Can't use dependency-check plugin in Azure Devops due to large pom size #6823

Open
martijndebruijn opened this issue Jul 9, 2024 · 7 comments
@martijndebruijn

Our builds with the latest version of the owasp-dependency plugin are failing due to an Azure-specific issue with large pom files.

The latest version of Solr which is used by the plugin has a very large pom (https://repo1.maven.org/maven2/org/apache/lucene/lucene-solr-grandparent/8.11.3/lucene-solr-grandparent-8.11.3.pom) of 529Kb which is hitting the max pom size of Azure Devops.

https://pkgs.dev.azure.com/BeFrank/_packaging/befrank-libraries/maven/v1/org/apache/lucene/lucene-solr-grandparent/8.11.3/lucene-solr-grandparent-8.11.3.pom, status: 400 Bad Request - pom.xml file is too large; the limit is 524288 bytes

Does anyone know a workaround for this problem?

@martijndebruijn martijndebruijn changed the title Can't use dependency-check plugin in Azure due to large pom size Can't use dependency-check plugin in Azure Devops due to large pom size Jul 9, 2024
@jeremylong
Owner

This project does not support AzureDevOps. I would post the issue here: https://github.com/dependency-check/azuredevops

@cmardini

cmardini commented Jul 17, 2024

I think if dependency-check pom line 120 can move to lucene-core 9.11.1 (from 8.11.3) that will remove the dependency on lucene-solr-grandparent completely. Of course, it may or may not be "just that simple".

Azure DevOps Maven Artifact Feeds seem to have a pom file size limit (currently at 524288 bytes).

@cmardini

cmardini commented Jul 17, 2024

> I think if dependency-check pom line 120 can move to lucene-core 9.11.1 (from 8.11.3) that will remove the dependency on lucene-solr-grandparent completely. Of course, it may or may not be "just that simple".
>
> Azure DevOps Maven Artifact Feeds seem to have a pom file size limit (currently at 524288 bytes).

and
lucene-analyzers-common --> lucene-analysis-common

and I see that lucene 8.X is still having new releases alongside 9.X releases... so possibly not straightforward.
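Added example (not code from this issue or from dependency-check): a small walker that follows an artifact's `<parent>` chain and flags any POM over the 524288-byte limit quoted in the Azure error, which is how you find that lucene-core 8.11.3 drags in lucene-solr-grandparent. It takes a resolver callable so it can run offline here against a constructed pair of POMs; in real use the callable would read `<artifact>-<version>.pom` from `~/.m2/repository` or fetch it from a feed.

```python
"""Walk a Maven parent-POM chain and flag POMs over the Azure Artifacts size limit.
Added example, not from this issue or dependency-check; sample POMs are constructed."""
import xml.etree.ElementTree as ET

AZURE_POM_LIMIT = 524288  # bytes, from "pom.xml file is too large; the limit is 524288 bytes"
POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def _child(element, tag):
    """Child element by tag, whether or not the POM declares the Maven namespace."""
    node = element.find(POM_NS + tag)
    return node if node is not None else element.find(tag)


def parent_coords(pom_xml):
    """(groupId, artifactId, version) of the <parent> element, or None if there is none."""
    parent = _child(ET.fromstring(pom_xml), "parent")
    if parent is None:
        return None
    return tuple(_child(parent, tag).text.strip() for tag in ("groupId", "artifactId", "version"))


def parent_chain_sizes(lookup, coords, limit=AZURE_POM_LIMIT):
    """Return [(coords, size_bytes, over_limit), ...] for the artifact and each ancestor.
    size is None when the resolver has no POM for those coordinates (chain stops there)."""
    chain, seen = [], set()
    while coords and coords not in seen:  # 'seen' guards against a cyclic parent reference
        seen.add(coords)
        pom = lookup(*coords)
        if pom is None:
            chain.append((coords, None, None))
            break
        chain.append((coords, len(pom), len(pom) > limit))
        coords = parent_coords(pom)
    return chain


# Constructed sample: a small lucene-core POM whose parent POM is padded past the limit.
SAMPLE_POMS = {
    ("org.apache.lucene", "lucene-core", "8.11.3"):
        b'<project xmlns="http://maven.apache.org/POM/4.0.0"><modelVersion>4.0.0</modelVersion>'
        b"<parent><groupId>org.apache.lucene</groupId><artifactId>lucene-solr-grandparent"
        b"</artifactId><version>8.11.3</version></parent><artifactId>lucene-core</artifactId></project>",
    ("org.apache.lucene", "lucene-solr-grandparent", "8.11.3"):
        b"<project><modelVersion>4.0.0</modelVersion><groupId>org.apache.lucene</groupId>"
        b"<artifactId>lucene-solr-grandparent</artifactId><version>8.11.3</version>"
        b"<packaging>pom</packaging><!--" + b"x" * 530_000 + b"--></project>",
}


def sample_chain():
    return parent_chain_sizes(lambda g, a, v: SAMPLE_POMS.get((g, a, v)),
                              ("org.apache.lucene", "lucene-core", "8.11.3"))
```

Running `sample_chain()` reports lucene-core itself as fine and its parent as over the limit, which is the resolution failure the thread describes.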

@cmardini

fyi: For myself, I got the large POM issue resolved in Azure Artifacts. I'm not sure if it applies globally or just to my feed.

@martijndebruijn
Author

> fyi: For myself, I got the large POM issue resolved in Azure Artifacts. I'm not sure if it applies globally or just to my feed.

How?

@cmardini

cmardini commented Aug 2, 2024

> > fyi: For myself, I got the large POM issue resolved in Azure Artifacts. I'm not sure if it applies globally or just to my feed.
>
> How?

I used an internal process.

Externally, my suggestion would be to start here: https://developercommunity.visualstudio.com/AzureDevOps/report

My description was something like:

Description of Issue: The maven dependency-check plugin version 10.0.3, which is used to find vulnerabilities/CVEs at development/build-time, requires org.apache.lucene:lucene-solr-grandparent:pom:8.11.3 (https://repo.maven.apache.org/maven2/org/apache/lucene/lucene-solr-grandparent/8.11.3), which has a POM file that’s 542261 bytes. When we try to fetch it using Azure Artifacts, we get the following error:

[INFO] --- dependency-check:10.0.3:check (default) @ gkcc ---
Downloading from central: https://pkgs.dev.azure.com/.../maven/v1/org/apache/lucene/lucene-solr-grandparent/8.11.3/lucene-solr-grandparent-8.11.3.pom
...
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:10.0.3:check (default) on project gkcc: Execution default of goal org.owasp:dependency-check-maven:10.0.3:check failed: Plugin org.owasp:dependency-check-maven:10.0.3 or one of its dependencies could not be resolved: Failed to collect dependencies at org.owasp:dependency-check-maven:jar:10.0.3 -> org.owasp:dependency-check-core:jar:10.0.3 -> org.apache.lucene:lucene-core:jar:8.11.3: Failed to read artifact descriptor for org.apache.lucene:lucene-core:jar:8.11.3: The following artifacts could not be resolved: org.apache.lucene:lucene-solr-grandparent:pom:8.11.3 (absent): Could not transfer artifact org.apache.lucene:lucene-solr-grandparent:pom:8.11.3 from/to central (https://pkgs.dev.azure.com/.../maven/v1): status code: 400, reason phrase: Bad Request - pom.xml file is too large; the limit is 524288 bytes (DevOps Activity ID: BD18AC76-...) (400) -> [Help 1]

and

% curl https://redacted:[email protected]/.../maven/v1/org/apache/lucene/lucene-solr-grandparent/8.11.3/lucene-solr-grandparent-8.11.3.pom     
{"$id":"1","innerException":null,"message":"pom.xml file is too large; the limit is 524288 bytes","typeName":"Microsoft.VisualStudio.Services.Maven.Server.Exceptions.MavenPomSizeLimitExceededException, Microsoft.VisualStudio.Services.Maven.Server","typeKey":"MavenPomSizeLimitExceededException","errorCode":0,"eventId":3000}
