
feat: enable local proxy configuration in maven plugin configuration #5696

Merged (5 commits), May 16, 2023

Conversation

@mischa-n (Contributor) commented May 4, 2023

Relates to Issue #5040

Description of Change

CICD-SEC-03 recommends:

  1. ... packages are pulled through an internal proxy rather than directly from the internet ...
  2. ... pull packages from internal repositories ...

We have solved (2): we trust our developers, they trust the developers of the third-party libraries in use, and those trust the developers of dependent fourth-party libraries ...
Nevertheless, we would like to go one step further and completely disable access to the Internet in our CI/CD pipeline.
Therefore, we need to configure a proxy for the dependency-check-maven plugin.

Currently, you can define a proxy to use in the dependency-check-maven plugin via the Maven settings or the system property http.proxyHost.
However, in both cases, the configured proxy is used not only for loading data for analysis, but potentially for dependency resolution as well:

With the proposed change, a local proxy can be configured for the dependency-check-maven plugin, which is then used exclusively for loading the analysis data:

<configuration>
	...
	<proxy>
		<host>myproxy</host>
		<port>1234</port>
	</proxy>
	...
</configuration>

Have test cases been added to cover the new functionality?

no
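Added example, not part of this PR or the project's own code: a small Python policy check that parses a pom.xml and verifies that the dependency-check-maven plugin carries the `<proxy><host>/<port>` block described above, so a CI gate can reject a build that would otherwise fetch analysis data directly. The sample POM is constructed here.

```python
import xml.etree.ElementTree as ET

# Constructed sample POM (not from the PR): dependency-check-maven with the
# <proxy> block from the PR description, in the usual Maven namespace.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build><plugins><plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <configuration>
      <proxy><host>myproxy</host><port>1234</port></proxy>
    </configuration>
  </plugin></plugins></build>
</project>"""


def _tag(name, ns):
    """Qualify a tag with the POM namespace, if the document declares one."""
    return f"{{{ns}}}{name}" if ns else name


def find_plugin_proxies(pom_xml):
    """Return (host, port) pairs from every <proxy> block inside the
    dependency-check-maven plugin, including per-execution configuration."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    found = []
    for plugin in root.iter(_tag("plugin", ns)):
        group = (plugin.findtext(_tag("groupId", ns)) or "").strip()
        artifact = (plugin.findtext(_tag("artifactId", ns)) or "").strip()
        if (group, artifact) != ("org.owasp", "dependency-check-maven"):
            continue
        for proxy in plugin.iter(_tag("proxy", ns)):
            host = (proxy.findtext(_tag("host", ns)) or "").strip()
            port = (proxy.findtext(_tag("port", ns)) or "").strip()
            found.append((host, port))
    return found


def proxy_check(pom_xml):
    """Gate: True only if the plugin is present with at least one <proxy>
    block and every block names a host and a valid TCP port."""
    proxies = find_plugin_proxies(pom_xml)
    if not proxies:
        return False, "dependency-check-maven has no <proxy> configured"
    for host, port in proxies:
        if not host:
            return False, "proxy <host> is empty"
        if not port.isdigit() or not 0 < int(port) < 65536:
            return False, f"proxy <port> is not a valid port: {port!r}"
    return True, f"{len(proxies)} proxy block(s) route analysis data locally"
```

Run `proxy_check` over each module's pom.xml in the build; a `False` result names the missing or malformed element so the pipeline can fail before the plugin executes.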

@boring-cyborg boring-cyborg bot added the maven changes to the maven plugin label May 4, 2023
@jeremylong (Owner) left a comment

Any place we are accepting credentials we should allow this to be retrieved from the settings.xml.

@mischa-n (Contributor, Author) commented:

@jeremylong : is there anything else I can do here to get the PR accepted?

@jeremylong jeremylong added this to the 8.3.0 milestone May 16, 2023
@jeremylong jeremylong merged commit dfdb405 into jeremylong:main May 16, 2023
@jeremylong (Owner) commented:

Sorry about the delay - thanks for the PR!
