From 56639d3965ed217f4d1e83ff8420dc60228ce542 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 28 Dec 2014 09:15:34 -0500 Subject: [PATCH] updated information about the nexus analyzer and how it relates to the central analyzer Former-commit-id: 9d3f9b4f3ea30744f6f8f8c2883fc9d8b0be3a0d --- src/site/markdown/nexus-analyzer.md | 63 ++++++----------------------- 1 file changed, 13 insertions(+), 50 deletions(-) diff --git a/src/site/markdown/nexus-analyzer.md b/src/site/markdown/nexus-analyzer.md index 5c3ebb8b6..b8992182b 100644 --- a/src/site/markdown/nexus-analyzer.md +++ b/src/site/markdown/nexus-analyzer.md 
@@ -1,54 +1,17 @@ Nexus Analyzer ============== -Dependency-check includes an analyzer that will check for the Maven GAV -(Group/Artifact/Version) information for artifacts in the scanned area. By -default the information comes from [Maven Central][1], but can be configured to -use a local repository if necessary. If the artifact's hash is found in the -configured Nexus repository, its GAV is recorded as an Identifier and the Group -is collected as Vendor evidence, the Artifact is collected as Product evidence, -and the Version is collected as Version evidence. +The Nexus Analyzer has been superceded by the Central Analyzer. If both the +Central Analyzer and Nexus Analyzer are enabled and the Nexus URL has not +been configured to point to an instance of Nexus Pro the Nexus Analyzer will +disable itself. -Default Configuration ---------------------- - -By default, the Nexus analyzer uses the [Sonatype Nexus Repository][2] to search -for SHA-1 hashes of dependencies. If the proxy is configured for Dependency -Check, that proxy is used in order to connect to the Nexus Central repository. -So if you're using `--proxyurl` on the command-line, the `proxyUrl` setting in -the Maven plugin, or the `proxyUrl` attribute in the Ant task, that proxy will -be used by default. Also, the proxy port, user, and password configured globally -are used as well. - -Overriding Defaults -------------------- - -If you have an internal Nexus repository you want to use, Dependency Check can -be configured to use this repository rather than Sonatype. This needs to be a -Nexus repository (support for Artifactory is planned). For a normal installation -of Nexus, you would append `/service/local/` to the root of the URL to your -Nexus repository. 
This URL can be set as: - -* `analyzer.nexus.url` in `dependencycheck.properties` -* `--nexus ` in the CLI -* The `nexusUrl` property in the Maven plugin -* The `nexusUrl` attribute in the Ant task - -If this repository is internal and should not use the proxy, you can disable the -proxy for just the Nexus analyzer. Setting this makes no difference if a proxy -is not configured. - -* `analyzer.nexus.proxy=false` in `dependencycheck.properties` -* `--nexusUsesProxy false` in the CLI -* The `nexusUsesProxy` property in the Maven plugin -* The `nexusUsesProxy` attribute in the Ant task - -Finally, the Nexus analyzer can be disabled altogether. - -* `analyzer.nexus.enabled=false` in `dependencycheck.properties` -* `--disableNexus` in the CLI -* `nexusAnalyzerEnabled` property in the Maven plugin -* `nexusAnalyzerEnabled` attribute in the Ant task +The Nexus Analyzer will check for the Maven GAV (Group/Artifact/Version) information +for artifacts in the scanned area. This is done by determining if an artifact exists +in a Nexus Pro installation using the SHA-1 hash of the artifact scanned. If the +artifact's hash is found in the configured Nexus repository, its GAV is recorded as +an Identifier and the Group is collected as Vendor evidence, the Artifact is +collected as Product evidence, and the Version is collected as Version evidence. Logging ------- 
@@ -60,9 +23,9 @@ You may see a log message similar to the following during analysis: At the beginning of analysis, a check is made by the Nexus analyzer to see if it is able to reach the configured Nexus service, and if it cannot be reached, the -analyzer will be disabled. If you see this message, you can use the -configuration settings described above to resolve the issue, or disable the -analyzer altogether. +analyzer will be disabled. If you see this message, you can use the configuration +settings described in either the CLI, Ant, Maven, or Jenkins plugins to resolve +the issue, or disable the analyzer altogether. [1]: http://search.maven.org/ "Maven Central" [2]: https://repository.sonatype.org/ "Sonatype Nexus Repository"
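Review bot: in the first hunk, "superceded" in the added line "The Nexus Analyzer has been superceded by the Central Analyzer" should be "superseded". The same paragraph states that the Nexus Analyzer "will disable itself" when both analyzers are enabled and the Nexus URL "has not been configured to point to an instance of Nexus Pro", but it does not say how that is determined (for example, whether any URL other than the default counts as a Nexus Pro instance), so a reader cannot tell which configurations keep the analyzer active. The hunk also deletes the only documentation of `analyzer.nexus.url`, `analyzer.nexus.proxy`, `--nexusUsesProxy` and `analyzer.nexus.enabled` without saying whether those settings still exist; if they do, keep at least a one-line pointer to where they are now documented.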
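Review bot: in the second hunk, the trailing context keeps the link definitions `[1]: http://search.maven.org/ "Maven Central"` and `[2]: https://repository.sonatype.org/ "Sonatype Nexus Repository"`, but the first hunk removed the only `[1]` and `[2]` references, so both definitions are now orphaned; either drop them or cite them from the new text. The added sentence "configuration settings described in either the CLI, Ant, Maven, or Jenkins plugins" also groups the CLI under "plugins"; suggest "described in the CLI, Ant task, Maven plugin, or Jenkins plugin documentation" and, since the settings were removed from this page, a link to that documentation.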