Dependency-check includes an analyzer that will check for the Maven GAV (Group/Artifact/Version) information for artifacts in the scanned area. By default the information comes from Maven Central, but can be configured to use a local repository if necessary. If the artifact’s hash is found in the configured Nexus repository, its GAV is recorded as an Identifier and the Group is collected as Vendor evidence, the Artifact is collected as Product evidence, and the Version is collected as Version evidence.
By default, the Nexus analyzer uses the Sonatype Nexus Repository to search for SHA-1 hashes of dependencies. If the proxy is configured for Dependency Check, that proxy is used in order to connect to the Nexus Central repository. So if you’re using --proxyurl on the command-line, the proxyUrl setting in the Maven plugin, or the proxyUrl attribute in the Ant task, that proxy will be used by default. Also, the proxy port, user, and password configured globally are used as well.
If you have an internal Nexus repository you want to use, Dependency Check can be configured to use this repository rather than Sonatype. This needs to be a Nexus repository (support for Artifactory is planned). For a normal installation of Nexus, you would append /service/local/ to the root of the URL to your Nexus repository. This URL can be set as:
If this repository is internal and should not use the proxy, you can disable the proxy for just the Nexus analyzer. Setting this makes no difference if a proxy is not configured.
Finally, the Nexus analyzer can be disabled altogether.
You may see a log message similar to the following during analysis:
Mar 31, 2014 9:15:12 AM org.owasp.dependencycheck.analyzer.NexusAnalyzer initializeFileTypeAnalyzer WARNING: There was an issue getting Nexus status. Disabling analyzer.
At the beginning of analysis, a check is made by the Nexus analyzer to see if it is able to reach the configured Nexus service, and if it cannot be reached, the analyzer will be disabled. If you see this message, you can use the configuration settings described above to resolve the issue, or disable the analyzer altogether.
