DependencyScanning - Maven + GitLab Package Repository

marcosp · April 18, 2023, 4:22pm

Hi all!
I’ve a project who uses Gitlab package registry to host some custom maven libs.
I want to use Dependency Scanning in my pipeline, which I’m enabling as follows:

include:

template: Jobs/SAST.latest.gitlab-ci.yml
template: Jobs/Secret-Detection.latest.gitlab-ci.yml
template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml

When my pipeline runs, the gemnasium job fails because it didn’t find my custom libs.

Caused by: org.eclipse.aether.transfer.ArtifactNotFoundException: Could not find artifact com.xxx:xxxx:jar:1.0.0 in gitlab-maven (https://gitlab.com/api/v4/groups/######/-/packages/maven)
My guess is: the gemnasium job doesn’t know how to locate that lib, so I thought the solution maybe pass as an argument the ci_settings.xml file, but I’m unable to do so.
Any thought would be very appreciated.

Thanks!

marcosp · April 18, 2023, 10:09pm

I’ve found my error!
To override the default behaviour of the job, you must add variables, declaring exactly the job’s name, in this case “gemnasium-maven-dependency_scanning”. The variable I’ve added was MAVEN_CLI_OPTS, with value “–settings ci_settings.xml”

That’s all!

gitlab-greg · April 18, 2023, 11:43pm

Thanks for sharing your solution here for anyone else who runs into this, @marcosp !