Gemnasium-maven-dependency_scanning

vadymus96 · October 16, 2021, 1:32am

Hello,

I use GitLab to build my Java app. I included “Security/Dependency-Scanning.gitlab-ci.yml” template to my pipeline for dependency scanning. Then I found, that this scanning does another build by Maven from scratch for its purpose. To avoid the dependencies downloading again, I specified a variable:

variables:
  MAVEN_OPTS: "-Dmaven.repo.local=.m2/repository"

Also I set:

cache:
    paths:
      - .m2/repository/

in the build stage in hope that next stage (“dependencies scanning”) will use this directory with already downloaded dependencies. But it doesn’t help, dependencies download again.

Does anyone can help with this?

Thanks.

JohnDavidLarsen · January 6, 2023, 3:43pm

Sadly the maven.repo.local argument needs to be an absolute. So you need to either append ${PWD} to your argument, or as I did simply add a before_script to cp -r .m2/repository /root/.m2/

Topic		Replies	Views
DependencyScanning - Maven + GitLab Package Repository DevSecOps maven	11	1824	November 3, 2023
GitLab Dependency Scanning with private repo DevSecOps	2	1220	June 28, 2022
Dependency scanning fails without details of the error or what is this expected key DevSecOps ci , maven , test , security	1	1823	November 5, 2019
GitLab Dependency Scanning (Gemnasium) pricing DevSecOps ci	0	606	April 8, 2020
Dependency Scan and OWASP dependency scan results differ DevSecOps maven , secure	0	1521	October 5, 2020

Gemnasium-maven-dependency_scanning

Related topics