Why does the OWASP Dependency-Check fail reaching repository.sonatype.org?

Question

Why does the OWASP Dependency-Check fail reaching https://repository.sonatype.org?

Answer

As of February 2015, Sonatype is explicitly blocking the requests against repository.sonatype.org made by OWASP Dependency-Check.

Workaround

The OWASP Dependency-Check is a third-party tool not maintained by Sonatype that had a default configuration which sent GET requests to https://repository.sonatype.org/service/local/identify/sha1/ to get checksums for components.

An alternative endpoint using search.maven.org has been provided to the tool authors. Changes to use the new endpoint by default were made in version 1.2.6 of the tool.

Dependency Check tool users should upgrade OWASP dependency check to version 1.2.6 or greater to make use of the search.maven.org endpoint. Alternately, configure the tool to use your own Nexus Repository Manager instance.

Reference

• Acknowledgement of the issue with the tool authors
• OWASP Dependency Check 1.2.6 release notes ( item #7 )