Why does the OWASP Dependency-Check fail reaching repository.sonatype.org?

Question

Why does the OWASP Dependency-Check fail reaching https://repository.sonatype.org?

Answer

As of February 2015, Sonatype is explicitly blocking the requests against repository.sonatype.org made by OWASP Dependency-Check.

Workaround

The OWASP Dependency-Check is a third-party tool not maintained by Sonatype that had a default configuration which sent GET requests to https://repository.sonatype.org/service/local/identify/sha1/ to get checksums for components.

An alternative endpoint using search.maven.org has been provided to the tool authors. Changes to use the new endpoint by default were made in version 1.2.6 of the tool.

Dependency-Check users should upgrade OWASP Dependency-Check to version 1.2.6 or greater to make use of the search.maven.org endpoint. Alternatively, configure the tool to use your own Nexus Repository Manager instance.
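Before pointing Dependency-Check at your own Nexus Repository Manager, it is worth confirming that the instance actually answers the identify-by-SHA-1 endpoint the tool used against repository.sonatype.org. The script below is an added example written for this article; it is not code from Sonatype or from the Dependency-Check project. The `NEXUS_BASE` value is an assumed placeholder for your own instance, and the script name `check-identify.sh` is likewise hypothetical. The endpoint path `/service/local/identify/sha1/` is the one named above.

```shell
#!/bin/sh
# Added example (not from the Sonatype page or the Dependency-Check project).
# Computes the SHA-1 of a local artifact and asks a Nexus Repository Manager
# instance whether it can identify that checksum, using the same endpoint
# shape Dependency-Check used against repository.sonatype.org.

# Assumed placeholder: replace with the base URL of your own Nexus instance.
NEXUS_BASE="${NEXUS_BASE:-https://nexus.example.internal/nexus}"

# Build the identify URL for a base URL and a SHA-1; tolerates a trailing slash.
identify_url() {
  base="${1%/}"
  printf '%s/service/local/identify/sha1/%s\n' "$base" "$2"
}

# SHA-1 of a file; works with GNU sha1sum or BSD/macOS shasum.
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | cut -d' ' -f1
  else
    shasum -a 1 "$1" | cut -d' ' -f1
  fi
}

# HTTP status the instance returns for the identify request:
#   200 -> the checksum is known to that Nexus
#   404 -> the checksum is not known
#   anything else (e.g. 403, or 000 from curl) -> blocked or unreachable,
#   which is the symptom this article describes for repository.sonatype.org
identify_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$(identify_url "$1" "$2")"
}

# Usage: ./check-identify.sh path/to/artifact.jar
if [ -n "$1" ]; then
  sha="$(sha1_of "$1")"
  code="$(identify_status "$NEXUS_BASE" "$sha")"
  echo "sha1=$sha status=$code url=$(identify_url "$NEXUS_BASE" "$sha")"
fi
```

Run it against a jar from your build; a 200 or 404 means the endpoint is reachable and the instance is a usable target for the tool's Nexus configuration, while a 403 or a connection failure reproduces the blocked behaviour described in the answer.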

Reference