Problem:
When a Snyk test of a Maven project fails, the debug logs (-d option) show:
Could not resolve dependencies for project <details> Blocked mirror for repositories
Discussion:
This is not an error with Snyk, but points to an improvement in Maven, introduced in version 3.8.1, which prevents downloading from HTTP by default. See Maven release documentation for more.
When testing in the CLI/IDE or in CI/CD, Snyk uses mvn to build the dependency tree and resolve the transitive dependencies before comparing the result against our vulnerability database. If mvn cannot resolve the dependencies to build the dependency tree, then the scan cannot complete.
Resolution:
As described in the link above, the options depend on where the repository is defined, and on whether a version of the dependency exists that does not use the HTTP repository URL.
Options to fix are:
- If the repository is defined in your pom.xml, fix it in your source code.
- Upgrade the dependency to a newer version that replaced the obsolete HTTP repository URL with an HTTPS one.
- Keep the dependency version but define a mirror in your settings. You can then pass -- -s /path/to/settings as an additional parameter to the Snyk CLI to reference it.
- Alternatively, you could make sure in the pipeline that only an older Maven version that does not block HTTP is installed, but that may bring other issues and is not recommended.
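The mirror option above, as an added example (not taken from Snyk or Maven documentation): a settings.xml that redirects a repository still declared with an HTTP URL to an HTTPS mirror, so Maven 3.8.1+ can resolve it without re-enabling plain HTTP. The repository id `legacy-repo` and the mirror URL are placeholders; replace them with the id of the repository named in the "Blocked mirror" message and the HTTPS address that actually serves it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example settings file; pass it to Snyk with:
     snyk test -- -s /path/to/settings.xml -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <!-- Redirect the blocked repository (placeholder id "legacy-repo",
         the <id> used in the dependency's POM) to an HTTPS endpoint.
         Maven matches <mirrorOf> against repository ids, not URLs. -->
    <mirror>
      <id>legacy-repo-https</id>
      <mirrorOf>legacy-repo</mirrorOf>
      <name>HTTPS mirror for legacy-repo (placeholder URL)</name>
      <url>https://repo.example.com/maven2/</url>
    </mirror>
    <!-- Do not add a mirror with an http:// <url> and <blocked>false</blocked>
         for this id: that restores the unencrypted download path Maven 3.8.1
         blocks by default, which is the condition the default blocker mirror
         (mirrorOf external:http:*) exists to prevent. -->
  </mirrors>
</settings>
```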