Exclude SNAPSHOTS from latest version for internal components

I maintain a system that contains a complete inventory of every dependency in every one of my projects. Latest version information is derived via connection to maven central, jboss-releases, etc. (just using maven as an example).

I want to connect to my NXRM so that latest version info is reported for all internal components. Well… it works great (including the authentication) but I cannot figure out how to configure things so that SNAPSHOT versions are excluded.

When I point at the “standard” Maven URL (the proxy that has a score or more members, including our releases and snapshots repos) then I get SNAPSHOT version information on everything internal, i.e., both for releases and for SNAPSHOT components themselves. So, I guess that this would be 100% expected.

When I update the URL to use our hosted “maven-releases” repo directly then I only get latest version info for releases… but it still tells me that every single component is out of date because it is still telling me that the latest version is a SNAPSHOT version.

So, any thoughts on how I might go about solving this?

Has anyone got any tips/pointers that might help? It really is quite important for me to get this addressed.

This doesn’t really sound like a question about Nexus to me. It sounds more like the Maven CLI tool is telling you something? If so, you may want to ask your question on the maven users list.

I am not using the Maven CLI tool. I am using Dependency-Track, which should be familiar to Sonatype!

Dependency-Track comes “out of the box” with multiple repositories defined for different ecosystems (ranging from cargo to python). For maven, there are several repos defined, e.g., for maven-central, the URL used is:

https://repo1.maven.org/maven2/

With that, Dependency-Track successfully reports the latest versions of all Java components that we are using that come from maven-central. Now that the latest development snapshots of Dependency-Track support authentication for repos, I have the chance to connect to our NXRM repo for the first time and report latest version information for internal components.

But, as explained above, things are not working as desired. SNAPSHOT versions are always reported as being the latest version, which (whilst technically true) is NOT what is desired. So what URL in NXRM should be used? Do I maybe need to configure NXRM to (say) add a new proxy and use that URL?

The above problem is now addressed and will be implemented in Dependency-Track v4.7.0 (which should be released before the end of November 2022).

In the end the solution was very simple… DT is currently retrieving versions using the latest tag. v4.7.0 will use the release tag and, if that is not present, use latest.
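
The tag selection described in the last post, as an added example that is not part of the thread and is not Dependency-Track's own code. It assumes the standard `maven-metadata.xml` layout (`<versioning>` containing `<latest>` and `<release>`); the coordinates, version numbers and the names `pick_latest` and `Latest` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from typing import NamedTuple, Optional

# Constructed sample: metadata as a group repo that merges releases and
# snapshots would serve it, so <latest> points at a SNAPSHOT.
GROUP_METADATA = """
<metadata>
  <groupId>com.example.internal</groupId>
  <artifactId>billing-core</artifactId>
  <versioning>
    <latest>1.3.0-SNAPSHOT</latest>
    <release>1.2.0</release>
    <versions>
      <version>1.2.0</version>
      <version>1.3.0-SNAPSHOT</version>
    </versions>
  </versioning>
</metadata>
"""

# Constructed sample: a component that has never been released.
SNAPSHOT_ONLY_METADATA = """
<metadata>
  <versioning>
    <latest>0.1.0-SNAPSHOT</latest>
    <release></release>
  </versioning>
</metadata>
"""


class Latest(NamedTuple):
    version: str
    source_tag: str    # which metadata tag supplied the version
    is_snapshot: bool  # True when the reported "latest" is a SNAPSHOT


def pick_latest(metadata_xml: str, prefer_release: bool = True) -> Optional[Latest]:
    """Return the version to report as latest, or None if metadata has none."""
    versioning = ET.fromstring(metadata_xml.strip()).find("versioning")
    if versioning is None:
        return None
    # prefer_release=False reproduces the old behaviour (read <latest> only).
    order = ("release", "latest") if prefer_release else ("latest",)
    for tag in order:
        node = versioning.find(tag)
        version = (node.text or "").strip() if node is not None else ""
        if version:  # an empty or missing tag falls through to the next one
            return Latest(version, tag, version.endswith("-SNAPSHOT"))
    return None
```

The `is_snapshot` flag marks the fallback case, where a component with no release still reports a SNAPSHOT as its latest version.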