Trace the source of an artifact in Nexus Repository

Is it somehow possible to trace the source of an artifact in a Maven proxy repository in Nexus (either OSS or Pro)? And by trace I mean the source which added a particular dependency in their pom file.
Because of the way Maven works, it downloads all transitive dependencies automatically. As an example, I see an artifact called xmlpull-1.1.3.1.jar in my maven-proxy repo and I have no clue who included it. My intention is to trace the source of this.

I know that Nexus shows the uploader and uploader IP, but that does not tell me the actual source pom. A user might have just run mvn compile and may not have this artifact as a direct dependency in any of their application poms, but some transitive dependency may have pulled it.

NXRM just proxies the requests for the artifacts. It doesn’t know anything about the transitive dependencies. You can run mvn dependency:tree on your projects to try to track down the source of the dependency.

It would work for dependencies coming out of my pom, but it still does not show me the dependencies which are coming out of Maven plugins. E.g. as I ran mvn dependency:tree it downloaded tons of jars, which were probably referred to by the maven-dependency-plugin, and won't show up in mvn dependency:tree.
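
As an added example (not from this thread, and not Sonatype's or Maven's own code), the following Python script reads the text output of mvn dependency:tree (console output, or a file written with -DoutputFile) and prints the chain of declared dependencies that led to a given artifact, for every module of a reactor build. It automates the answer above so it can be run over many projects; for a single project, mvn dependency:tree -Dincludes=xmlpull prints the same path without a script. The embedded sample tree is constructed for illustration. As noted in the reply above, dependencies pulled in by build plugins are not in this tree; mvn dependency:resolve-plugins lists each plugin with its dependencies and is the place to look for those.

```python
"""Find which declared dependency pulled a given artifact into a Maven build.

Added example: parse the text output of `mvn dependency:tree` and report the
chain from each module root down to the artifact being hunted (xmlpull here).
Usage: mvn dependency:tree | python dep_blame.py xmlpull
Build-plugin dependencies are not in this tree; see `mvn dependency:resolve-plugins`.
"""
import re
import sys

# One tree line: drawing prefix (3 characters per nesting level, e.g. "+- ",
# "|  ", "\- ", "   "), then groupId:artifactId:type[:classifier]:version[:scope],
# optionally followed by a parenthesised note such as "(optional)".
NODE_RE = re.compile(r"^([|+\\\- ]*)(\S+:\S+)(?: \(.*\))?$")

# Constructed sample of dependency:tree console output for a two-module build.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ app ---
[INFO] com.example:app:jar:1.0
[INFO] +- com.thoughtworks.xstream:xstream:jar:1.4.2:compile
[INFO] |  +- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] |  \- xpp3:xpp3_min:jar:1.1.4c:compile
[INFO] \- junit:junit:jar:4.12:test
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ tools ---
[INFO] com.example:tools:jar:1.0
[INFO] \- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] BUILD SUCCESS
"""


def parse_tree(text):
    """Yield (depth, coordinate) for every dependency node in the output."""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("[INFO] "):
            line = line[len("[INFO] "):]
        elif line.startswith("["):          # [WARNING], [ERROR] ... are never tree lines
            continue
        m = NODE_RE.match(line)
        if not m or len(m.group(1)) % 3:    # banners, separators, "BUILD SUCCESS"
            continue
        yield len(m.group(1)) // 3, m.group(2)


def matches(coord, target):
    """True if target is the groupId, artifactId or groupId:artifactId of coord."""
    parts = coord.split(":")
    if len(parts) < 2:
        return False
    return target in (parts[0], parts[1], parts[0] + ":" + parts[1])


def find_paths(text, target):
    """Return every root-to-artifact chain whose last node matches target.

    A stack of (depth, coordinate) holds the ancestors of the current node;
    a new module root (depth 0) clears it, so multi-module output works.
    """
    paths = []
    stack = []
    for depth, coord in parse_tree(text):
        while stack and stack[-1][0] >= depth:
            stack.pop()
        stack.append((depth, coord))
        if matches(coord, target):
            paths.append([c for _, c in stack])
    return paths


def format_paths(paths):
    """Render chains as 'root -> parent -> ... -> artifact', one per line."""
    return "\n".join(" -> ".join(p) for p in paths) or "(not found in dependency tree)"


if __name__ == "__main__":
    if len(sys.argv) > 1:                    # python dep_blame.py xmlpull < tree.txt
        print(format_paths(find_paths(sys.stdin.read(), sys.argv[1])))
    else:                                    # no arguments: run against the constructed sample
        print(format_paths(find_paths(SAMPLE_TREE, "xmlpull")))
```

The target may be given as a groupId, an artifactId or groupId:artifactId, so a bare "xmlpull" finds the jar even when you only know its file name from the proxy repository. Because dependency:tree resolves through the project's dependencyManagement, the versions printed are the ones the build actually uses, which is what you want when deciding whether a proxied artifact is still referenced.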

You can use Dependency Track for this :)

There is plenty of software bill of materials (SBOM) software that exists, including our Nexus Lifecycle; however, as Rich mentioned, that still likely wouldn't track build plugin dependencies.

In Dependency Track you can see the usage of a specific dependency across a whole portfolio of projects. In Artifactory you are able to see which CI build produced the artifact…

Again, he’s not asking about project dependencies.