Using the Maven Repositories option

These settings are targeted at the com.castsoftware.jee technology extension.

Overview

When analyzing an application that includes Maven based source code, nodes need to know where to find any required Maven local or remote HTTP/S repositories: this panel allows you to do this on a “global” level, (i.e. for all applications managed in CAST Imaging). The location of the repositories is crucial to ensure that any associated JAR files can be automatically discovered and that POM dependencies can also be located during the analysis.

The same functionality also exists at application level, i.e. specific to each application.

What are the default settings?

Several well known public repositories will be predefined: https://repo.maven.apache.org/maven2 is marked as the primary repository (i.e. the most complete repository) which will always be searched first.

Does the order of the repositories matter?

Yes, the order of the repositories does matter: CAST Imaging will search the repositories for Maven artifacts required by your source code in the order that they appear in the panel. CAST Imaging will use the artifact in the first repository it finds it in.

Use drag and drop to change the order:

Troubleshooting issues accessing remote HTTPS repositories

In certain situations, an error may be registered in the Delivery log when the Node attempts to access an HTTPS repository. For example, in the log located at delivery\{app-guid}\data\{guid}\{guid}\{guid}\DMTDeliveryReport.CastLog2:

ERROR cast.dmt.engine.extractor.jee.maven.http.connectionFailed Unknown format id: cast.dmt.engine.extractor.jee.maven.http.connectionFailed =>  %URL%="https://my.maven.repo/artifactory/maven-release/"

%MESSAGE%="sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(:0).

The error reported in the log is generated by the DeliveryManagerTool-CLI.exe tool located on the node. This tool uses the Java JRE delivered with CAST Imaging Core in the following location:

%PROGRAMFILES%\CAST\<release>\jre\

This error usually occurs if the remote HTTPS repository you have defined is using an SSL certificate:

  • where the signing authority is not listed in the Java JRE cacerts file located at %PROGRAMFILES%\CAST\<release>\jre\security\cacerts
  • that is self-signed

Resolving the issue involves importing the required SSL certificates into the Java JRE cacerts Java keystore (located in %PROGRAMFILES%\CAST\8.4\jre\lib\security) delivered with CAST Imaging Core. You should ensure that all certificates are imported, especially if you have a “bundle” containing multiple embedded certificates. This process is out of the scope of this document and you should contact CAST Support for advice.