Local maven repository is not used in Azure Pipelines (Snyk Security Scan task)

In Azure Pipelines, when running a typical Maven build (which resolves the project dependencies from a private repository manager, such as Artifactory or Nexus), the project dependencies are successfully resolved and end up in the Maven local repository on the Microsoft-hosted agent (we are using `ubuntu-latest` ([ubuntu-22.04](https://github.com/actions/runner-images/blob/main/images/linux/Ubuntu2204-Readme.md) in this case).

Then, when this [snyk-mvn-plugin](https://github.com/snyk/snyk-mvn-plugin) is run as part of the [Snyk Security Scan](https://marketplace.visualstudio.com/items?itemName=Snyk.snyk-security-scan) task in Azure Pipelines, we can see that the following command is run (seen in the build output):

```shell
snyk-mvn-plugin Maven command: mvn dependency:tree -DoutputType=dot --batch-mode --non-recursive --file="pom.xml"
```

We can also see that the Maven working directory is (seen in the build output):

```shell
snyk-mvn-plugin Maven working directory: /home/vsts/work/1/s
```

And the result is that the plugin attempts to resolve dependencies from Maven Central, instead of using the Maven Local Repository (`/home/vsts/.m2/repository`) which already contains the project dependencies.

The Maven home location is `/usr/share/apache-maven-3.8.7` on the Microsoft-hosted agent and the Maven Local Repository is `/home/vsts/.m2/repository`. This is not something we explicity setup and this is already setup on the agent.

_FYI, the Maven build task and the Snyk Security Scan task both run on the same agent and job and therefore there is no additional complexity of sharing dependencies between jobs/agents etc._

We have tried following the instructions on [Snyk documentation - How do I pass commands through snyk to the package manager?](https://support.snyk.io/hc/en-us/articles/360001781957-How-do-I-pass-commands-through-snyk-to-the-package-manager-) to pass `-- -Dmaven.repo.local="/home/vsts/.m2/repository"` as additional arguments to the Snyk CLI to make sure that the maven local repository is used and these instructions do not work at all and the step crashes.

**Environment:**

* Microsoft-hosted agent in Azure Pipelines running `ubuntu-latest` ([ubuntu-22.04](https://github.com/actions/runner-images/blob/main/images/linux/Ubuntu2204-Readme.md))

* [Snyk Security Scan](https://marketplace.visualstudio.com/items?itemName=Snyk.snyk-security-scan) version `1.1.2`
* [Snyk CLI](https://github.com/snyk/cli) version `1.1092.0` (this is the latest at time of writing and for your information, the [Snyk Security Scan](https://marketplace.visualstudio.com/items?itemName=Snyk.snyk-security-scan) task always uses the latest CLI version.
* Region: EU (with the `SNYK_API=https://app.eu.snyk.io/api` environment variable set in our CI pipeline, as documented on [Snyk documentation - Regional hosting and data residency](https://docs.snyk.io/snyk-processes/data-residency-at-snyk))

**Additional links:**

* [Snyk documentation - Azure Pipelines integration](https://docs.snyk.io/integrations/ci-cd-integrations/azure-pipelines-integration)




Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Local maven repository is not used in Azure Pipelines (Snyk Security Scan task) #143

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Local maven repository is not used in Azure Pipelines (Snyk Security Scan task) #143

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions