Maven.org Rate Limit due to scanning a large application #1173

Closed
gysel opened this issue Aug 10, 2021 · 4 comments · Fixed by #1511
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. triage/support Indicates an issue that is a support question.

Comments

gysel commented Aug 10, 2021

I just got locked out of search.maven.org because I was scanning a large Java application. I only get 403 Forbidden responses now.

The error I see in the debug log is:

Analysis error: jar/war/ear parse error: failed to parse WEB-INF/classes/repository-b.jar: failed to search by SHA1: status 403 Forbidden from http://search.maven.org/solrsearch/select?q=1%3A%22ad4a3a6e728fc79537d5a04edbdd884ff3651d15%22&rows=1&wt=json

Trivy then silently does not report any application vulnerabilities. I only found this problem when looking at the debug logs.

Is there a way to avoid the rate limit? Can I slow down the scan? Does anybody know what the search.maven.org rate limits are?

@gysel gysel added the triage/support Indicates an issue that is a support question. label Aug 10, 2021
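
The failure mode reported above, a rejected search.maven.org lookup that shows up only in the debug log while the scan reports no application vulnerabilities, can be detected by checking the saved debug output before trusting a clean result. The following Python sketch is an added example, not part of the original thread or of Trivy; the function names and the saved-log-file argument are assumptions, and the sample log reuses the error text quoted in this thread with constructed surrounding lines.

```python
import re
import sys
from urllib.parse import parse_qs, urlsplit

# Matches the analysis error quoted in the thread. The "failed to parse <jar>"
# part is optional because one of the reports omits it.
LOOKUP_ERROR = re.compile(
    r"Analysis error: jar/war/ear parse error: "
    r"(?:failed to parse (?P<jar>.+?): )?"
    r"failed to search by SHA1: status (?P<status>\d{3})(?: \w+)*\s+from\s+(?P<url>\S+)"
)

# Error text copied from the thread; the first and last lines are constructed.
SAMPLE_LOG = """\
Analysis started (constructed line)
Analysis error: jar/war/ear parse error: failed to parse WEB-INF/classes/repository-b.jar: failed to search by SHA1: status 403 Forbidden from http://search.maven.org/solrsearch/select?q=1%3A%22ad4a3a6e728fc79537d5a04edbdd884ff3651d15%22&rows=1&wt=json
Analysis error: jar/war/ear parse error: failed to search by SHA1: status 403 Forbidden
from http://search.maven.org/solrsearch/select?q=1%3A%22a080d66963eaa0e3a4cabcc90a7798156b047fee%22&rows=1&wt=json
Analysis finished (constructed line)
"""


def sha1_from_url(url):
    """Extract the digest from the q=1:"<sha1>" query parameter, if present."""
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    m = re.fullmatch(r'1:"([0-9a-fA-F]{40})"', q)
    return m.group(1).lower() if m else None


def failed_lookups(log_text):
    """Return one record per JAR whose SHA-1 lookup was rejected."""
    return [
        {"jar": m["jar"], "status": int(m["status"]), "sha1": sha1_from_url(m["url"])}
        for m in LOOKUP_ERROR.finditer(log_text)
    ]


def scan_is_complete(log_text):
    """A clean report is only trustworthy if no lookup was rejected."""
    return not failed_lookups(log_text)


if __name__ == "__main__":
    # Assumption: the first argument is a file holding the saved debug output.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in failed_lookups(text):
        print(f"lookup rejected ({f['status']}): jar={f['jar']} sha1={f['sha1']}")
    sys.exit(0 if scan_is_complete(text) else 1)
```

Exiting non-zero when any lookup was rejected lets a CI job treat the scan as incomplete instead of clean.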
Contributor

masahiro331 commented Aug 13, 2021

Is it this document?
https://central.sonatype.org/faq/403/

> Can I slow down the scan?

Currently Trivy doesn't have a slow scan option.

In another case, Sonatype seems to have a whitelist of build servers.
travis-ci/travis-ci#10053 (comment)

@vara-prasad

We are using the latest version, v0.19.2, and seeing the error below:

Analysis error: jar/war/ear parse error: failed to search by SHA1: status 403 Forbidden
from http://search.maven.org/solrsearch/select?q=1%3A%22a080d66963eaa0e3a4cabcc90a7798156b047fee%22&rows=1&wt=json

Any suggested workaround or option to use a Maven mirror to avoid the above error?

@github-actions

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Oct 30, 2021
@AkselAllas

I have the same problem.

failed to search by SHA1: status 403 Forbidden
from http://search.maven.org/solrsearch/

Any suggested workaround or option to use a Maven mirror to avoid the above error?
