Nerd in Training

Reputation: 2230

Can't Authenticate Maven to Access Azure Artifacts from ADO Pipeline

I have an Azure pipeline that runs in the cloud and in there, I basically want to run a Blackduck scan. To make it easy, the Blackduck task runs a Maven command to build the dependency tree. In order to do so, it scans all the dependencies in my pom.xml.

I currently have 2 feeds in Azure DevOps: 1 feed that stores external libraries and 1 to store internal libraries developed in-house. All the dependencies that are external, the Maven command is able to retrieve, but not the internal ones. I keep getting a 401 Unauthorized error.

I have updated my pom.xml to include the credentials to connect to Azure Artifacts as shown here. I have also updated the settings.xml file to include the connection as well. Before the Maven command is run, I have added the Maven Authenticate task.

Yml pipeline:

    - task: PowerShell@2
      displayName: "Modify Settings.xml"
      inputs:
        targetType: 'inline'
        script: |
          $xmlPom = [xml]"<server>
                <id>Pack-All</id>
                <username>Bob</username>
                <password>$(ado.pat)</password>
              </server>"

          $file = "settings.xml"
          $origin = "$(M2_HOME)\conf"

          $xdoc = new-object System.Xml.XmlDocument

          $fileXml = resolve-path("$origin\$file")

          $xdoc.load($fileXml)

          $xdoc.settings.servers.AppendChild($xdoc.ImportNode($xmlPom.server, $true))

          $xdoc = [xml] $xdoc.OuterXml.Replace(" xmlns=`"`"", "")

          $xdoc.Save("$origin\$file")
    - task: MavenAuthenticate@0
      displayName: 'Maven Authenticate'
      inputs:
        artifactsFeeds: 'Pack-All'
    - task: SynopsysDetectTask@2
      displayName: "Run Black Duck analysis"
      condition: and(succeeded(), eq('${{ parameters.blackduck }}', 'true'))
      continueOnError: true
      inputs:
        Products: 'BD'
        BlackDuckService: 'Black Duck'
        DetectVersion: 'latest'
        DetectArguments: '--detect.project.name=$(Build.Repository.Name)Test --detect.binary.scan.file.path=$(Build.SourcesDirectory)\app.war --detect.maven.build.command=-DmavenFeedAuthenticate=true'

Maven command that the Blackduck task executes:

C:\ProgramData\chocolatey\lib\maven\apache-maven-3.6.3\bin\mvn.cmd -DmavenFeedAuthenticate=true dependency:tree -T1

Error Log:

[ERROR] Failed to execute goal on project dimload-ms-app-agg: Could not resolve dependencies for project ca.test-ms-app-agg:war:0.0.1-SNAPSHOT: Failed to collect dependencies at ca.cn.boot:helpers:jar:0.4.28950: Failed to read artifact descriptor for ca.test.boot:helpers:jar:0.4.28950: Could not transfer artifact ca.test.boot:helpers:pom:0.4.28950 from/to Test-All (https://pkgs.dev.azure.com/Test-Int/_packaging/Pack-All/maven/v1): Authentication failed for https://pkgs.dev.azure.com/Test-Int/_packaging/Pack-All/maven/v1/ca/test/boot/helpers/0.4.28950/helpers-0.4.28950.pom 401 Unauthorized -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionException

Upvotes: 1

Views: 9313

Answers (1)

Kevin Lu-MSFT

Reputation: 35514

From your YAML sample, you have added the MavenAuthenticate task. This task will automatically generate a settings.xml for the target feed.

This file exists in the path xxx\.m2\settings.xml.

So you don't need to add this file (settings.xml) manually. This can also help you simplify your code.

Authentication failed for https://pkgs.dev.azure.com/.... 401 Unauthorized

The possible cause of this issue is that the build service account does not have sufficient permissions for the feed.

You could try the following steps:

  1. Navigate to Artifacts -> Target Feed -> Feed Settings -> Permission.

  2. Set the Project Build Service (ProjectName Build Service (OrganizationName)) to the Contributor role within the target feed.

Or you could enable the option Allow Project-Scoped Builds.

On the other hand, from the feed URL, it seems to be an Organization-Scope feed.

You could check whether the "Limit job authorization scope to current project for non-release pipelines" option is enabled in Project Settings -> Pipelines.

You could try to disable the option.

Note: To disable this option, you need to disable the option in Organization Settings -> Settings first. Then you can disable the option at the project level.

Upvotes: 4
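
Added example, not part of the question or the answer: Maven picks the credentials for a repository by matching the repository <id> in pom.xml against a <server> <id> in settings.xml, so a feed whose id has no matching server entry has no credentials to send. The Python check below lists such feeds; its sample POM and settings are constructed, reusing ids shown on this page (Test-All from the error log, Pack-All from the pipeline), and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # '{http://maven.apache.org/POM/4.0.0}id' -> 'id'
    return tag.rsplit('}', 1)[-1]

def _text(elem, name):
    # Text of the first direct child called `name`, or '' if absent.
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or '').strip()
    return ''

def repositories(pom_xml):
    # {repository id: url} for every repository element declared in the POM.
    kinds = ('repository', 'pluginRepository', 'snapshotRepository')
    return {_text(e, 'id'): _text(e, 'url')
            for e in ET.fromstring(pom_xml).iter() if _local(e.tag) in kinds}

def server_ids(settings_xml):
    # Ids of all <server> entries, i.e. the ids Maven has credentials for.
    return {_text(e, 'id')
            for e in ET.fromstring(settings_xml).iter() if _local(e.tag) == 'server'}

def feeds_without_credentials(pom_xml, settings_xml, host='pkgs.dev.azure.com'):
    # Azure Artifacts repositories whose id matches no <server> id.
    servers = server_ids(settings_xml)
    return sorted(rid for rid, url in repositories(pom_xml).items()
                  if host in url and rid not in servers)

# Constructed sample input, reusing ids that appear on this page.
FEED_URL = 'https://pkgs.dev.azure.com/Test-Int/_packaging/Pack-All/maven/v1'
SAMPLE_POM = f'''<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>Test-All</id><url>{FEED_URL}</url></repository>
    <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
  </repositories>
</project>'''
SAMPLE_SETTINGS = '''<settings>
  <servers>
    <server><id>Pack-All</id><username>Bob</username><password>placeholder</password></server>
  </servers>
</settings>'''

if __name__ == '__main__':
    print(feeds_without_credentials(SAMPLE_POM, SAMPLE_SETTINGS))
```

Run it against the project's real pom.xml and the settings.xml that MavenAuthenticate writes under .m2 by reading both files and passing their contents to feeds_without_credentials.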
