We updated from version 2.3.3 to 2.3.5 and we started to get failures because the scanner cannot resolve the local package anymore.
The setup is fairly standard for Maven:
-> pom.xml
-> common-lib
|-> pom.xml
-> api
|-> pom.xml
The root contains:
<project>
  <modules>
    <module>common-lib</module>
    <module>api</module>
  </modules>
</project>
And the api contains:
<project>
  <dependencies>
    <dependency>
      <groupId>my.business</groupId>
      <artifactId>common-lib</artifactId>
      <version>1.0.0</version>
    </dependency>
  </dependencies>
</project>
We now get:
Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.
Starting filesystem walk for root: /
Scanned /home/runner/work/my-business/api/pom.xml file and found 23 packages
End status: 0 dirs visited, 1 inodes visited, 1 Extract calls, 505.17µs elapsed, 505.236µs wall time
Error during extraction: (extracting as transitivedependency/pomxml) failed resolving {Maven:my.business:api[Concrete:1.23.0] {}}: version Maven:my.business:common-lib[Concrete:1.0.0]: not found
Filtered 9 local/unscannable package/s from the scan.