
Communication problem- api.nodesecurity.io, jeremylong.github.io


Hello, for some time we have been getting a problem when performing dependency checks.

Jobs were working fine; we didn't change anything, neither in the dependencies nor in the infrastructure or the proxy. Environment: server behind a proxy, non-whitelisted IPs are restricted, plugin version: latest, 3.0.2 at the moment (we have nvd.nist.gov whitelisted).

Jobs fail on the following:

09:42:39 [DependencyCheck] Exception Caught: org.owasp.dependencycheck.analyzer.exception.AnalysisException
09:42:39 [DependencyCheck] Cause: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 403 Forbidden"
09:42:39 [DependencyCheck] Message: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 403 Forbidden"
09:42:39 [DependencyCheck] org.owasp.dependencycheck.analyzer.exception.AnalysisException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 403 Forbidden"
09:42:39 [DependencyCheck] 	at org.owasp.dependencycheck.analyzer.NspAnalyzer.analyzeDependency(NspAnalyzer.java:272)
09:42:39 [DependencyCheck] 	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:137)
09:42:39 [DependencyCheck] 	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
09:42:39 [DependencyCheck] 	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
09:42:39 [DependencyCheck] 	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
09:42:39 [DependencyCheck] 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
09:42:39 [DependencyCheck] 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
09:42:39 [DependencyCheck] 	at java.lang.Thread.run(Thread.java:745)
09:42:39 [DependencyCheck] Caused by: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 403 Forbidden"
09:42:39 [DependencyCheck] 	at sun.net.www.protocol.http.HttpURLConnection.doTunneling(HttpURLConnection.java:2084)
09:42:39 [DependencyCheck] 	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:183)
09:42:39 [DependencyCheck] 	at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
09:42:39 [DependencyCheck] 	at org.owasp.dependencycheck.data.nsp.NspSearch.submitPackage(NspSearch.java:114)
09:42:39 [DependencyCheck] 	at org.owasp.dependencycheck.analyzer.NspAnalyzer.analyzeDependency(NspAnalyzer.java:174)
09:42:39 [DependencyCheck] 	... 7 more
09:42:39 [DependencyCheck] 
09:42:39 Build step 'Invoke OWASP Dependency-Check analysis' changed build result to FAILURE

After some searching, we found that the plugin is trying to communicate with other sites on HTTPS, port 443: jeremylong.github.io and api.nodesecurity.io (as I mentioned above, what is not whitelisted is restricted; we did not have these sites whitelisted because there was no reason to in the past). The communication is below:

Dec 19 08:32:40 <our proxy ip> 2017-12-19 08:32:39 12675 <OUR IP> - - - - OBSERVED "Government/Legal;Technology/Internet" - 200 TCP_TUNNELED CONNECT - tcp nvd.nist.gov 443 / - - "Java/1.8.0_60" 165.72.197.34 2370590 977 -
Dec 19 08:34:07 <our proxy ip> 2017-12-19 08:34:06 22 <OUR IP> - - - policy_denied DENIED "Technology/Internet" - 403 TCP_DENIED CONNECT - tcp jeremylong.github.io 443 / - - "Java/1.8.0_60" 165.72.197.33 184 192 -
Dec 19 08:34:10 <our proxy ip> 2017-12-19 08:34:10 72 <OUR IP> - - - policy_denied DENIED "Technology/Internet" - 403 TCP_DENIED CONNECT - tcp api.nodesecurity.io 443 / - - "Java/1.8.0_60" 165.72.197.33 184 190 -
Dec 19 08:41:19 <our proxy ip> 2017-12-19 08:41:17 614 <OUR IP> - - - - OBSERVED "Technology/Internet;Office/Business Applications" - 200 TCP_TUNNELED CONNECT - tcp github.com 443 / - - "Java/1.8.0_60" 165.72.197.33 7351 913 -
Dec 19 08:41:29 <our proxy ip> 2017-12-19 08:41:28 10473 <OUR IP> - - - - OBSERVED "Software Downloads;Content Servers" - 200 TCP_TUNNELED CONNECT - tcp github-production-release-asset-2e65be.s3.amazonaws.com 443 / - - "Java/1.8.0_60" <another IP> 3578 1550 -
Dec 19 08:42:38 <our proxy ip> 2017-12-19 08:42:38 4 <OUR IP> - - - policy_denied DENIED "Technology/Internet" - 403 TCP_DENIED CONNECT - tcp jeremylong.github.io 443 / - - "Java/1.8.0_60" 165.72.197.34 186 192 -
Dec 19 08:42:40 <our proxy ip> 2017-12-19 08:42:39 65 <OUR IP> - - - policy_denied DENIED "Technology/Internet" - 403 TCP_DENIED CONNECT - tcp api.nodesecurity.io 443 / - - "Java/1.8.0_60" 165.72.197.33 184 190 -

Can you please provide us some info on whether it is necessary to communicate with these sites or not? Can you please provide us some info about the communication scheme in the case of dependency checking? It looks like the plugin is trying to communicate with these sites first, before the NVD database, and in our case that of course fails.

We are confused because it was working before, but not anymore. Did something change, or?

Thanks for any info. Pavel Novak
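The proxy log above already answers the "which sites does it talk to" question, if you pull the CONNECT destinations out of it instead of reading it by eye. The script below is an added example (not part of the issue or of Dependency-Check) that parses those exact lines, groups the scanner's egress by destination, and lists the hosts that were denied every time, i.e. the ones that would need an allowlist entry or the corresponding analyzer turned off. The field layout is an assumption inferred from the lines on the page (a Blue Coat-style access log); the regex only relies on the timestamp-to-user-agent portion, and the Java user agent is what picks the Dependency-Check JVM out of other traffic.

```python
import re

# The proxy access-log lines quoted in the issue above, copied as they appear
# there (redaction placeholders such as <OUR IP> kept), embedded so the
# example runs offline.
PROXY_LOG = """\
Dec 19 08:32:40 <our proxy ip> 2017-12-19 08:32:39 12675 <OUR IP> - - - - OBSERVED "Government/Legal;Technology/Internet" - 200 TCP_TUNNELED CONNECT - tcp nvd.nist.gov 443 / - - "Java/1.8.0_60" 165.72.197.34 2370590 977 -
Dec 19 08:34:07 <our proxy ip> 2017-12-19 08:34:06 22 <OUR IP> - - - policy_denied DENIED "Technology/Internet" - 403 TCP_DENIED CONNECT - tcp jeremylong.github.io 443 / - - "Java/1.8.0_60" 165.72.197.33 184 192 -
Dec 19 08:34:10 <our proxy ip> 2017-12-19 08:34:10 72 <OUR IP> - - - policy_denied DENIED "Technology/Internet" - 403 TCP_DENIED CONNECT - tcp api.nodesecurity.io 443 / - - "Java/1.8.0_60" 165.72.197.33 184 190 -
Dec 19 08:41:19 <our proxy ip> 2017-12-19 08:41:17 614 <OUR IP> - - - - OBSERVED "Technology/Internet;Office/Business Applications" - 200 TCP_TUNNELED CONNECT - tcp github.com 443 / - - "Java/1.8.0_60" 165.72.197.33 7351 913 -
Dec 19 08:41:29 <our proxy ip> 2017-12-19 08:41:28 10473 <OUR IP> - - - - OBSERVED "Software Downloads;Content Servers" - 200 TCP_TUNNELED CONNECT - tcp github-production-release-asset-2e65be.s3.amazonaws.com 443 / - - "Java/1.8.0_60" <another IP> 3578 1550 -
Dec 19 08:42:38 <our proxy ip> 2017-12-19 08:42:38 4 <OUR IP> - - - policy_denied DENIED "Technology/Internet" - 403 TCP_DENIED CONNECT - tcp jeremylong.github.io 443 / - - "Java/1.8.0_60" 165.72.197.34 186 192 -
Dec 19 08:42:40 <our proxy ip> 2017-12-19 08:42:39 65 <OUR IP> - - - policy_denied DENIED "Technology/Internet" - 403 TCP_DENIED CONNECT - tcp api.nodesecurity.io 443 / - - "Java/1.8.0_60" 165.72.197.33 184 190 -
"""

# Field layout inferred from the lines above (assumption: a Blue Coat-style
# ELFF access log). Only the named groups are relied on; everything before
# the ISO timestamp and after the user agent is ignored.
LINE_RE = re.compile(
    r'(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \d+ (?P<client>.+?) - - - '
    r'(?P<filter>\S+) (?P<result>OBSERVED|DENIED) "(?P<category>[^"]*)" - '
    r'(?P<status>\d{3}) (?P<action>TCP_\w+) (?P<method>[A-Z]+) - (?P<proto>\w+) '
    r'(?P<host>\S+) (?P<port>\d+) \S+ - - "(?P<user_agent>[^"]*)"'
)


def parse_proxy_line(line):
    """Return the named fields of one CONNECT record, or None if the line
    does not match the layout."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["port"] = int(rec["port"])
    rec["denied"] = rec["result"] == "DENIED"
    return rec


def egress_summary(log_text, user_agent_prefix="Java/"):
    """Group the scanner's outbound CONNECTs by destination. The Java user
    agent is what identifies the Dependency-Check JVM in this log."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None or not rec["user_agent"].startswith(user_agent_prefix):
            continue
        dest = f'{rec["host"]}:{rec["port"]}'
        entry = summary.setdefault(dest, {"allowed": 0, "denied": 0, "reasons": set()})
        entry["denied" if rec["denied"] else "allowed"] += 1
        if rec["filter"] != "-":
            entry["reasons"].add(rec["filter"])
    return summary


def blocked_destinations(log_text):
    """Destinations the proxy denied every time: the hosts a scan needs on
    the allowlist (or the matching analyzer disabled) before the job passes."""
    return sorted(d for d, e in egress_summary(log_text).items()
                  if e["denied"] and not e["allowed"])


def allowlist_gaps(log_text, allowlist):
    """Hosts the scanner contacted that are not on the explicit allowlist,
    whether or not the proxy let them through on some other rule."""
    hosts = {dest.split(":")[0] for dest in egress_summary(log_text)}
    return sorted(hosts - set(allowlist))


if __name__ == "__main__":
    for dest, e in sorted(egress_summary(PROXY_LOG).items()):
        print(f'{dest:60} allowed={e["allowed"]} denied={e["denied"]} {sorted(e["reasons"])}')
    print("blocked:", blocked_destinations(PROXY_LOG))
    print("not on allowlist:", allowlist_gaps(PROXY_LOG, {"nvd.nist.gov"}))
```

Run against the lines in the issue it reports jeremylong.github.io:443 and api.nodesecurity.io:443 as blocked by `policy_denied`, and `allowlist_gaps` with only nvd.nist.gov allowed also flags github.com and the S3 release-asset host, which the same log shows being tunneled through (presumably on a category rule rather than the explicit allowlist). That second list is the one to review with whoever owns the proxy policy: a scanner whose egress depends on category classification will break the next time a category changes.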

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments:7 (1 by maintainers)

Top GitHub Comments

1 reaction
jeremylong commented, Dec 21, 2017

The check to jeremylong.github.io is just a simple version check - it pulls down jeremylong.github.io/DependencyCheck/current.txt and compares the version you are running to the latest published version - if you are behind, it prints a warning message indicating you should upgrade. This can be disabled by setting a system property (updater.versioncheck.enabled) to false (i.e. in mvn add -Dupdater.versioncheck.enabled=false).

The usage of NSP was added with the updates to support node.js. The root package.json of a node app is parsed and some of the info is sent off to NSP for analysis. The NSP analyzer can be disabled - see the documentation site for more details.
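The version check the maintainer describes is advisory: it only produces a warning, so a proxy that blocks it should cost the warning and nothing else. The following is an added re-implementation of that check (example code, not the project's own; how the real plugin behaves when the download is blocked is not stated on this page), written so that the lookup can be switched off the way the `updater.versioncheck.enabled` property does and so that a blocked or garbled download degrades to "skipped" instead of an exception. The URL is the one named above; the version format (dotted integers with an optional `-qualifier`) and the `fetch` injection point are assumptions made for the example.

```python
from urllib.request import Request, urlopen

# The file the comment above names. Everything else here is an added
# illustration of the described check, not Dependency-Check's code.
VERSION_URL = "https://jeremylong.github.io/DependencyCheck/current.txt"


def parse_version(text):
    """'3.0.2' -> ((3, 0, 2), ''); '3.1.0-SNAPSHOT' -> ((3, 1, 0), 'SNAPSHOT').
    Assumption: dotted integers with an optional '-qualifier'. Raises
    ValueError on anything else (e.g. an HTML block page from the proxy)."""
    core, _, qualifier = text.strip().partition("-")
    return tuple(int(p) for p in core.split(".")), qualifier


def is_outdated(running, latest):
    """True when `running` is strictly older than `latest` on the numeric
    part; 3.0 and 3.0.0 compare equal."""
    r, _ = parse_version(running)
    l, _ = parse_version(latest)
    width = max(len(r), len(l))
    return r + (0,) * (width - len(r)) < l + (0,) * (width - len(l))


def fetch_latest_version(url=VERSION_URL, timeout=5):
    """Download current.txt. urllib honours https_proxy from the environment,
    so on a build host this takes the same CONNECT path the proxy log in the
    issue shows, and a 403 from the proxy surfaces here as an OSError."""
    req = Request(url, headers={"User-Agent": "version-check-example"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("ascii", "replace").strip()


def check_for_update(running, enabled=True, fetch=fetch_latest_version):
    """Advisory check: returns (outdated, message) where outdated is True or
    False, or None when the check was disabled or could not run. It never
    raises: a blocked egress must not fail the scan it is a side note to."""
    if not enabled:
        return None, "version check disabled"
    try:
        latest = fetch()
        outdated = is_outdated(running, latest)
    except (OSError, ValueError) as exc:
        return None, f"version check skipped: {exc}"
    if outdated:
        return True, f"dependency-check {running} is outdated; latest is {latest}"
    return False, f"dependency-check {running} is current ({latest})"


if __name__ == "__main__":
    # Real lookup; behind the proxy from the issue this prints "skipped".
    print(check_for_update("3.0.2")[1])
```

The NSP lookup in the stack trace above is the opposite case: it is part of the analysis itself, so a 403 on api.nodesecurity.io correctly fails the analyzer, and the choice is between allowlisting the host and disabling the analyzer as the comment suggests.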

0 reactions
lock[bot] commented, Sep 27, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.


Top Results From Across the Web

Issues - GitHub
[2.1.1/Maven plugin] Build failure due to connection error - Unable to connect to 'https://api.nodesecurity.io/check' #882.

Utilize NVD API instead of data feed · Issue #4732 - GitHub
I was intending to mirror it daily into an NFS volume via https://jeremylong.github.io/DependencyCheck/data/cachenvd.html but then I found ...

Please consider using NVD for npm packages #1249 - GitHub
it appears NSP was acquired by NPM, so we're getting a [ERROR] api.nodesecurity.io now in the logs. Any ideas moving forward on what...

Indicate URL in non-200 status error message · Issue #1182 ...
Maybe something as simple as: throw new DownloadFailedException(format("%s request returned a non-200 status code for URL: " + url, httpMethod));.

TLS Connection Reset · Issue #3615 - GitHub
Issue - TLS Connection Reset OWASP dependency check command line tool ... "http://jeremylong.github.io/DependencyCheck/data/tlsfailure.html.
