
Error running dependency-check with Maven/Jenkins


Hi! I am running into an issue with maven-dependency-check plugin. The issue sums up to allowing XML/XSD parsing through Maven via Jenkins. How should I set the accessExternalSchema property? Thx

Logs

...
16:49:31 [INFO] Created CPE Index (4 seconds)
16:49:31 [WARNING] Unable to parse suppression xml file 'dependency-check-suppression.xml'
16:49:31 [WARNING] org.owasp.dependencycheck.xml.suppression.SuppressionParseException: org.xml.sax.SAXException: Line=2, Column=281: schema_reference: Failed to read schema document 'dependency-suppression.1.2.xsd', because 'file' access is not allowed due to restriction set by the accessExternalSchema property. 
16:49:31 [ERROR] Exception occurred initializing CPE Analyzer.
16:49:31 [INFO] Finished CPE Analyzer (4 seconds)
16:49:31 [INFO] Finished False Positive Analyzer (0 seconds)
16:49:31 [INFO] Finished NVD CVE Analyzer (0 seconds)
16:49:31 [INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
16:49:32 [WARNING] Unable to parse suppression xml file 'dependency-check-suppression.xml'
16:49:32 [WARNING] org.owasp.dependencycheck.xml.suppression.SuppressionParseException: org.xml.sax.SAXException: Line=2, Column=281: schema_reference: Failed to read schema document 'dependency-suppression.1.2.xsd', because 'file' access is not allowed due to restriction set by the accessExternalSchema property. 
16:49:32 [ERROR] Exception occurred initializing Vulnerability Suppression Analyzer.
16:49:32 [INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
16:49:32 [INFO] Finished Dependency Bundling Analyzer (0 seconds)
16:49:32 [INFO] Analysis Complete (5 seconds)
...

POM.xml

The plugin version is 5.1.0. A test with previous version 3.0.2 also failed in a similar manner.

<build>
  <pluginManagement>
    <plugins>
      ...
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency.check.plugin.version}</version>
      </plugin>
     ....
    </plugins>
  </pluginManagement>
</build>
....
<profile>
  <id>owasp</id>
  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
            <configuration>
              <outputDirectory>${project.build.directory}/owasp</outputDirectory>
              <name>dependency-check-report</name>
              <format>XML</format>
              <accessExternalSchema>all</accessExternalSchema>
              <showSummary>false</showSummary>
              <skipProvidedScope>true</skipProvidedScope>
              <rubygemsAnalyzerEnabled>false</rubygemsAnalyzerEnabled>
              <bundleAuditAnalyzerEnabled>false</bundleAuditAnalyzerEnabled>
              <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
              <nspAnalyzerEnabled>false</nspAnalyzerEnabled>
              <suppressionFiles>dependency-check-suppression.xml</suppressionFiles>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</profile>

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 7 (4 by maintainers)

Top GitHub Comments

1 reaction
mprins commented, Jul 16, 2019

I’ve seen this in fully qualified schema/namespace; the default for SAX parsers is to disallow downloading (== external to the suppression file) schema files.

You may be able to configure this using -Djavax.xml.accessExternalSchema=all on your command line.

See also: https://docs.oracle.com/javase/tutorial/jaxp/properties/properties.html

0 reactions
tiguchi commented, Jul 20, 2019

Thanks for your help! I can confirm that your suggestion works for me.

I’m not sure where those extra schema location attributes are coming from (maybe IntelliJ IDEA code completion when I tried to format and edit the file), but they seem to be causing the issue. Removing xmlns:xsi and xsi:schemaLocation and updating the schema version to 1.3 sorts out the problem.

Interesting - I might suggest updating your suppression file to the latest schema (1.3). Using a definition like this I have run several tests and have not run into any issues.

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
</suppressions>

On Fri, Jul 19, 2019 at 1:01 PM Thomas Iguchi @.**> wrote:

I started having the same problem on my Jenkins installation, after I upgraded the Gradle (not Maven) dependency checker plugin to the currently latest version. Here’s the error log:

Unable to parse suppression xml file ‘owasp-suppression.xml’
org.owasp.dependencycheck.xml.suppression.SuppressionParseException: org.xml.sax.SAXException: Line=5, Column=80: schema_reference: Failed to read schema document ‘dependency-suppression.1.1.xsd’, because ‘https’ access is not allowed due to restriction set by the accessExternalSchema property.
Exception occurred initializing CPE Analyzer.
Unable to parse suppression xml file ‘owasp-suppression.xml’
org.owasp.dependencycheck.xml.suppression.SuppressionParseException: org.xml.sax.SAXException: Line=5, Column=80: schema_reference: Failed to read schema document ‘dependency-suppression.1.1.xsd’, because ‘https’ access is not allowed due to restriction set by the accessExternalSchema property.
Exception occurred initializing Vulnerability Suppression Analyzer

Here’s my owasp-suppression.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsdhttps://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd ">
  <suppress>
    <notes><![CDATA[ file name: postgresql-42.2.5.jar ]]></notes>
    <gav regex="true">^org.postgresql:postgresql:.$</gav>
    <cve>CVE-2016-7048</cve>
  </suppress>
</suppressions>

mprins’ workaround <#2073 (comment)> fixes the problem and I can successfully run the dependency check as follows:

./gradlew -Djavax.xml.accessExternalSchema=all dependencyCheckAnalyze
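The fix the thread settles on (drop xmlns:xsi and xsi:schemaLocation from the suppression file and point its namespace at the 1.3 schema) written up as a small lint-and-rewrite script. This is an added example, not code from the GitHub thread or from dependency-check itself; the SAMPLE_BAD file is constructed to resemble the owasp-suppression.xml posted above, and the lint/fix function names are my own. Fixing the file this way keeps the JVM's default accessExternalSchema restriction in place, whereas -Djavax.xml.accessExternalSchema=all relaxes it for every XML parser in that JVM (see the Oracle JAXP properties page linked in mprins' comment).

```python
"""Lint/fix an OWASP dependency-check suppression file for the attributes that
make the JAXP parser try to fetch the XSD externally (the accessExternalSchema
error in this thread). Added example; not part of dependency-check."""
import re
import sys
import xml.etree.ElementTree as ET

XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
# Namespace of the suppression schemas named in the thread (1.1, 1.2, 1.3).
NS_RE = re.compile(
    r"^https?://jeremylong\.github\.io/DependencyCheck/dependency-suppression\.(\d+\.\d+)\.xsd$"
)
LATEST = "1.3"  # the schema version recommended in the thread

# xmlns:xsi / xsi:schemaLocation attributes inside the root start tag
XSI_ATTR_RE = re.compile(r'\s+(?:xmlns:xsi|xsi:schemaLocation)\s*=\s*(?:"[^"]*"|\'[^\']*\')')

# Constructed sample modelled on the owasp-suppression.xml posted in the thread.
SAMPLE_BAD = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <notes><![CDATA[ file name: postgresql-42.2.5.jar ]]></notes>
    <gav regex="true">^org\\.postgresql:postgresql:.*$</gav>
    <cve>CVE-2016-7048</cve>
  </suppress>
</suppressions>
"""


def lint(xml_text: str) -> list:
    """Return a list of findings (empty when the file needs no change)."""
    findings = []
    root = ET.fromstring(xml_text)
    m = re.fullmatch(r"\{(.*)\}suppressions", root.tag)
    if not m:
        return ["root element %r is not a namespaced <suppressions>" % root.tag]
    ns = NS_RE.match(m.group(1))
    if not ns:
        findings.append("unexpected namespace %r" % m.group(1))
    elif ns.group(1) != LATEST:
        findings.append("schema version %s; latest is %s" % (ns.group(1), LATEST))
    loc = root.get("{%s}schemaLocation" % XSI_NS)
    if loc is not None:
        findings.append("xsi:schemaLocation present: the parser resolves the XSD from this "
                        "hint, which the accessExternalSchema restriction blocks")
        if len(loc.split()) % 2:
            findings.append("xsi:schemaLocation is not whitespace-separated namespace/URL pairs")
    return findings


def fix(xml_text: str) -> str:
    """Drop the xsi attributes and point the namespace at the latest schema.
    Only the root start tag is rewritten, so <suppress> entries stay byte-identical."""
    start = xml_text.index("<suppressions")
    end = xml_text.index(">", start)
    tag = XSI_ATTR_RE.sub("", xml_text[start:end])
    tag = re.sub(r"dependency-suppression\.\d+\.\d+\.xsd",
                 "dependency-suppression.%s.xsd" % LATEST, tag)
    return xml_text[:start] + tag + xml_text[end:]


if __name__ == "__main__":
    # Usage: python lint_suppression.py [path/to/suppression.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BAD
    for finding in lint(text):
        print("finding:", finding)
    print("--- rewritten file ---")
    print(fix(text), end="")
```

Run it with no argument to see the two findings on the constructed sample (old schema version, xsi:schemaLocation present) and the rewritten file; run it against a real suppression file to check it before committing. The rewrite touches only the root start tag, so every <suppress> entry, including its CDATA notes and regexes, is left exactly as written.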
