OSS Index Analyzer uses the wrong server ID
Describe the bug
There seems to be a bug in the OSS Index Analyzer in the Maven plugin. When using a CVE cache with a configured cveServerId, it seems that the OSS Index Analyzer uses this server ID for calling the OSS Index service. The OSS Index Analyzer then fails. Worse: it seems that the OSS Index Analyzer sends the username and password of the CVE Analyzer to the OSS Index service.
Version of dependency-check used
The problem occurs using version 6.0.2 of the maven plugin.
Log file
The log file shows internals; please see the extract of the log below.
To Reproduce
Steps to reproduce the behavior:
- Configure the maven plugin like:

```xml
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>${owasp-dependency-check-plugin.version}</version>
    <configuration>
        <cveServerId>myserver</cveServerId>
        <cveUrlModified>https://myserver/my-cache/nvdcve-1.1-modified.json.gz</cveUrlModified>
        <cveUrlBase>https://myserver/my-cache/nvdcve-1.1-%d.json.gz</cveUrlBase>
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <skipProvidedScope>true</skipProvidedScope>
        <connectionTimeout>60000</connectionTimeout>
        <suppressionFiles>
            <file>${basedir}/.dependency-skip.xml</file>
        </suppressionFiles>
        <outputDirectory>${basedir}/target/site</outputDirectory>
        <dataDirectory>${basedir}/target/dependency-check</dataDirectory>
    </configuration>
</plugin>
```

- Configure myserver with the correct username and password in your Maven settings.xml.
- Run the dependency-check:

```shell
mvn clean dependency-check:check
```
The outcome is that the CVE files are correctly downloaded from the caching server with the correct credentials. But the OSS Index Analyzer then finally fails; it seems to be using the cveServerId credentials:
```
[DEBUG] Adding user/pw from settings.xml as basic authorization
[DEBUG] Connecting to: https://ossindex.sonatype.org/api/v3/component-report
[DEBUG] Begin Analysis of '/Users/kean/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar' (Sonatype OSS Index Analyzer)
[WARNING] An error occurred while analyzing '/Users/kean/.m2/repository/org/springframework/boot/spring-boot-starter-web/2.3.3.RELEASE/spring-boot-starter-web-2.3.3.RELEASE.jar' (Sonatype OSS Index Analyzer).
[DEBUG] org.owasp.dependencycheck.analyzer.exception.AnalysisException: Invalid credentails provided for OSS Index
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:142)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
[DEBUG] Begin Analysis of '/Users/kean/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar' (Sonatype OSS Index Analyzer)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:834)
Caused by: org.sonatype.ossindex.service.client.transport.Transport$TransportException: Unexpected response; status: 401
    at org.sonatype.ossindex.service.client.transport.HttpUrlConnectionTransport.post (HttpUrlConnectionTransport.java:106)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.doRequestComponentReports (OssindexClientImpl.java:204)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.requestComponentReports (OssindexClientImpl.java:170)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.requestReports (OssIndexAnalyzer.java:198)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:138)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:834)
```
When removing the cve settings on the plugin in pom.xml, the plugin downloads from the NIST DB and the OSS Index Analyzer succeeds without using basic-auth.
Furthermore, it is not possible to set the ossIndexServerId in the pom.xml, the setting seems to be ignored.
Expected behavior
Do not use cveServerId for OSS Index Analysis. Use ossIndexServerId for OSS Index Analysis.
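A quick way to confirm from a debug log which hosts actually received settings.xml credentials, added here as an example and not part of the report or of dependency-check itself: it pairs each "Adding user/pw from settings.xml as basic authorization" line with the "Connecting to:" line that follows it and reports every credentialed host outside the operator's allow-list (here, only the cache host). The log extract is constructed for the example, modelled on the lines quoted above.

```python
import re
from urllib.parse import urlparse

# Constructed log extract modelled on the report's debug output (not a real run).
SAMPLE_LOG = """\
[DEBUG] Adding user/pw from settings.xml as basic authorization
[DEBUG] Connecting to: https://myserver/my-cache/nvdcve-1.1-modified.json.gz
[DEBUG] Adding user/pw from settings.xml as basic authorization
[DEBUG] Connecting to: https://ossindex.sonatype.org/api/v3/component-report
[DEBUG] Begin Analysis of '/path/logback-classic-1.2.3.jar' (Sonatype OSS Index Analyzer)
[DEBUG] Connecting to: https://ossindex.sonatype.org/api/v3/component-report
"""

BASIC_AUTH_MARK = "Adding user/pw from settings.xml as basic authorization"
CONNECT_RE = re.compile(r"\[DEBUG\] Connecting to: (\S+)")


def credentialed_hosts(log_text):
    """Return {host: count} for every host that received settings.xml credentials.

    The plugin logs the basic-auth line right before the matching
    'Connecting to:' line, so a pending flag is enough to pair them;
    unrelated lines in between (other threads) do not clear the flag.
    """
    pending = False
    hosts = {}
    for line in log_text.splitlines():
        if BASIC_AUTH_MARK in line:
            pending = True
            continue
        match = CONNECT_RE.search(line)
        if match:
            if pending:
                host = urlparse(match.group(1)).hostname
                hosts[host] = hosts.get(host, 0) + 1
            pending = False  # a connection without the auth line was anonymous
    return hosts


def leaked_to(log_text, allowed_hosts):
    """Hosts that got credentials but are not on the operator's allow-list."""
    return sorted(h for h in credentialed_hosts(log_text) if h not in allowed_hosts)


if __name__ == "__main__":
    # With only the cache host allowed, the OSS Index host is flagged.
    print(leaked_to(SAMPLE_LOG, {"myserver"}))
```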
Top GitHub Comments
A fix will be included in 6.0.3.
Update:
Disabling the OSS Index Analyzer on the command line works; the OSS Index Analyzer is not running:
The CVE configuration is as given above.