owasp maven plugin 5.0.0-M1 uses user environment to determine encoding for dependency parsing

[INFO] --- dependency-check-maven:5.0.0-M1:check (default) @ tests2html ---
[INFO] Central analyzer disabled
[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 4 hours.
[INFO] Skipping RetireJS update since last update was within 24 hours.
[INFO] Check for updates complete (9 ms)
[INFO] Analysis Started
[WARNING] An unexpected error occurred during analysis of '/home/mark/.m2/repository/com/javaslang/javaslang/2.0.0-beta/javaslang-2.0.0-beta.jar' (Archive Analyzer): Malformed input or input contains unmappable characters: javaslang/?$Type$1ReflectionUtil.class
[ERROR]
java.nio.file.InvalidPathException: Malformed input or input contains unmappable characters: javaslang/?$Type$1ReflectionUtil.class
    at sun.nio.fs.UnixPath.encode (UnixPath.java:145)
    at sun.nio.fs.UnixPath.<init> (UnixPath.java:69)
    at sun.nio.fs.UnixFileSystem.getPath (UnixFileSystem.java:280)
    at java.nio.file.Path.resolve (Path.java:515)
    at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.extractArchive (ArchiveAnalyzer.java:536)
    at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.extractFiles (ArchiveAnalyzer.java:409)
    at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.extractAndAnalyze (ArchiveAnalyzer.java:251)
    at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.analyzeDependency (ArchiveAnalyzer.java:233)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:136)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:834)

That occurs only when LC_ALL=C, not when LC_ALL=de_DE.UTF-8.

Issue Analytics

  • State: open
  • Created 5 years ago
  • Reactions: 2
  • Comments:13 (1 by maintainers)

Top GitHub Comments

3 reactions
patrickherrera commented, Mar 16, 2020

Just adding ENV LC_ALL C.UTF-8 to my Dockerfile was sufficient to fix this for me (taken from https://stackoverflow.com/a/41648500/647581). My Docker image is based on Debian ‘buster’

2 reactions
Moes81 commented, Sep 20, 2019

Any update on this one? We’re running into the same issue: An unexpected error occurred during analysis of '/root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-compiler-embeddable/1.3.50/1251c1768e5769b06c2487d6f6cf8acf6efb8960/kotlin-compiler-embeddable-1.3.50.jar' (Archive Analyzer): Malformed input or input contains unmappable characters: javaslang/?.class

In our case, we ran the dependencyCheck inside a docker container. Upgrading to a container with the latest JDK solved the problem. Some funny guy thought it would be a good idea to name the class “Lambda.class” actually “λ.class”. Thank you for that great idea! 😄
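
Added example (not part of the original issue or of the dependency-check project): a small scanner that lists which jars in a local repository contain entry names that cannot be encoded in a given charset, which is the condition behind the InvalidPathException in the log above. It assumes the JVM encodes path names as US-ASCII under LC_ALL=C; the function names and the sample jar are constructed for illustration.

```python
import io
import sys
import zipfile
from pathlib import Path

# Constructed sample: the entry name follows the "λ.class" naming described in
# the comment above; it is not copied from the real javaslang jar.
SAMPLE_ENTRY = "javaslang/\u03bb.class"


def build_sample_jar():
    """Build a small in-memory jar containing one non-ASCII entry name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("javaslang/Tuple.class", b"\xca\xfe\xba\xbe")
        zf.writestr(SAMPLE_ENTRY, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def unencodable_entries(jar_bytes, charset="ascii"):
    """Return the entry names that cannot be represented in `charset`."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            try:
                name.encode(charset)
            except UnicodeEncodeError:
                bad.append(name)
    return bad


def scan_tree(root, charset="ascii"):
    """Map each jar under `root` to its entry names unencodable in `charset`."""
    hits = {}
    for jar in sorted(Path(root).rglob("*.jar")):
        try:
            bad = unencodable_entries(jar.read_bytes(), charset)
        except zipfile.BadZipFile:
            continue  # not a readable archive; skip it
        if bad:
            hits[str(jar)] = bad
    return hits


if __name__ == "__main__":
    # Usage: python scan_jars.py ~/.m2/repository   (defaults to current dir)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for jar, names in scan_tree(root).items():
        print(jar, names)
```

Any jar this reports for "ascii" is one the Archive Analyzer would fail to extract in a C-locale build container, so it is worth confirming such jars still appear in the dependency-check report after switching to a UTF-8 locale.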
