
Unable to continue dependency-check Unable to obtain an exclusive lock on the H2 database to perform updates

Open eliassal opened this issue 1 year ago • 6 comments

Describe the bug

On an Ubuntu VM, I have set up dependency-check according to the instructions at https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html as myuser. This Ubuntu VM is a Jenkins agent launched by an SSH root session. When I run the following on the command line, logged in as myuser:

    dependency-check --project "cicd-pipeline-train-schedule-gradle" --scan ./ --format XML --out dependency-check-report.xml

it works fine and the report is generated. However, when I run the same command in a Jenkins pipeline I get

  • /home/linuxbrew/.linuxbrew/bin/dependency-check --project DevSecOps-DotNet-CI-CD-Ubunt --scan ./ --format XML --out dependency-check-report.xml
    [WARN] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
    [ERROR] Unable to continue dependency-check analysis.
    [ERROR] One or more fatal errors occurred
    [ERROR] Unable to obtain an exclusive lock on the H2 database to perform updates
    [ERROR] No documents exist

sonar-dependency-check-4.0.1 The problem occurs using version in jenkins pipeline which calls the task using

    sh '/home/linuxbrew/.linuxbrew/bin/dependency-check --project "cicd-pipeline-train-schedule-gradle" --scan ./ --format XML --out dependency-check-report.xml'

Log file

    [Pipeline] { (OWASP Dependency Check)
    [Pipeline] sh
  • /home/linuxbrew/.linuxbrew/bin/dependency-check --project DevSecOps-DotNet-CI-CD-Ubunt --scan ./ --format XML --out dependency-check-report.xml
    [WARN] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
    [ERROR] Unable to continue dependency-check analysis.
    [ERROR] One or more fatal errors occurred
    [ERROR] Unable to obtain an exclusive lock on the H2 database to perform updates
    [ERROR] No documents exist
    [Pipeline] }
    [Pipeline] // stage
    [Pipeline] }
    [Pipeline] // node
    [Pipeline] End of Pipeline
    ERROR: script returned exit code 13
    Finished: FAILURE

To Reproduce

Steps to reproduce the behavior:

  1. Install dependency-check on the Ubuntu VM which is a Jenkins agent
  2. On the Jenkins machine, configure a pipeline
  3. Add a step using SH on the remote Ubuntu agent
  4. Trigger the pipeline

Expected behavior

A report to be generated in XML

Additional context

As indicated, I did the setup while I was logged in as myuser. The Jenkins master connects and triggers the agent on the Ubuntu agent VM as root

eliassal avatar Dec 17 '23 09:12 eliassal

There are likely other errors above what you've posted that explain what went wrong. My guess is that the NVD data was unable to be downloaded. Here are the two links that can help you with your deployment:

  1. https://github.com/jeremylong/DependencyCheck?tab=readme-ov-file#nvd-api-key-highly-recommended
  2. https://jeremylong.github.io/DependencyCheck/data/index.html

I need to re-write/re-arrange some of this documentation so it is all in one place and very visible. With the second link you likely need to focus only on items 2-4 under the heading "The NVD Database". Note that this is all under internet access required - and with 9.x, while true, doesn't give the true intent of the section I mentioned.

jeremylong avatar Dec 17 '23 10:12 jeremylong

So many thanks for your feedback. OK, I got an NVD key, how do I feed it to the tool? In fact I see that there is an nvd argument for the command line, but can this be configured somewhere?

eliassal avatar Dec 17 '23 13:12 eliassal

Jeremy, I did obtain an NVD API key and added it to the command but it did not help, I got the exact same error/failure

/home/linuxbrew/.linuxbrew/bin/dependency-check --project DevSecOps-DotNet-CI-CD-Ubunt --nvdApiKey xxxxxxxxx-8xxx-4fe2-a2b7-xxxxxxxxxxxxxx --scan ./ --format XML --out dependency-check-report.xml

    [WARN] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
    [ERROR] Unable to continue dependency-check analysis.
    [ERROR] One or more fatal errors occurred
    [ERROR] Unable to obtain an exclusive lock on the H2 database to perform updates
    [ERROR] No documents exist

eliassal avatar Dec 17 '23 18:12 eliassal

As I said before: "There are likely other errors above what you've posted that explain what went wrong." You may need to add --log odc.log to the command executed.

jeremylong avatar Dec 17 '23 18:12 jeremylong

Jeremy, as I said, I was not able to install the tool using brew with sudo or as root so I installed it as myuser. The error led me to think that it was a permission issue on the folder /home/linuxbrew. I changed the permissions for others to be "Read & Write" and Hoooooop, the analysis went through as you can notice in the snapshot. However, when I visit the SonarQube analysis page > More > Dependency-Check I get

    No HTML-Report found. Please check property sonar.dependencyCheck.htmlReportPath

(2nd snapshot), in spite of the fact that the report is generated (3rd snapshot), nor on the sidebar in the Jenkins build

eliassal avatar Dec 17 '23 19:12 eliassal

I know nothing about the sonar integration. But I'm assuming you need to add --format XML --format HTML

jeremylong avatar Dec 17 '23 19:12 jeremylong
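
Added example, not part of the original thread or the project's own code: a preflight check for the situation reported above (tool installed as myuser, Jenkins agent running as root) that confirms the data directory is owned and writable by the invoking account without being open to "others", then runs the scan with the --log and repeated --format options suggested in the replies. The helper names and the directory argument are assumptions; --data is the CLI option that selects the data directory.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, paths are supplied by the caller.

# Print a status word for the dependency-check data directory and return:
#   0 ok              owned by the caller, writable, closed to "others"
#   1 missing         path is not a directory
#   2 not-writable    caller cannot create the H2 lock/update files here
#   3 foreign-owner   directory belongs to a different account
#   4 world-writable  any local account could alter the cached NVD data
odc_data_dir_status() {
    dir=$1
    if [ ! -d "$dir" ]; then echo missing; return 1; fi
    if [ ! -w "$dir" ]; then echo not-writable; return 2; fi
    # find prints the path only when the test matches (GNU and BSD find)
    if [ -z "$(find "$dir" -maxdepth 0 -user "$(id -u)")" ]; then
        echo foreign-owner; return 3
    fi
    if [ -n "$(find "$dir" -maxdepth 0 -perm -0002)" ]; then
        echo world-writable; return 4
    fi
    echo ok
}

# Run the scan from the thread against a per-account data directory.
# Usage: odc_scan <data-dir> <project-name>
odc_scan() {
    data_dir=$1
    project=$2
    # Create the directory privately if it does not exist yet.
    [ -d "$data_dir" ] || mkdir -p -m 700 "$data_dir" || return 1
    status=$(odc_data_dir_status "$data_dir") || {
        echo "refusing to scan: data directory is $status" >&2
        return 1
    }
    # Both report formats are written into the current directory.
    dependency-check --project "$project" --scan ./ \
        --data "$data_dir" --log odc.log \
        --format XML --format HTML --out .
}
```

Calling odc_scan with a directory under the job account's own home keeps the root-launched pipeline and the interactive account from sharing one H2 database.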