DependencyCheck
Analysis does not continue after update failure
Describe the bug
After this is logged:
[WARNING] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
The intention is that analysis should continue. However, this is logged instead:
[ERROR] Unable to continue dependency-check analysis. [ERROR] Fatal exception(s) analyzing Project
Version of dependency-check used
The problem occurs using version 9.0.10 of the maven plugin.
Log file
https://gist.github.com/OrangeDog/24ce9447e015184ccf85ac647e17749b
To Reproduce
Steps to reproduce the behavior:
- Have a successful initial sync of the data
- Induce NVD updates to fail (these logs were while the service was unavailable)
- Run dependency-check:check
Expected behavior
The update fails, but then analysis continues.
Additional context
Retries disabled so it doesn't take 15 hours. However, my logs are also showing this bug: https://github.com/jeremylong/DependencyCheck/issues/6531#issuecomment-2012245631
<configuration>
<assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
<nodeAnalyzerEnabled>false</nodeAnalyzerEnabled>
<failOnError>false</failOnError>
<hintsFile>${project.basedir}/hints.xml</hintsFile>
<nvdApiServerId>nvd</nvdApiServerId>
<nvdMaxRetryCount>0</nvdMaxRetryCount>
<ossIndexServerId>sonatype-ossindex</ossIndexServerId>
<outputDirectory>${project.build.directory}/owasp-reports</outputDirectory>
<suppressionFile>${project.basedir}/suppressions.xml</suppressionFile>
</configuration>
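The two log lines quoted in the report mark two different outcomes: the WARNING alone means the scan finished on whatever NVD data was already in the local database (so recent CVEs may be missing), while the ERROR means no report was produced at all. A CI job that keys only on the plugin's exit code cannot tell these apart once failOnError is false. The following is an added example, not code from the issue or from the DependencyCheck project: a POSIX shell classifier that recognises those two messages and turns them into a build verdict. The policy name ODC_STALE_POLICY and the INFO filler lines in the sample logs are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the issue or the DependencyCheck project.
# Classifies a dependency-check log by the two messages quoted in the report and
# turns the result into a CI verdict. How to treat "stale" data (scan finished,
# but the NVD update failed, so recent CVEs may be missing) is a team decision;
# here it is selected by a hypothetical ODC_STALE_POLICY value of fail or warn.

# classify_odc_log TEXT -> prints one of: fresh | stale | failed
#   failed : fatal error present (with or without the warning); no report produced
#   stale  : update warning only; analysis continued on local data
#   fresh  : neither message; scan ran on freshly updated data
classify_odc_log() {
    case "$1" in
        *'Unable to continue dependency-check analysis'*|*'Fatal exception(s) analyzing'*)
            echo failed ;;
        *'Unable to update 1 or more Cached Web DataSource'*)
            echo stale ;;
        *)
            echo fresh ;;
    esac
}

# odc_gate POLICY TEXT -> exit 0 to pass the build, 1 to fail it.
#   POLICY=fail : stale data fails the build (strict: never gate on old feeds)
#   POLICY=warn : stale data passes, with a warning on stderr for the reviewer
# A "failed" log always fails, regardless of policy.
odc_gate() {
    policy="$1"
    verdict=$(classify_odc_log "$2")
    case "$verdict" in
        fresh)
            return 0 ;;
        stale)
            if [ "$policy" = fail ]; then
                echo "dependency-check ran on stale NVD data; failing build (policy=fail)" >&2
                return 1
            fi
            echo "WARNING: dependency-check ran on stale NVD data; review findings manually" >&2
            return 0 ;;
        *)
            echo "dependency-check did not complete; no report to gate on" >&2
            return 1 ;;
    esac
}

# Constructed sample logs for demonstration (abridged; the INFO lines are
# invented filler, the WARNING and ERROR lines are the ones quoted in the issue).
LOG_OK='[INFO] example filler line
[INFO] another example filler line'
LOG_STALE='[WARNING] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[INFO] example filler line'
LOG_FAILED='[WARNING] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[ERROR] Unable to continue dependency-check analysis.
[ERROR] Fatal exception(s) analyzing Project'

# Typical use from a CI step (not executed here): capture the plugin output,
# then gate on it with the chosen policy.
#   mvn dependency-check:check | tee odc.log
#   odc_gate "${ODC_STALE_POLICY:-fail}" "$(cat odc.log)"
```

With failOnError=false and nvdMaxRetryCount=0 as in the configuration above, the plugin itself will not fail the build on an update problem, so a gate like this is what decides whether a scan run against stale data is acceptable for the pipeline.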
It's always worked this way in my experience - if it can't update the feed or any of the linked sources (OSSINDEX, hosted suppressions, whatever), the plugin errors out, killing the build. The message sequence has been the same in the past, first the warning, then the error.
I thought this was by design. :-) This is not a regression, but it certainly could be considered a bug.
@bmeier-pros it is not by design: https://github.com/jeremylong/DependencyCheck/issues/6515#issuecomment-2012173674
@OrangeDog very interesting. As far back as I can remember, at least to 6.x, this has been the way it's worked for our builds. We do have failOnError set to true, perhaps that is part of it.
Our current configuration looks something like this:
dependencyCheck {
failBuildOnCVSS = 4.0
suppressionFiles = files("**/dependency-check-suppressions.xml")
analyzers {
experimentalEnabled = false
centralEnabled = false // hardcoded to access Maven Central, which is disallowed
assemblyEnabled = false // no .NET assemblies, avoid scanner failure
nuspecEnabled = false // no nuget specs, avoid scanner failure
ossIndex {
enabled = true
}
retirejs {
// Cached Retire JS repository
retireJsUrl = "${cache}/raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json"
}
// Cached known exploited vulnerabilities
knownExploitedURL = "${cache}/www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
}
nvd {
delay = 5000
maxRetryCount = 10
nvdApiKey = System.getenv("NVD_API_KEY")
}
hostedSuppressions {
// Cached hosted suppressions for false positives
url = "${cache}/jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml"
}
scanConfigurations = ['runtimeClasspath', 'compileClasspath', 'annotationProcessor']
}
I'm attempting to update to 9.0.10 from 9.0.9 and getting all sorts of strange behavior.
Yes, it's always been like this for me too. Since ~v4.
In my limited spare time - I'm going to have to check the SQL statement used in https://github.com/jeremylong/DependencyCheck/blob/0e183dad9bc1bdabd24f24ba6837d07ff3c42741/core/src/main/java/org/owasp/dependencycheck/Engine.java#L641-L643