
Task fails when NVD not available and failOnError = false

Open dh1337 opened this issue 5 years ago • 12 comments

we have set in our build.gradle: dependencyCheck { failOnError = false }

and are using the newest version: classpath("org.owasp:dependency-check-gradle:5.2.2") yet our task fails:

13:27:52 Verifying dependencies for project association
13:28:01 Checking for updates and analyzing dependencies for vulnerabilities
13:28:02 Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta
13:28:02 org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta
13:28:02 	at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile(NvdCveUpdater.java:347)
13:28:02 	at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:385)
13:28:02 	at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:122)
13:28:02 	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:916)
13:28:02 	at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:718)
13:28:02 	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:653)
13:28:02 	at org.owasp.dependencycheck.Engine$analyzeDependencies$0.call(Unknown Source)
13:28:02 	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47)
13:28:02 	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116)
13:28:02 	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:120)
13:28:02 	at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.analyze(AbstractAnalyze.groovy:89)
13:28:02 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
13:28:02 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
13:28:02 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
13:28:02 	at java.lang.reflect.Method.invoke(Method.java:498)
13:28:02 	at org.gradle.internal.reflect.JavaMethod.invoke(JavaMethod.java:73)
13:28:02 	at org.gradle.api.internal.project.taskfactory.StandardTaskAction.doExecute(StandardTaskAction.java:46)
13:28:02 	at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:39)
13:28:02 	at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:26)
13:28:02 	at org.gradle.api.internal.AbstractTask$TaskActionWrapper.execute(AbstractTask.java:801)
13:28:02 	at org.gradle.api.internal.AbstractTask$TaskActionWrapper.execute(AbstractTask.java:768)
13:28:02 	at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter$1.run(ExecuteActionsTaskExecuter.java:131)
13:28:02 	at org.gradle.internal.operations.DefaultBuildOperationExecutor$RunnableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:300)
13:28:02 	at org.gradle.internal.operations.DefaultBuildOperationExecutor$RunnableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:292)
13:28:02 	at org.gradle.internal.operations.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:174)
13:28:02 	at org.gradle.internal.operations.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:90)
13:28:02 	at org.gradle.internal.operations.DelegatingBuildOperationExecutor.run(DelegatingBuildOperationExecutor.java:31)
13:28:02 	at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeAction(ExecuteActionsTaskExecuter.java:120)
13:28:02 	at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeActions(ExecuteActionsTaskExecuter.java:99)
13:28:02 	at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.execute(ExecuteActionsTaskExecuter.java:77)
13:28:02 	at org.gradle.api.internal.tasks.execution.OutputDirectoryCreatingTaskExecuter.execute(OutputDirectoryCreatingTaskExecuter.java:51)
13:28:02 	at org.gradle.api.internal.tasks.execution.SkipCachedTaskExecuter.execute(SkipCachedTaskExecuter.java:105)
13:28:02 	at org.gradle.api.internal.tasks.execution.SkipUpToDateTaskExecuter.execute(SkipUpToDateTaskExecuter.java:59)
13:28:02 	at org.gradle.api.internal.tasks.execution.ResolveTaskOutputCachingStateExecuter.execute(ResolveTaskOutputCachingStateExecuter.java:54)
13:28:02 	at org.gradle.api.internal.tasks.execution.ResolveBuildCacheKeyExecuter.execute(ResolveBuildCacheKeyExecuter.java:79)
13:28:02 	at org.gradle.api.internal.tasks.execution.ValidatingTaskExecuter.execute(ValidatingTaskExecuter.java:59)
13:28:02 	at org.gradle.api.internal.tasks.execution.SkipEmptySourceFilesTaskExecuter.execute(SkipEmptySourceFilesTaskExecuter.java:101)
13:28:02 	at org.gradle.api.internal.tasks.execution.FinalizeInputFilePropertiesTaskExecuter.execute(FinalizeInputFilePropertiesTaskExecuter.java:44)
13:28:02 	at org.gradle.api.internal.tasks.execution.CleanupStaleOutputsExecuter.execute(CleanupStaleOutputsExecuter.java:91)
13:28:02 	at org.gradle.api.internal.tasks.execution.ResolveTaskArtifactStateTaskExecuter.execute(ResolveTaskArtifactStateTaskExecuter.java:62)
13:28:02 	at org.gradle.api.internal.tasks.execution.SkipTaskWithNoActionsExecuter.execute(SkipTaskWithNoActionsExecuter.java:59)
13:28:02 	at org.gradle.api.internal.tasks.execution.SkipOnlyIfTaskExecuter.execute(SkipOnlyIfTaskExecuter.java:54)
13:28:02 	at org.gradle.api.internal.tasks.execution.ExecuteAtMostOnceTaskExecuter.execute(ExecuteAtMostOnceTaskExecuter.java:43)
13:28:02 	at org.gradle.api.internal.tasks.execution.CatchExceptionTaskExecuter.execute(CatchExceptionTaskExecuter.java:34)
13:28:02 	at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.run(EventFiringTaskExecuter.java:51)
13:28:02 	at org.gradle.internal.operations.DefaultBuildOperationExecutor$RunnableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:300)
13:28:02 	at org.gradle.internal.operations.DefaultBuildOperationExecutor$RunnableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:292)
13:28:02 	at org.gradle.internal.operations.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:174)
13:28:02 	at org.gradle.internal.operations.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:90)
13:28:02 	at org.gradle.internal.operations.DelegatingBuildOperationExecutor.run(DelegatingBuildOperationExecutor.java:31)
13:28:02 	at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter.execute(EventFiringTaskExecuter.java:46)
13:28:02 	at org.gradle.execution.taskgraph.LocalTaskInfoExecutor.execute(LocalTaskInfoExecutor.java:42)
13:28:02 	at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareWorkItemExecutor.execute(DefaultTaskExecutionGraph.java:277)
13:28:02 	at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareWorkItemExecutor.execute(DefaultTaskExecutionGraph.java:262)
13:28:02 	at org.gradle.execution.taskgraph.DefaultTaskPlanExecutor$ExecutorWorker$1.execute(DefaultTaskPlanExecutor.java:135)
13:28:02 	at org.gradle.execution.taskgraph.DefaultTaskPlanExecutor$ExecutorWorker$1.execute(DefaultTaskPlanExecutor.java:130)
13:28:02 	at org.gradle.execution.taskgraph.DefaultTaskPlanExecutor$ExecutorWorker.execute(DefaultTaskPlanExecutor.java:200)
13:28:02 	at org.gradle.execution.taskgraph.DefaultTaskPlanExecutor$ExecutorWorker.executeWithWork(DefaultTaskPlanExecutor.java:191)
13:28:02 	at org.gradle.execution.taskgraph.DefaultTaskPlanExecutor$ExecutorWorker.run(DefaultTaskPlanExecutor.java:130)
13:28:02 	at org.gradle.internal.concurrent.ExecutorPolicy$CatchAndRecordFailures.onExecute(ExecutorPolicy.java:63)
13:28:02 	at org.gradle.internal.concurrent.ManagedExecutorImpl$1.run(ManagedExecutorImpl.java:46)
13:28:02 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
13:28:02 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
13:28:02 	at org.gradle.internal.concurrent.ThreadFactoryImpl$ManagedThreadRunnable.run(ThreadFactoryImpl.java:55)
13:28:02 	at java.lang.Thread.run(Thread.java:748)
13:28:02 Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Download failed, unable to retrieve 'https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta'
13:28:02 	at org.owasp.dependencycheck.utils.Downloader.fetchContent(Downloader.java:115)
13:28:02 	at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile(NvdCveUpdater.java:340)
13:28:02 	... 64 more
13:28:02 Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error downloading file https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta; unable to connect.
13:28:02 	at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:238)
13:28:02 	at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch(HttpResourceConnection.java:138)
13:28:02 	at org.owasp.dependencycheck.utils.Downloader.fetchContent(Downloader.java:110)
13:28:02 	... 65 more
13:28:02 Caused by: java.net.ConnectException: Connection refused (Connection refused)
13:28:02 	at java.net.PlainSocketImpl.socketConnect(Native Method)
13:28:02 	at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
13:28:02 	at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
13:28:02 	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
13:28:02 	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
13:28:02 	at java.net.Socket.connect(Socket.java:589)
13:28:02 	at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
13:28:02 	at sun.net.www.http.HttpClient.openServer(HttpClient.java:463)
13:28:02 	at sun.net.www.http.HttpClient.openServer(HttpClient.java:558)
13:28:02 	at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
13:28:02 	at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
13:28:02 	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
13:28:02 	at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1162)
13:28:02 	at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1056)
13:28:02 	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
13:28:02 	at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
13:28:02 	at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:178)
13:28:02 	... 67 more
13:28:02 Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
13:28:02 Unable to continue dependency-check analysis.
13:28:02 
13:28:02 > Task :dependencyCheckAnalyze FAILED

dh1337 avatar Sep 24 '19 11:09 dh1337

Fail on error is intended to control the failure mode for non-fatal errors. If the NVD is not available for download ODC really can't perform any analysis if we don't have at least an old database around. No database and no NVD available to download - we can't perform ANY analysis really.

jeremylong avatar Sep 25 '19 02:09 jeremylong

Is there a way to configure it to skip the check if the NVD is not available? We have the check in 35+ applications and really like the plugin, yet we can't allow the plugin to stop our production deployment just because the NVD is offline/unavailable today. The database should be cached nevertheless in this case, because we persist the Gradle cache. So I'm wondering why it doesn't pick it up here and continue?

dh1337 avatar Sep 25 '19 05:09 dh1337

In this case - my guess is that the cache may not be working correctly as the error thrown only occurs when no data exists in the database (see Engine.java#L656-L660). For most organizations I highly recommend running the nist-data-mirror.

jeremylong avatar Sep 25 '19 11:09 jeremylong

We faced this issue as well. I was also under the impression that failOnError should control all kinds of errors from the plugin. If failOnError is not the right configuration property, then how do you feel about introducing another property? I'm happy to submit a PR if it helps.

hosamaly avatar Sep 25 '19 13:09 hosamaly

> For most organizations I highly recommend running the nist-data-mirror.

We want to stay build-tool-agnostic and would prefer not to preload another Docker container in advance. I was also thinking about the solution @hosamaly proposed, if that's an option. Otherwise we would need to decouple our dependencyCheck task from our main build pipeline and run it non-blocking in parallel afterwards. I'm happy to help with introducing another property.

dh1337 avatar Sep 25 '19 13:09 dh1337

@jeremylong I'm getting the network/certificate error with the autoUpdate = true and scan results for autoUpdate = false - so there seems to be an old database around (both with failOnError = false).

skjolber avatar Sep 30 '19 10:09 skjolber

@skjolber see https://github.com/jeremylong/DependencyCheck/issues/2222. Looks like a TLS error due to a change in certs at the NVD...

jeremylong avatar Sep 30 '19 11:09 jeremylong

https://www.ssllabs.com/ssltest/analyze.html?d=nvd.nist.gov seems to report: This server's certificate chain is incomplete. Grade capped to B.

geirsandearm avatar Sep 30 '19 11:09 geirsandearm

@skjolber try

export GRADLE_OPTS="-Dcom.sun.security.enableAIAcaIssuers=true"

jeremylong avatar Sep 30 '19 11:09 jeremylong

@jeremylong any news how we can improve status quo? Is the aforementioned extra flag from @hosamaly a possibility?

dh1337 avatar Oct 15 '19 09:10 dh1337

Now https://www.ssllabs.com/ssltest/analyze.html?d=nvd.nist.gov seems to report: A+, so they (nvd.nist.gov) have fixed their certificate (chain complete). At least I got dependency-check working while the certificate chain issue was present by using '-Dcom.sun.security.enableAIAcaIssuers=true'.

geirsandearm avatar Oct 15 '19 09:10 geirsandearm

> Fail on error is intended to control the failure mode for non-fatal errors.

Why? For virtually every other Gradle plugin I've ever used, failOnError = false means "don't fail the build if this plugin fails to execute, for any reason at all".

> If the NVD is not available for download ODC really can't perform any analysis if we don't have at least an old database around. No database and no NVD available to download - we can't perform ANY analysis really.

Right, but I still don't want that condition to cause my build to fail. If the Dependency Check scan doesn't run, it's too bad, but I'd still like the rest of my build to complete so that I have something I can work with.

jthurne avatar Oct 21 '19 17:10 jthurne
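The behaviour dh1337 and jthurne ask for above (an NVD outage should not fail the build, and a cached database should still be used) can be approximated in the build script today without a new plugin property. The following `build.gradle` fragment is an added example, not code from the plugin or from anyone in this thread. It assumes the plugin id `org.owasp.dependencycheck` at the 5.2.2 version mentioned above, uses the meta-file URL from the stack trace purely as a reachability probe, and makes two labelled assumptions: the helper `nvdReachable` is hypothetical, the `.odc-data` directory is a constructed path, and the `*.mv.db` pattern assumes the plugin's H2 database file name.

```groovy
// Added example (not the dependency-check-gradle plugin's own code):
// keep dependencyCheckAnalyze from failing the build when the NVD is unreachable,
// while still analysing against a previously cached database when one exists.
plugins {
    id 'org.owasp.dependencycheck' version '5.2.2'   // version from the thread above
}

// URL taken from the stack trace in the issue; used only for a HEAD probe.
def nvdMetaUrl = 'https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta'

// Constructed path: pin the data directory so the cached DB survives between builds.
def odcDataDir = file("${rootDir}/.odc-data")

// Hypothetical helper: true when the NVD answers an HTTPS HEAD within the timeout.
// A refused connection or a TLS handshake failure (both seen in this thread)
// surface here as IOException subclasses and are reported, not thrown.
boolean nvdReachable(String url, int timeoutMs = 5000) {
    try {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection()
        conn.requestMethod = 'HEAD'
        conn.connectTimeout = timeoutMs
        conn.readTimeout = timeoutMs
        int code = conn.responseCode
        conn.disconnect()
        return code in 200..399
    } catch (IOException e) {
        project.logger.warn("NVD probe failed (${e.class.simpleName}): ${e.message}")
        return false
    }
}

boolean nvdUp = nvdReachable(nvdMetaUrl)

dependencyCheck {
    failOnError = false          // still wanted for the non-fatal analyzer errors it covers
    autoUpdate  = nvdUp          // do not even try to download when the feed is down
    data {
        directory = odcDataDir.absolutePath
    }
}

tasks.named('dependencyCheckAnalyze') {
    // Skip (reported as SKIPPED, not FAILED) only in the one case the plugin cannot
    // handle: no NVD to download from and no cached database to fall back on.
    // Assumption: the cached H2 database is stored as a *.mv.db file in the data dir.
    onlyIf {
        boolean dbPresent = !fileTree(dir: odcDataDir, include: '*.mv.db').isEmpty()
        if (!nvdUp && !dbPresent) {
            logger.warn('dependencyCheckAnalyze skipped: NVD unreachable and no cached database')
        }
        nvdUp || dbPresent
    }
}
```

The probe runs at configuration time, so a single slow or refused connection costs at most the timeout once per build. When the NVD is reachable the task behaves exactly as before; when it is not, the cached database is used with the staleness warning the plugin already prints, and the build only skips the scan when there is nothing to scan against. Treat a SKIPPED result as a signal to look at the build logs, since a skipped scan means no vulnerability data was checked for that build.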