dependency-check-gradle

jsrepository.json empty, fails build

Open · clarinetcat opened this issue 1 year ago · 1 comment

Hi,

I am currently having issues with a specific build. The exception trace shows that some files can't be downloaded:

Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta
org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.doMetaDownload(NvdCveUpdater.java:411)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile(NvdCveUpdater.java:356)
    ...
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Download failed, unable to retrieve 'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta'; Error downloading file https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta; unable to connect.
    at org.owasp.dependencycheck.utils.Downloader.fetchContent(Downloader.java:187)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.doMetaDownload(NvdCveUpdater.java:382)
    ... 139 more
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error downloading file https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta; unable to connect.
    at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:267)
    at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch(HttpResourceConnection.java:163)
    at org.owasp.dependencycheck.utils.Downloader.fetchContent(Downloader.java:182)
    ... 140 more
Caused by: java.net.ConnectException: Connection refused (Connection refused)
    at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.base/java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:412)
    at java.base/java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:255)
    at java.base/java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:237)
    at java.base/java.net.Socket.connect(Socket.java:609)
    at java.base/sun.net.NetworkClient.doConnect(NetworkClient.java:177)
    at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:508)
    at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:603)
    at java.base/sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:266)
    at java.base/sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:373)
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:207)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1187)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1081)
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:193)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:168)
    at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:206)
    ... 142 more

We are caching the database between builds, so I'm pretty sure we're not hitting some kind of rate limit, and I've also taken care that there are not 2 builds interfering with each other. When I check the nvd-cache directory I can see that jsrepository.json is empty:

    -rw-r--r-- 1 *** *** 0 Aug 5 08:17 jsrepository.json

I've tried removing the whole directory so it would be re-downloaded. Same result.

Without any proof, to me it looks like the proxy settings are not honored, because:

  • when I run the build locally, everything is fine
  • on the CI/CD host I can curl that file, specifying a proxy, but when I try without the proxy it will fail with 'Connection refused' as in the exception

But I have already specified the proxy settings, both in gradle.properties and by passing them to gradle via -Dhttp.proxyHost and -Dhttps.proxyHost respectively.

I am using:

  • Gradle 6.8
  • "org.owasp.dependencycheck" plugin version "7.1.1"
  • in docker on a CentOS 7 image

Any ideas how to make this work? Let me know if you need further information.

Cheers, cc

clarinetcat · Aug 05 '22 09:08
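An offline check for the two symptoms in the report above, added here as an example (it is not code from the reporter or from dependency-check-gradle). It relies on one documented Gradle rule: only keys prefixed `systemProp.` in gradle.properties are forwarded to the build JVM as `-D` system properties, so a bare `https.proxyHost=...` line is a project property the JVM never sees. The sample gradle.properties and nvd-cache directory are constructed in the script; the property names are the standard JVM networking properties.

```python
"""Offline diagnostics for a dependency-check build behind a proxy:
(1) do the proxy settings in gradle.properties actually reach the JVM,
(2) does the NVD cache contain zero-byte or unparseable JSON files
    (the empty jsrepository.json reported above).
Added example, not project code. Sample inputs are constructed below."""
import json
import re
import tempfile
from pathlib import Path

# Standard JVM networking properties; Gradle forwards them only as systemProp.<key>.
PROXY_KEYS = ("http.proxyHost", "http.proxyPort", "https.proxyHost",
              "https.proxyPort", "http.nonProxyHosts")

_PROP_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Minimal java.util.Properties parser: key=value / key:value / key value,
    '#' and '!' comment lines, blank lines ignored (no line continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _PROP_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_proxy_properties(props):
    """Return (effective JVM proxy properties, list of human-readable findings)."""
    effective = {}
    findings = []
    for key in PROXY_KEYS:
        if key in props:  # bare key: Gradle project property, never a -D flag
            findings.append(f"'{key}' is a project property; rename to 'systemProp.{key}'")
        if "systemProp." + key in props:
            effective[key] = props["systemProp." + key]
    for scheme in ("http", "https"):
        host = effective.get(f"{scheme}.proxyHost")
        port = effective.get(f"{scheme}.proxyPort")
        if host and not port:
            findings.append(f"{scheme}.proxyHost set without {scheme}.proxyPort")
        if port and not port.isdigit():
            findings.append(f"{scheme}.proxyPort '{port}' is not numeric")
    if "https.proxyHost" not in effective:
        findings.append("no https proxy configured for the JVM; NVD feeds are fetched over https")
    return effective, findings


def jvm_flags(effective):
    """Equivalent -D flags, e.g. for GRADLE_OPTS, to cross-check against the build log."""
    return " ".join(f"-D{k}={v}" for k, v in sorted(effective.items()))


def check_nvd_cache(cache_dir):
    """List .json files in the cache that are empty or not valid JSON."""
    problems = []
    for path in sorted(Path(cache_dir).glob("*.json")):
        if path.stat().st_size == 0:
            problems.append((path.name, "empty"))
            continue
        try:
            json.loads(path.read_text())
        except ValueError:
            problems.append((path.name, "not valid JSON"))
    return problems


def demo():
    """Run both checks on constructed inputs; returns (effective, findings, cache_problems)."""
    sample_props = """\
# constructed sample gradle.properties (hypothetical proxy host)
org.gradle.jvmargs=-Xmx2g
https.proxyHost=proxy.internal.example
systemProp.http.proxyHost=proxy.internal.example
systemProp.http.proxyPort=3128
systemProp.https.proxyHost=proxy.internal.example
systemProp.http.nonProxyHosts=localhost|*.internal.example
"""
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / "nvd-cache"
        cache.mkdir()
        (cache / "jsrepository.json").write_bytes(b"")  # the reported symptom
        (cache / "nvdcve-1.1-modified.json").write_text('{"CVE_Items": []}')
        cache_problems = check_nvd_cache(cache)
    effective, findings = check_proxy_properties(parse_properties(sample_props))
    return effective, findings, cache_problems


if __name__ == "__main__":
    eff, found, bad = demo()
    print("JVM flags:", jvm_flags(eff))
    for f in found:
        print("finding:", f)
    for name, why in bad:
        print("cache:", name, why)
```

On the constructed input the script reports that the bare `https.proxyHost` line is not a JVM property, that `https.proxyPort` is missing, and that `jsrepository.json` is empty. Note that the plugin also has its own `proxy { server = ...; port = ... }` block inside the `dependencyCheck` extension, which is separate from the JVM `-D` properties; when a proxy is configured only one of the two ways, check which one the plugin version in use actually reads.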

See https://jeremylong.github.io/DependencyCheck/data/index.html

jeremylong · Sep 14 '22 10:09

Should be resolved with https://github.com/dependency-check/dependency-check-gradle/pull/286 - which will be released soon.

jeremylong · Nov 04 '22 09:11