DependencyCheck
No Username and Password settings for the custom retireJsUrl triggers a 401 Error
Describe the bug
No username / password settings for the custom retireJsUrl triggers a 401 Error.
Version of dependency-check used
The problem occurs using version 7.0.4.1 of the gradle plugin
Log file
Error retrieving https://repository.XXX.com/repository/retirejs/jsrepository.json; received response code 401; Unauthorized
Failed to initialize the RetireJS repo
org.owasp.dependencycheck.data.update.exception.UpdateException: Failed to initialize the RetireJS repo
    at org.owasp.dependencycheck.data.update.RetireJSDataSource.initializeRetireJsRepo(RetireJSDataSource.java:140)
    at org.owasp.dependencycheck.data.update.RetireJSDataSource.update(RetireJSDataSource.java:89)
To Reproduce
Steps to reproduce the behavior:
Set the retireJsUrl to an internal URL protected by username/pw. Since in RetireJSDataSource.java -> initializeRetireJsRepo method -> downloader.fetchFile(repoUrl, repoFile) is called without a SETTINGS username or password, the connection fails.
Expected behavior
A SETTINGS username & password, like for the CVE, is provided for the RetireJS.
I also face issues with RetireJS download due to TLS issues:
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project devon4j: Fatal exception(s) analyzing devon4j: One or more exceptions occurred during analysis:
[ERROR] UpdateException: Failed to initialize the RetireJS repo
[ERROR] caused by DownloadFailedException: Download failed, unable to copy 'https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json' to 'D:\projects\devonfw\conf\.m2\repository\org\owasp\dependency-check-utils\7.1.0\..\..\dependency-check-data\7.0\jsrepository.json'; Error downloading file https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json; unable to connect.
[ERROR] caused by DownloadFailedException: Error downloading file https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json; unable to connect.
[ERROR] caused by SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[ERROR] caused by ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[ERROR] caused by SunCertPathBuilderException: unable to find valid certification path to requested target
[ERROR] NoDataException: No documents exist
@hohwille Your issue appears to me to be a man-in-the-middle re-encrypting proxy in your infrastructure for which the issuing CA has not been added to the truststore of your JVM. Add the trust for your MITM proxy to Java's truststore and it should be gone.
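One way to apply the truststore advice above, as an added example that is not part of the original thread or the project's code: it adds the proxy CA to a copy of the JDK truststore, after checking its fingerprint, so only builds that opt in trust it. It assumes a JDK (`java`, `keytool`) on PATH and the default `changeit` cacerts password; the function names, file names and alias are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Assumptions: a JDK (java, keytool) is on
# PATH, the cacerts password is the default "changeit", and the file names and
# alias used here are placeholders.

# Normalised SHA-256 fingerprint (upper-case hex, no colons) of a certificate file.
cert_fingerprint() {
  keytool -printcert -file "$1" |
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | tr -d ': \r' | tr 'a-f' 'A-F'
}

# JVM flags that make one Maven or Gradle run use the given truststore.
truststore_opts() {
  printf '%s\n' "-Djavax.net.ssl.trustStore=$1 -Djavax.net.ssl.trustStorePassword=changeit"
}

# usage: build_truststore <proxy-ca.pem> <expected-sha256> <out-file> [alias]
# Copies the JDK's cacerts and adds the proxy CA to the copy, so the CA is
# trusted only by builds that opt in and the global truststore stays untouched.
build_truststore() {
  local ca=$1 expected out=$3 entry=${4:-corp-tls-proxy} actual java_home
  expected=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
  actual=$(cert_fingerprint "$ca")
  # Whoever holds this CA's key can vouch for any HTTPS host to the JVM, so
  # import only a certificate whose fingerprint matches the value obtained
  # out of band from the team that runs the proxy.
  if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
    echo "fingerprint mismatch for $ca: got ${actual:-none}" >&2
    return 1
  fi
  java_home=$(java -XshowSettings:properties -version 2>&1 |
    sed -n 's/^[[:space:]]*java\.home = //p')
  cp "$java_home/lib/security/cacerts" "$out" || return 1
  chmod u+w "$out" || return 1
  keytool -importcert -noprompt -alias "$entry" -file "$ca" \
    -keystore "$out" -storepass changeit >/dev/null 2>&1 || return 1
  # Show the new entry; it should be listed as trustedCertEntry.
  keytool -list -alias "$entry" -keystore "$out" -storepass changeit
}

# Example run (placeholder values):
#   build_truststore proxy-ca.pem "<SHA-256 from the proxy team>" dc-truststore
#   MAVEN_OPTS="$(truststore_opts "$PWD/dc-truststore")" \
#     mvn org.owasp:dependency-check-maven:7.1.0:check
```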