DependencyCheck
Multiple "AnalysisException: OSS Index rate limit exceeded" errors on plugin execution
Starting today (25.05.2022), multiple errors started to appear on each execution. No plugin version changed (it was and remains version 7.1.0).
Error examples (an error is raised for each of the dependencies):
[WARNING] An error occurred while analyzing '/tmp/dctemp2224d3d1-bfef-48de-b1f5-0e97d0983265/check9478530389331146964tmp/208/META-INF/resources/webjars/shepherd.js/8.2.3/.jsdoc.js' (Sonatype OSS Index Analyzer).
[ERROR] AnalysisException: OSS Index rate limit exceeded
[ERROR] caused by TransportException: Unexpected response; status: 429
There are also NPEs that are probably the root cause:
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project ins-app: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis:
[ERROR] AnalysisException: Failed to request component-reports
[ERROR] caused by NullPointerException: Cannot invoke "org.sonatype.goodies.packageurl.PackageUrl.toString()" because "coordinates" is null
[ERROR] AnalysisException: Failed to request component-reports
[ERROR] caused by NullPointerException: Cannot invoke "org.sonatype.goodies.packageurl.PackageUrl.toString()" because "coordinates" is null
[ERROR] AnalysisException: Failed to request component-reports
[ERROR] caused by NullPointerException: Cannot invoke "org.sonatype.goodies.packageurl.PackageUrl.toString()" because "coordinates" is null
[ERROR] AnalysisException: Failed to request component-reports
[ERROR] caused by NullPointerException: Cannot invoke "org.sonatype.goodies.packageurl.PackageUrl.toString()" because "coordinates" is null
[ERROR] AnalysisException: Failed to request component-reports
etc.
We also have these issues in our pipelines, and they can also be reproduced locally.
There was a change recently, maybe related to that? https://ossindex.sonatype.org/updates-notice
Also tried the same POST calls (with the same data) on their API manually (https://ossindex.sonatype.org/rest): works fine.
Also the curl to the API from a local machine works fine.
cheers flash ⚡
Happening for me as well. Also, all the plugin versions have started giving false positives for multiple jar files:
spring-boot-2.6.8.jar (pkg:maven/org.springframework.boot/[email protected], cpe:2.3:a:vmware:spring_boot:2.6.8:*:*:*:*:*:*:*, cpe:2.3:a:vmware:spring_framework:2.6.8:*:*:*:*:*:*:*) : CVE-2013-4152, CVE-2013-7315, CVE-2014-0054, CVE-2016-1000027, CVE-2022-22965, CVE-2022-22968
spring-core-5.3.20.jar (pkg:maven/org.springframework/[email protected], cpe:2.3:a:pivotal_software:spring_framework:5.3.20:*:*:*:*:*:*:*, cpe:2.3:a:springsource:spring_framework:5.3.20:*:*:*:*:*:*:*, cpe:2.3:a:vmware:spring_framework:5.3.20:*:*:*:*:*:*:*, cpe:2.3:a:vmware:springsource_spring_framework:5.3.20:*:*:*:*:*:*:*) : CVE-2016-1000027
This has now blocked all our maven builds. Can we please have a solution to this?
@ankurga The NVD database was updated, see e.g. https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-1132080062 - you have to suppress it by yourself.
@danielbraeutigam thanks, but we have many projects dependent on that. So, we need to update for all of them?
No, you just have to add it to your suppression file as described in https://jeremylong.github.io/DependencyCheck/general/suppression.html
We are experiencing almost the same issue, only the check fails on a HTTP 500 or NullPointerException from OSS Index.
HTTP 500:
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.5.3:aggregate (default-cli) on project xxx: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis:
[ERROR] AnalysisException: Failed to request component-reports
[ERROR] caused by TransportException: Unexpected response; status: 500
NullPointerException:
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.5.3:aggregate (default-cli) on project xxx: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis:
[ERROR] AnalysisException: Failed to request component-reports
[ERROR] caused by NullPointerException: null
I think this is also related to the recent improvements Sonatype applied to OSS Index: https://ossindex.sonatype.org/updates-notice.
May 23: OSS Index will start using the new data pipeline and you will see the improvements listed above.
We are also experiencing this same issue. I did some investigating and this seems to be caused by handling of the response failing. That in turn results in the same request being sent on every dependency until rate limit is reached.
[DEBUG] Error requesting component reports
java.lang.NullPointerException
at org.sonatype.ossindex.service.client.cache.DirectoryCache.entryKey (DirectoryCache.java:149)
at org.sonatype.ossindex.service.client.cache.DirectoryCache.entryFile (DirectoryCache.java:157)
at org.sonatype.ossindex.service.client.cache.DirectoryCache.putAll (DirectoryCache.java:134)
at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.requestComponentReports (OssindexClientImpl.java:171)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.requestReports (OssIndexAnalyzer.java:219)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:134)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run (FutureTask.java:264)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
at java.lang.Thread.run (Thread.java:829)
[WARNING] An error occurred while analyzing '/home/user/.m2/repository/com/amazonaws/aws-java-sdk-mediaconnect/1.11.863/aws-java-sdk-mediaconnect-1.11.863.jar' (Sonatype OSS Index Analyzer).
[DEBUG]
org.owasp.dependencycheck.analyzer.exception.AnalysisException: Failed to request component-reports
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:157)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run (FutureTask.java:264)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
at java.lang.Thread.run (Thread.java:829)
Caused by: java.lang.NullPointerException
at org.sonatype.ossindex.service.client.cache.DirectoryCache.entryKey (DirectoryCache.java:149)
at org.sonatype.ossindex.service.client.cache.DirectoryCache.entryFile (DirectoryCache.java:157)
at org.sonatype.ossindex.service.client.cache.DirectoryCache.putAll (DirectoryCache.java:134)
at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.requestComponentReports (OssindexClientImpl.java:171)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.requestReports (OssIndexAnalyzer.java:219)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:134)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run (FutureTask.java:264)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
at java.lang.Thread.run (Thread.java:829)
There is a large amount of these failed requests until eventually only rate-limit is logged.
@ankurga The NVD database was updated, see e.g. spring-projects/spring-framework#24434 (comment) - you have to suppress it by yourself.
I'm not sure if suppression is related to this. These are not "false positives", they are errors:
cheers flash ⚡
@danielbraeutigam @ankurga : The problem you are discussing is not related to the issue reported, so let's take it separately. As of now all projects using the owasp-dependency-check plugin with version 6.X.X and 7.1.0 don't build. Something has recently changed at SONATYPE. I can reproduce the same locally as well as on our CI platforms.
[ERROR] AnalysisException: Failed to request component-reports
[ERROR] caused by NullPointerException: null
[ERROR] AnalysisException: OSS Index rate limit exceeded
[ERROR] caused by TransportException: Unexpected response; status: 429
On debug we see:
[DEBUG] Connecting to: https://ossindex.sonatype.org/api/v3/component-report
[DEBUG] Error requesting component reports
java.lang.NullPointerException
at org.sonatype.ossindex.service.client.cache.DirectoryCache.entryKey (DirectoryCache.java:149)
at org.sonatype.ossindex.service.client.cache.DirectoryCache.entryFile (DirectoryCache.java:157)
at org.sonatype.ossindex.service.client.cache.DirectoryCache.putAll (DirectoryCache.java:134)
The URL https://ossindex.sonatype.org/api/v3/component-report is throwing 429 (Rate limiting)
It looks like sonatype have started rate limiting more aggressively for anonymous accounts. One solution is to register for an account with sonatype and supply a username and password / api key e.g. for gradle users
dependencyCheck {
analyzers.ossIndex.username = "<username>"
analyzers.ossIndex.password = "<password>"
}
@achintSatsangi https://ossindex.sonatype.org/updates-notice They published an update notice regarding breaking changes
It looks like sonatype have started rate limiting more aggressively for anonymous accounts. One solution is to register for an account with sonatype and supply a username and password / api key e.g. for gradle users
dependencyCheck { analyzers.ossIndex.username = "<username>" analyzers.ossIndex.password = "<password>" }
I'm not sure if this is the real issue. The first calls do not start with 429, but with NullPointerException, as already mentioned
- https://github.com/jeremylong/DependencyCheck/issues/4538#issuecomment-1136975666
- https://github.com/jeremylong/DependencyCheck/issues/4538#issuecomment-1136997648
cheers flash ⚡
Agreed, it didn't look like that to me either, since I was getting exactly the same errors as you. However I can confirm that for me supplying credentials to the oss index then meant that I stopped getting the null pointer exception and rate limited exceeded errors and the check then succeeded.
This problem looks to me like the Sonatype provided client isn't handling the responses correctly.
An issue should probably be raised there as-well.
When using dependency-check directly:
[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (0 seconds)
[INFO] Finished Central Analyzer (1 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (0 seconds)
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARN] An error occurred while analyzing '[redacted]' (Sonatype OSS Index Analyzer).
[INFO] Finished Sonatype OSS Index Analyzer (1 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (6 seconds)
[INFO] Writing report to: [redacted]
[ERROR] Failed to request component-reports
I am experiencing the same issue since this morning with the plugin. Note that from the same machine I could make a request to the OSS REST API without getting the 429 error, using a REST client and this:
`POST https://ossindex.sonatype.org/api/v3/component-report`
`Content-Type: application/json`
`{ "coordinates": [ "pkg:maven/commons-beanutils/[email protected]" ] }`
So I am thinking this is due to the recent update of the API.
As I can see, mvn dependency-check:update-only works for me in the local environment; after that I don't have this issue.
According to the doc https://ossindex.sonatype.org/doc/rest "Use POST when requesting vulnerability reports for multiple components. There is a limit of 128 components per HTTP request." Maybe the 128 limit is new and the plugin doesn't chunk the call.
Is it possible to disable it? Or use a local nexus server instead? It really slows down the scan process.
According to the doc https://ossindex.sonatype.org/doc/rest "Use POST when requesting vulnerability reports for multiple components. There is a limit of 128 components per HTTP request." Maybe the 128 limit is new and the plugin doesn't chunk the call.
Nope. That is not the issue here.
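To make the manual reproduction above (and the 128-coordinate limit quoted from the REST docs) concrete, here is an added example client, not code from DependencyCheck or from Sonatype's ossindex-service client: it chunks the purl list to at most 128 coordinates per POST, sends HTTP Basic credentials when they are supplied, skips null/empty coordinates (the value that was null in the NPE stack traces above), and backs off on HTTP 429 using Retry-After. The environment variable names OSSINDEX_USER and OSSINDEX_TOKEN, and the assumption that the account's API token is accepted in the password slot of Basic auth, are this example's own.

```python
"""Added example: a minimal OSS Index component-report client.

Not part of DependencyCheck or Sonatype's client library. Assumptions are
labelled inline; the transport is injectable so the batching and 429
handling can be exercised offline.
"""
import base64
import json
import os
import sys
import time
import urllib.error
import urllib.request

OSSINDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
# Documented limit, see https://ossindex.sonatype.org/doc/rest
MAX_COORDS_PER_REQUEST = 128


def chunk_coordinates(coords, size=MAX_COORDS_PER_REQUEST):
    """Split a purl list into request batches of at most `size` entries.

    None/empty entries are dropped first: a null coordinate is exactly what
    blew up in the "coordinates is null" NPE, so never send one.
    """
    clean = [c for c in coords if c]
    return [clean[i:i + size] for i in range(0, len(clean), size)]


def auth_header(user=None, token=None):
    """Build an HTTP Basic header from explicit args or env vars.

    Assumption (this example's, from the OSS Index API-token docs): the
    account's API token is used in the password position of Basic auth.
    Env var names OSSINDEX_USER / OSSINDEX_TOKEN are hypothetical.
    """
    user = user or os.environ.get("OSSINDEX_USER")
    token = token or os.environ.get("OSSINDEX_TOKEN")
    if not user or not token:
        return {}  # anonymous: lower rate limit
    raw = f"{user}:{token}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def http_post(url, body, headers):
    """Real transport. Returns (status, parsed JSON or None, lower-cased headers)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST")
    for k, v in {"Content-Type": "application/json",
                 "Accept": "application/json", **headers}.items():
        req.add_header(k, v)
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, json.loads(resp.read()), \
                {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as e:
        return e.code, None, {k.lower(): v for k, v in e.headers.items()}


def request_component_reports(coords, post=http_post, max_retries=3,
                              sleep=time.sleep, user=None, token=None):
    """Return {purl: report} for every coordinate.

    Each batch is retried on 429 (honouring Retry-After, else exponential
    backoff); any other non-200 status is raised instead of being retried
    per dependency, which is the behaviour that exhausted the rate limit.
    """
    headers = auth_header(user, token)
    reports = {}
    for batch in chunk_coordinates(coords):
        body = {"coordinates": batch}
        for attempt in range(max_retries + 1):
            status, data, resp_headers = post(OSSINDEX_URL, body, headers)
            if status == 200:
                for report in data:
                    reports[report["coordinates"]] = report
                break
            if status == 429 and attempt < max_retries:
                delay = int(resp_headers.get("retry-after", 2 ** attempt))
                sleep(delay)
                continue
            raise RuntimeError(
                f"OSS Index returned HTTP {status} for a batch of {len(batch)} coordinates")
    return reports


if __name__ == "__main__":
    # Usage: python ossindex_client.py pkg:maven/commons-beanutils/[email protected] ...
    for purl, report in request_component_reports(sys.argv[1:]).items():
        print(purl, len(report.get("vulnerabilities", [])), "vulnerabilities")
```

The live path needs network access and, for the higher rate limit, credentials; everything else (batching, null filtering, retry logic) can be exercised by passing a fake `post` function, which is how the accompanying assertions run it.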
An additional thing: when I run the same check locally (not on GitLab), I am getting the following NPEs:
UPDATE: these NPEs are also present in the GitLab pipeline.
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project ins-schema: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis:
[ERROR] AnalysisException: Failed to request component-reports
[ERROR] caused by NullPointerException: Cannot invoke "org.sonatype.goodies.packageurl.PackageUrl.toString()" because "coordinates" is null
[ERROR] AnalysisException: Failed to request component-reports
[ERROR] caused by NullPointerException: Cannot invoke "org.sonatype.goodies.packageurl.PackageUrl.toString()" because "coordinates" is null
[ERROR] AnalysisException: Failed to request component-reports
[ERROR] caused by NullPointerException: Cannot invoke "org.sonatype.goodies.packageurl.PackageUrl.toString()" because "coordinates" is null
[ERROR] AnalysisException: Failed to request component-reports
[ERROR] caused by NullPointerException: Cannot invoke "org.sonatype.goodies.packageurl.PackageUrl.toString()" because "coordinates" is null
[ERROR] AnalysisException: Failed to request component-reports
[ERROR] caused by NullPointerException: Cannot invoke "org.sonatype.goodies.packageurl.PackageUrl.toString()" because "coordinates" is null
[ERROR] AnalysisException: Failed to request component-reports
[ERROR] caused by NullPointerException: Cannot invoke "org.sonatype.goodies.packageurl.PackageUrl.toString()" because "coordinates" is null
[ERROR] AnalysisException: Failed to request component-reports
[ERROR] caused by NullPointerException: Cannot invoke "org.sonatype.goodies.packageurl.PackageUrl.toString()" because "coordinates" is null
[ERROR] -> [Help 1]
Is it possible to disable it? Or use a local nexus server instead? It really slows down the scan process.
You can disable the OSS Index Analyzer entirely. Check the docs for how.
Is it possible to disable it? Or use a local nexus server instead? It really slows down the scan process.
Yes you can disable the analyzer using
<ossindexAnalyzerEnabled>false</ossindexAnalyzerEnabled>
I wouldn't recommend disabling the oss indexer though, we are currently getting four failures with the indexer enabled, but none with it disabled. I would instead recommend registering with oss index and setting a username and password / api key.
I wouldn't recommend disabling the oss indexer though, we are currently getting four failures with the indexer enabled, but none with it disabled. I would instead recommend registering with oss index and setting a username and password / api key.
How to accomplish this with maven? (which properties to set / provide)
cheers flash ⚡
I wouldn't recommend disabling the oss indexer though, we are currently getting four failures with the indexer enabled, but none with it disabled. I would instead recommend registering with oss index and setting a username and password / api key.
Looks like currently you cannot register on ossindex.sonatype getting a 500 error
I wouldn't recommend disabling the oss indexer though, we are currently getting four failures with the indexer enabled, but none with it disabled. I would instead recommend registering with oss index and setting a username and password / api key.
Looks like currently you cannot register on ossindex.sonatype getting a 500 error
registering works; you should receive an email with a confirmation link ....
I wouldn't recommend disabling the oss indexer though, we are currently getting four failures with the indexer enabled, but none with it disabled. I would instead recommend registering with oss index and setting a username and password / api key.
How to accomplish this with maven? (which properties to set / provide)
cheers flash ⚡
got it working. Provide ossIndexServerId
with a value to the id in the settings.xml
file
e.g.
-DossIndexServerId=owasp-oss-index
and in your settings.xml
<settings>
<servers>
<server>
<id>owasp-oss-index</id>
<username>foo</username>
<password>bla</password>
</server>
</servers>
</settings>
More info: https://jeremylong.github.io/DependencyCheck/dependency-check-maven/aggregate-mojo.html#ossIndexServerId
@petergphillips can confirm, that with a registered user account it works Thanks for the hints!
And yes, it seems like the rate limit to 128 modules per request is new
cheers flash ⚡
Can you please clarify how do you get the user/password?
I've registered at https://ossindex.sonatype.org/, there are of course my email and password and also an API token. What values do I have to set for the plugin, where, and how to do it in Maven?
Where to put settings.xml
and how to set the path to it in the plugin configuration?
Also can you please provide the complete xml-valid settings.xml
?
I used username and password, not the API token. Configuration is the usual maven plugin configuration: https://maven.apache.org/guides/mini/guide-configuring-plugins.html
You need to set ossIndexServerId
, e.g. <ossIndexServerId>owasp-oss-index</ossIndexServerId>
The settings.xml i showed is already a valid complete one. The file is located in $HOME/.m2/settings.xml by default.
cheers flash ⚡
see https://github.com/jeremylong/DependencyCheck/issues/4535#issuecomment-1137136998
We too have this issue since today. Registring with ossindex.sonatype.org and using that username/password with command line options --ossIndexUsername and --ossIndexPassword solved the issue.
But how come, when I disable ossIndexAnalyzer, it starts working without any issue?
If anyone comes here because their pipeline in azure devops is failing, just follow these two steps:
- register a free account at https://ossindex.sonatype.org/
- add your new account info to your pipeline yaml file in the inputs part, f.e.:
additionalArguments: |
  --ossIndexUsername YOUREMAIL --ossIndexPassword YOURPASS
Fix mentioned in https://github.com/jeremylong/DependencyCheck/issues/4535#issuecomment-1137283693 worked for me now without changing any configuration.
Same for me. Problem solved. Thanks.
Any possibility to not use user and password in clear? Any token?
OSSI supports generating an API Token https://ossindex.sonatype.org/doc/api-token
People are looking for an immediate solution: set ossindexAnalyzerEnabled to false in your scans.
Then, work on registering a username and password to authenticate with OSS.
@ctnelson1997 these issues should be resolved now
Just so I understand correctly: The rate limiting issues are fixed on OSS Index so a user account is not needed anymore?
By the way, after I specified a user and password, a few [sonatype-xxx] popped up, which I've suppressed with <vulnerabilityName regex="true">^\[sonatype.*</vulnerabilityName>.
I assume they're only visible to logged in users, most don't have CVE numbers and quite a few are not fixed yet.
For example, https://ossindex.sonatype.org/component/pkg:maven/org.terracotta/offheap-store has the same vulnerability in all versions, https://ossindex.sonatype.org/vulnerability/sonatype-2020-0267.
We have been facing this issue too, but the cause seems to be different.
AnalysisException: Failed to request component-reports
caused by SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
caused by ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
caused by CertPathValidatorException: validity check failed
caused by CertificateExpiredException: NotAfter: Thu May 26 09:59:59 AEST 2022
OWASP gradle plugin version: 7.1.0.1. What's the resolution for this issue?
@Subhalakshmi1986 Looks like it expired a few hours ago, so a new issue.
The issue is resolved now. We don't face this issue anymore.
I highly recommend making authenticated requests so that you receive the higher rate limit but also so that you get the SONATYPE-* vulnerabilities. These are vulnerabilities discovered by our large team of human researchers. Most often these are because the public sources are incorrect (they report something has been fixed but our testing shows that it hasn't actually been fixed).
@jeremylong @jlstephens89 I think this one can now be considered resolved with the updates/fixes made in the OSSINDEX? Or are there still pending issues related to this ticket?