DependencyCheck
Dependency Check CLI: NVD URL Access Proxy Authentication Issue
Hi
We are facing an authentication issue while executing Dependency Check via a batch script and passing the proxy configuration through CLI arguments (proxyserver, proxyport, proxypass, proxyuser).
As per our analysis, proxy credentials are not passed via the CLI, as the network logs show an authentication issue with messages as: a. Access Denied(authentication_failed) b. Your credentials could not be authenticated: "Credentials are missing". You will not be permitted access until your credentials can be verified.
We also wanted to share that we are able to successfully access the NVD URL via 'cURL' using the same proxy credentials passed as CLI arguments in the batch script.
CMD Batch Execution Issue logs attached in screenshot for your reference:
DependencyCheck_NVD_URL_Access_Issue.png
Dependency Check Version Used: 7.1.0
CLI Arguments Reference link: https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html
Batch Script CLI dummy command: dependency-check.bat --project "myproject" --scan C:\dependency-check --out C:\dependency-check\reports --proxyserver <PROXY_SERVER_IP> --proxyport <PROXY_SERVER_PORT> --proxypass <PROXY_USER_PASSWORD> --proxyuser <PROXY_USER>
Please review and suggest steps we can take to resolve the issue.
Thanks
What Java version do you use? Looks a lot like https://stackoverflow.com/questions/41806422/java-web-start-unable-to-tunnel-through-proxy-since-java-8-update-111
For which the codebase has the mentioned fix in place https://github.com/jeremylong/DependencyCheck/blob/c236dbf3b63ad3cc229a6a079a244d354da5ce46/utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java#L99 but maybe for your version of Java they no longer work?
Or maybe it never worked, but people needing this already had the local JVM patched with the same.
See also https://github.com/jeremylong/DependencyCheck/issues/718
Hi @aikebah
Thanks for your response.
Wanted to update that the issue still persists at our end with the suggested change to reactivate the authentication scheme with the Java VM arguments (jdk.http.auth.tunneling.disabledSchemes and jdk.http.auth.proxying.disabledSchemes) as empty.
<DEPENDENCY_CHECK_FOLDER>/bin/dependency-check.bat file snapshot for your reference, which was modified with the suggested change:

Reference Link: https://www.oracle.com/java/technologies/javase/8u111-relnotes.html
Java Version Used at our end: 1.8.0_241
Please find below network logs debug extract for the unauthenticated transaction for your reference:
CMD Batch Execution Issue logs attached in screenshot for your reference:

Please can you help review and suggest next steps we can take to resolve the issue.
Thanks
Your screenshot shows a modified, but unsaved batch-file. Are you sure you saved before running?
Hi @aikebah
Thanks for the response.
Yes, please note that the issue persistence details presented here are with validation done after the batch file is saved.
Screenshot shared here was for sample purpose only.
Thanks
Then all that's left would be network tracing the requests to the proxy. It should (based on the config) contain the proxy-authentication, but the response of the proxy that you quote appears to suggest differently. As the channel to the proxy itself is unencrypted you should be able to read the data until the TLS tunnel is being opened to the destination site.
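One way to read such a trace, as an added example that is not part of the thread or of the DependencyCheck code base: it pairs each plaintext CONNECT request with the proxy's reply and reports whether a Proxy-Authorization header was sent and which schemes the proxy offered. The host name, credentials, sample trace and function names are constructed for illustration.

```python
import base64

# Constructed sample of the plaintext client-to-proxy bytes before the TLS tunnel
# opens; host name and credentials are placeholders, not values from the issue.
CRED = base64.b64encode(b"user:secret").decode()
SAMPLE_TRACE = (
    "CONNECT nvd.example.invalid:443 HTTP/1.1\r\n"
    "Host: nvd.example.invalid:443\r\n\r\n"
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n'
    "CONNECT nvd.example.invalid:443 HTTP/1.1\r\n"
    "Host: nvd.example.invalid:443\r\n"
    f"Proxy-Authorization: Basic {CRED}\r\n\r\n"
    "HTTP/1.1 200 Connection established\r\n\r\n"
)

def parse_messages(trace):
    """Split the trace into (start_line, {lowercased header: [values]}) tuples."""
    messages = []
    for block in trace.split("\r\n\r\n"):
        lines = [ln for ln in block.split("\r\n") if ln]
        if lines:
            headers = {}
            for line in lines[1:]:
                name, _, value = line.partition(":")
                headers.setdefault(name.strip().lower(), []).append(value.strip())
            messages.append((lines[0], headers))
    return messages

def diagnose(trace):
    """Pair each CONNECT with the proxy's reply; report schemes only, never the secret."""
    findings, sent = [], None
    for start, headers in parse_messages(trace):
        if start.upper().startswith("CONNECT "):
            auth = headers.get("proxy-authorization", [""])[0].split()
            sent = auth[0].lower() if auth else None
            continue
        status = int(start.split()[1])
        offered = [v.split()[0].lower() for v in headers.get("proxy-authenticate", []) if v]
        if status != 407:
            verdict = "tunnel established" if status == 200 else f"proxy returned {status}"
        elif sent is None:
            verdict = "no Proxy-Authorization header sent"
        elif sent not in offered:
            verdict = "sent scheme not offered by proxy"
        else:
            verdict = "credentials sent but rejected"
        findings.append({"sent": sent, "status": status, "offered": offered, "verdict": verdict})
    return findings
```

A first 407 with no header sent is the normal challenge step; the finding that matters is the last one in the list, since it shows whether the client ever retried with credentials and in which scheme.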