
org.owasp.dependencycheck.analyzer.exception.AnalysisException: Failed to request component-reports Unexpected response; status: 400

Status: Open. francisATgwn opened this issue 8 months ago · 5 comments

Describe the bug

Dependency Check fails with a 400 error when requesting something from the Sonatype OSS Index, leading to fewer CVEs found in the report and warnings in the job log like "An error occurred while analyzing requirements.txt (Sonatype OSS Index Analyzer)."

Version of dependency-check used

The problem occurs using version 9.2.0 of the CLI (both Docker and brew packaging).

Log file

https://gist.github.com/francisATgwn/ece673ba589b75110a3aeecc9354708e

To Reproduce

Steps to reproduce the behavior:

  1. Use the dependency-check CLI with this invocation:
$ /usr/share/dependency-check/bin/dependency-check.sh --dbDriverName org.postgresql.Driver --connectionString "$DEPENDENCY_CHECK_CONNECTION" --dbUser "$DEPENDENCY_CHECK_USER" --dbPassword "$DEPENDENCY_CHECK_PASSWORD" --nvdApiKey "$NIST_NVD_API_KEY" --project $CI_PROJECT_NAME --out . --scan . --enableExperimental --format JUNIT --junitFailOnCVSS 4 --format HTML --failOnCVSS 4 --nodeAuditSkipDevDependencies $( [[ -e dependency-check-suppression.xml ]] && echo '--suppression dependency-check-suppression.xml' || echo '' )

Expected behavior

  • CVEs from Sonatype OSS Index are included in the report
  • "[WARN] An error occurred while analyzing '...' (Sonatype OSS Index Analyzer)." does not appear in the log
  • no HTTP 400 resulting in "org.owasp.dependencycheck.analyzer.exception.AnalysisException: Failed to request component-reports" appearing in the Analysis Exceptions section of the HTML report

Additional context

This does not happen when run with the 8.4.3 Docker image from the same environment on the same project at the same time.

The 8.4.3 CLI invocation is similar to the 9.2.0 invocation:

$ /usr/share/dependency-check/bin/dependency-check.sh --project $CI_PROJECT_NAME --out . --scan . --enableExperimental --format JUNIT --junitFailOnCVSS 4 --format HTML --failOnCVSS 4 --nodeAuditSkipDevDependencies --data dependency-check-data $( [[ -e dependency-check-suppression.xml ]] && echo '--suppression dependency-check-suppression.xml' || echo '' )

francisATgwn, Jun 18 '24 20:06