
Invalid expires attribute date on setting Cookies during Analyzer

Open heliocastro opened this issue 1 year ago • 2 comments

During analyzer run, using --info, this warning can be seen:

WARN  org.apache.http.client.protocol.ResponseProcessCookies - Invalid cookie header: "Set-Cookie: AWSALBCORS=<CORS_REDACTED>; Expires=Tue, 28 May 2024 12:45:19 GMT; Path=/; SameSite=None; Secure". Invalid 'expires' attribute: Tue, 28 May 2024 12:45:19 GMT

heliocastro avatar May 21 '24 13:05 heliocastro

The package org.apache.http.client.protocol.ResponseProcessCookies is not from us. Can you share more context from the stacktrace?

sschuberth avatar May 21 '24 14:05 sschuberth

@heliocastro, do you see this when running one of the SW360 commands? Because that seems to be the only place where ORT is using Apache Http instead of OkHttp. If so, this might solve it.

sschuberth avatar May 23 '24 07:05 sschuberth

Hi @sschuberth, I did some investigation and the issue comes from the Maven implementation in ORT, not related to SW360, and happens during the Analyzer stage. Here's the exact snippet where it happens in eclipse-aether:

I'll try to debug further

10:05:46.809 [DefaultDispatcher-worker-1] DEBUG org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.MavenSupport - Ignoring local repositories [vw-central (https://jfrog.devstack.vwgroup.com/artifactory/public/, default, releases), vw-dp-common (https://jfrog.devstack.vwgroup.com/artifactory/gvo-maven-dataproductscommon/, default, releases+snapshots), central (https://repo.maven.apache.org/maven2, default, releases), sonatype-nexus-snapshots (https://oss.sonatype.org/content/repositories/snapshots, default, snapshots), central (https://repo.maven.apache.org/maven2, default, releases)].
10:05:46.809 [DefaultDispatcher-worker-1] DEBUG org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.MavenSupport - Searching for 'org.webjars:swagger-ui:jar:4.18.2' in [vw-central (https://jfrog.devstack.vwgroup.com/artifactory/public/, default, releases), vw-dp-common (https://jfrog.devstack.vwgroup.com/artifactory/gvo-maven-dataproductscommon/, default, releases+snapshots), central (https://repo.maven.apache.org/maven2, default, releases), spring-release (https://repo.spring.io/release, default, releases), spring-snapshot (https://repo.spring.io/snapshot, default, releases+snapshots), sonatype-nexus-snapshots (https://oss.sonatype.org/content/repositories/snapshots, default, snapshots)].
10:05:46.809 [DefaultDispatcher-worker-1] DEBUG org.ossreviewtoolkit.plugins.packagemanagers.maven.utils.MavenSupport - Trying to download artifact 'org.webjars:swagger-ui:jar:4.18.2' from https://jfrog.devstack.vwgroup.com/artifactory/public/org/webjars/swagger-ui/4.18.2/swagger-ui-4.18.2.jar.
10:05:46.810 [DefaultDispatcher-worker-1] DEBUG org.eclipse.aether.internal.impl.DefaultTransporterProvider - Using transporter HttpTransporter with priority 5.0 for https://jfrog.devstack.vwgroup.com/artifactory/public/
10:05:46.810 [DefaultDispatcher-worker-1] DEBUG org.eclipse.aether.internal.impl.DefaultRepositoryConnectorProvider - Using connector BasicRepositoryConnector with priority 0.0 for https://jfrog.devstack.vwgroup.com/artifactory/public/ via localhost:9000 with org.eclipse.aether.util.repository.JreProxySelector$JreProxyAuthentication@4ddacff8
10:05:46.810 [DefaultDispatcher-worker-1] DEBUG org.apache.http.client.protocol.RequestAddCookies - CookieSpec selected: default
10:05:46.810 [DefaultDispatcher-worker-1] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection request: [route: {tls}->http://localhost:9000->https://jfrog.devstack.vwgroup.com:443][total available: 3; route allocated: 1 of 50; total allocated: 3 of 100]
10:05:46.810 [DefaultDispatcher-worker-1] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection leased: [id: 0][route: {tls}->http://localhost:9000->https://jfrog.devstack.vwgroup.com:443][total available: 2; route allocated: 1 of 50; total allocated: 3 of 100]
10:05:46.810 [DefaultDispatcher-worker-1] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: set socket timeout to 0
10:05:46.810 [DefaultDispatcher-worker-1] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: set socket timeout to 1800000
10:05:46.810 [DefaultDispatcher-worker-1] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing request HEAD /artifactory/public/org/webjars/swagger-ui/4.18.2/swagger-ui-4.18.2.jar HTTP/1.1
10:05:46.810 [DefaultDispatcher-worker-1] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth state: UNCHALLENGED
10:05:46.860 [DefaultDispatcher-worker-1] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection can be kept alive indefinitely
10:05:46.860 [DefaultDispatcher-worker-1] DEBUG org.apache.http.impl.auth.HttpAuthenticator - Authentication required
10:05:46.860 [DefaultDispatcher-worker-1] DEBUG org.apache.http.impl.auth.HttpAuthenticator - jfrog.devstack.vwgroup.com:443 requested authentication
10:05:46.860 [DefaultDispatcher-worker-1] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - Authentication schemes in the order of preference: [Negotiate, Kerberos, NTLM, CredSSP, Digest, Basic]
10:05:46.860 [DefaultDispatcher-worker-1] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for Negotiate authentication scheme not available
10:05:46.860 [DefaultDispatcher-worker-1] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for Kerberos authentication scheme not available
10:05:46.860 [DefaultDispatcher-worker-1] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for NTLM authentication scheme not available
10:05:46.860 [DefaultDispatcher-worker-1] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for CredSSP authentication scheme not available
10:05:46.860 [DefaultDispatcher-worker-1] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for Digest authentication scheme not available
10:05:46.860 [DefaultDispatcher-worker-1] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection [id: 0][route: {tls}->http://localhost:9000->https://jfrog.devstack.vwgroup.com:443] can be kept alive indefinitely
10:05:46.860 [DefaultDispatcher-worker-1] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: set socket timeout to 0
10:05:46.860 [DefaultDispatcher-worker-1] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection released: [id: 0][route: {tls}->http://localhost:9000->https://jfrog.devstack.vwgroup.com:443][total available: 3; route allocated: 1 of 50; total allocated: 3 of 100]
10:05:46.860 [DefaultDispatcher-worker-1] WARN  org.apache.http.client.protocol.ResponseProcessCookies - Invalid cookie header: "Set-Cookie: AWSALB=rlhopvySkjsYFSk30vL2SO3xIcok/rnQ98TEfEjWBgT5F9X+8RcToudxqjv26n9TW9k0h/sx0f/PVIjxajAeFUU5WN1i5sxiYqwHkssgyquG0NwbZUlXoJH+rnzq; Expires=Mon, 01 Jul 2024 08:05:46 GMT; Path=/". Invalid 'expires' attribute: Mon, 01 Jul 2024 08:05:46 GMT
10:05:46.860 [DefaultDispatcher-worker-1] WARN  org.apache.http.client.protocol.ResponseProcessCookies - Invalid cookie header: "Set-Cookie: AWSALBCORS=rlhopvySkjsYFSk30vL2SO3xIcok/rnQ98TEfEjWBgT5F9X+8RcToudxqjv26n9TW9k0h/sx0f/PVIjxajAeFUU5WN1i5sxiYqwHkssgyquG0NwbZUlXoJH+rnzq; Expires=Mon, 01 Jul 2024 08:05:46 GMT; Path=/; SameSite=None; Secure". Invalid 'expires' attribute: Mon, 01 Jul 2024 08:05:46 GMT

heliocastro avatar Jun 24 '24 08:06 heliocastro
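
A triage helper for warnings of the shape shown in the log above, added here as an example and not part of the thread, ORT or Maven Resolver: it extracts the cookie name and the rejected Expires value from each ResponseProcessCookies warning, checks the date against the RFC 1123 layout, and redacts the cookie value before the line is shared. The sample lines are constructed, and the dash-separated legacy date layout is an assumption about what an older cookie parser expects.

```python
import re
from datetime import datetime

# Constructed sample lines in the shape of the warnings quoted in the thread
# (cookie values are made up and shortened).
SAMPLE_LOG = [
    '10:05:46.860 [w-1] WARN  org.apache.http.client.protocol.ResponseProcessCookies - '
    'Invalid cookie header: "Set-Cookie: AWSALB=abc123/def+ghi; '
    'Expires=Mon, 01 Jul 2024 08:05:46 GMT; Path=/". '
    "Invalid 'expires' attribute: Mon, 01 Jul 2024 08:05:46 GMT",
    '10:05:46.860 [w-1] DEBUG org.apache.http.client.protocol.RequestAddCookies - '
    'CookieSpec selected: default',
]

WARNING = re.compile(
    r'Invalid cookie header: "Set-Cookie: (?P<name>[^=]+)=(?P<value>[^;"]*)'
    r".*?Invalid 'expires' attribute: (?P<expires>.+)$"
)

RFC1123 = "%a, %d %b %Y %H:%M:%S GMT"         # layout seen in the logged headers
LEGACY_DASHED = "%a, %d-%b-%y %H:%M:%S GMT"   # assumption: legacy dashed layout


def matches(fmt, text):
    """True if text parses under the given strptime layout."""
    try:
        datetime.strptime(text, fmt)
        return True
    except ValueError:
        return False


def triage(line):
    """Return details for a cookie-expiry warning, or None for other lines."""
    m = WARNING.search(line)
    if m is None:
        return None
    expires = m["expires"].strip()
    # Replace only the cookie value span so the rest of the line stays intact.
    redacted = line[:m.start("value")] + "<REDACTED>" + line[m.end("value"):]
    return {
        "cookie": m["name"],
        "expires": expires,
        "rfc1123_ok": matches(RFC1123, expires),
        "legacy_ok": matches(LEGACY_DASHED, expires),
        "redacted": redacted,
    }


def rejected_but_valid(lines):
    """Cookie names whose rejected Expires value is a valid RFC 1123 date."""
    hits = [t for t in map(triage, lines) if t]
    return [t["cookie"] for t in hits if t["rfc1123_ok"]]
```

A result with `rfc1123_ok` true and `legacy_ok` false points at the client's date parsing rather than at the server's header.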

Still looks like this should be reported against https://maven.apache.org/resolver/issue-management.html instead.

sschuberth avatar Jun 24 '24 10:06 sschuberth

Opened here: https://issues.apache.org/jira/browse/MRESOLVER-574

heliocastro avatar Jun 26 '24 07:06 heliocastro

Thanks, let's close this in favor of the upstream issue then; we'll automatically benefit from a fix if a new version of the resolver library with the fix is released.

sschuberth avatar Jun 26 '24 09:06 sschuberth

Version 1.9.21 of Maven resolver will have the fix.

sschuberth avatar Jul 01 '24 12:07 sschuberth