
SSLHandshakeException with ClearlyDefined.io

Open cz-dev-ge opened this issue 1 year ago • 1 comments

Describe the bug

When using ClearlyDefined as curation provider I get a SSLHandshakeException

To Reproduce

Steps to reproduce the behavior:

  1. put a config.yml into your repo under <Repo-Root>/.ort/config/config.yml
  2. add the content below
  3. run docker run -v $PWD/:/project -v $PWD/.ort:/home/ort/.ort --rm ghcr.io/oss-review-toolkit/ort --info analyze -f JSON -i /project/src -o /project/ORT
  4. See error

Expected behavior

No error. Curations are loaded correctly.

Console / log output


09:55:28.503 [main] WARN  org.ossreviewtoolkit.plugins.packagecurationproviders.clearlydefined.ClearlyDefinedPackageCurationProvider - Querying curations failed: SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    Caused by: SunCertPathBuilderException: unable to find valid certification path to requested target
09:55:28.504 [main] INFO  org.ossreviewtoolkit.model.utils.ConfigurationResolver - Getting 0 package curation(s) from provider 'ClearlyDefined' took 420.417503ms.
Wrote analyzer result to '/project/ORT/analyzer-result.json' (0.02 MiB) in 505.252100ms.
The analysis took 9.722949524s.
Found 2 project(s) and 2 package(s) in total (not counting excluded ones).
Applied 0 curation(s)

Environment

Output of the ort requirements command:

Default latest docker image.

 ______________________________
/        \_______   \__    ___/ The OSS Review Toolkit, version 22.6.0,
|    |   | |       _/ |    |    built with JDK 11.0.23+9, running under Java 17
|    |   | |    |   \ |    |    Executing 'requirements' as 'ort' on Linux
\________/ |____|___/ |____|    with 12 CPUs and a maximum of 3954 MiB of memory

Environment variables:
ORT_CONFIG_DIR = /home/ort/.ort/config
ORT_DATA_DIR = /home/ort/.ort
HOME = /home/ort
JAVA_HOME = /opt/java/openjdk
ANDROID_HOME = /opt/android-sdk

Looking for ORT configuration in the following file:
        /home/ort/.ort/config/config.yml (does not exist)

AdviceProviderFactory plugins:
        * GitHubDefects
        * NexusIQ
        * OssIndex
        * OSV
        * VulnerableCode

OrtCommand plugins:
        * advise
        * analyze
        * compare
        * config
        * download
        * evaluate
        * migrate
        * notify
        * report
        * requirements
        * scan
        * upload-curations
        * upload-result-to-postgres
        * upload-result-to-sw360

PackageConfigurationProviderFactory plugins:
        * DefaultDir
        * Dir
        * OrtConfig

PackageCurationProviderFactory plugins:
        * ClearlyDefined
        * DefaultDir
        * DefaultFile
        * File
        * OrtConfig
        * SW360

PackageManagerFactory plugins:
        * Bazel
        * Bower
        * Bundler
        * Cargo
        * Carthage
        * CocoaPods
        * Composer
        * Conan
        * GoMod
        * Gradle
        * GradleInspector
        * Maven
        * NPM
        * NuGet
        * PIP
        * Pipenv
        * PNPM
        * Poetry
        * Pub
        * SBT
        * SpdxDocumentFile
        * Stack
        * SwiftPM
        * Unmanaged
        * Yarn
        * Yarn2

Reporter plugins:
        * CtrlXAutomation
        * CycloneDx
        * DocBookTemplate
        * EvaluatedModel
        * FossId
        * FossIdSnippet
        * GitLabLicenseModel
        * HtmlTemplate
        * ManPageTemplate
        * Opossum
        * PdfTemplate
        * PlainTextTemplate
        * SpdxDocument
        * StaticHtml
        * TrustSource
        * WebApp

ScannerWrapperFactory plugins:
        * Askalono
        * BoyterLc
        * FossId
        * Licensee
        * ScanCode
        * SCANOSS

VersionControlSystem plugins:
        * Git
        * GitRepo
        * Mercurial
        * Subversion

Scanners:
        - Askalono: Requires 'askalono' in no specific version. Tool not found.
        - BoyterLc: Requires 'lc' in no specific version. Tool not found.
        - Licensee: Requires 'licensee' in no specific version. Tool not found.
        * ScanCode: Requires 'scancode' in version >=3.0.0. Found version 32.1.0.

PackageManagers:
        * Bazel: Requires 'bazel' in version >=7.0.0. Found version 7.0.1.
        * Bower: Requires 'bower' in version >=1.8.8. Found version 1.8.14.
        * Cargo: Requires 'cargo' in no specific version. Found version 1.72.0.
        * CocoaPods: Requires 'pod' in version >=1.11.0. Found version 1.15.2.
        * Composer: Requires 'composer' in version >=1.5.0. Found version 2.2.23.
        * Conan: Requires 'conan' in version >=1.18.0. Found version 1.63.0.
        * GoMod: Requires 'go' in version >=1.21.1. Found version 1.22.2.
        * Npm: Requires 'npm' in version >=6.0.0 and <11.0.0. Found version 10.5.0.
        + NuGetInspector: Requires 'nuget-inspector' in no specific version. Could not determine the version.
        * Pipenv: Requires 'pipenv' in version >=2018.10.9. Found version 2023.12.1.
        * Pnpm: Requires 'pnpm' in version >=5.0.0 and <9.0.0. Found version 8.10.3.
        * Poetry: Requires 'poetry' in no specific version. Found version 1.8.3.
        * Pub: Requires 'dart' in version >=2.10.0. Found version 2.18.4.
        * PythonInspector: Requires 'python-inspector' in version >=0.9.2. Found version 0.10.0.
        + Sbt: Requires 'sbt' in version >=0.13.0. Could not determine the version.
        * Stack: Requires 'stack' in version >=2.1.1. Found version 2.15.7.
        * SwiftPm: Requires 'swift' in no specific version. Found version 5.9.2.
        * Yarn: Requires 'yarn' in version >=1.3.0 and <1.23.0. Found version 1.22.19.

VersionControlSystems:
        * GitCommand: Requires 'git' in version >=2.29.0. Found version 2.34.1.
        * GitRepo: Requires 'repo' in no specific version. Found version 2.45 (launcher).
        * MercurialCommand: Requires 'hg' in no specific version. Found version 6.7.3.

And specify (relevant parts of) your ORT configuration (config.yml):

ort:
  enableRepositoryPackageConfigurations: true
  enableRepositoryPackageCurations: true

  packageCurationProviders:
  - type: ClearlyDefined
    options:
      serverUrl: 'https://api.clearlydefined.io'
      minTotalLicenseScore: 80

cz-dev-ge avatar Jun 06 '24 10:06 cz-dev-ge

This

Caused by: ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    Caused by: SunCertPathBuilderException: unable to find valid certification path to requested target

means that the JVM that runs ORT is lacking the proper SSL certificates. The Docker image build should actually ensure it has up-to-date SSL certificates (also see scripts/import_certificates.sh), so we need to look at what's going on.

sschuberth avatar Jun 06 '24 10:06 sschuberth
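To make the diagnosis above concrete, here is an added example (not ORT's code, and not scripts/import_certificates.sh) that models how the JVM's PKIX path builder decides whether a server chain is trusted, and therefore which certificate has to be imported into the JVM truststore when it reports "unable to find valid certification path to requested target". It is a simplified model: certificates are chained by subject/issuer name only, with no signature, expiry or name-constraint checks, and the PKI (Example Root CA, Example Issuing CA, api.example.test) and all chains are constructed for illustration. The `fetch_aia` flag models the JDK's `com.sun.security.enableAIAcaIssuers` property, which is off by default, so a server that omits its intermediate fails even when the root is in `cacerts`.

```python
"""Toy PKIX path builder: why the JVM says "unable to find valid
certification path to requested target", and what to import to fix it.

Added example, not ORT's code. Certificates are modelled by subject and
issuer names only (no signatures, expiry or name constraints); the PKI and
chains below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Hypothetical PKI, constructed for the example.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
INTERMEDIATE = Cert("CN=Example Issuing CA", "CN=Example Root CA")
LEAF = Cert("CN=api.example.test", "CN=Example Issuing CA")


def build_path(presented, trust_store, fetch_aia=False, aia_repo=None):
    """Return (ok, path, reason).

    presented:   certs the server sent, leaf first (the TLS Certificate message).
    trust_store: CA certs in the JVM truststore ($JAVA_HOME/lib/security/cacerts
                 unless -Djavax.net.ssl.trustStore points elsewhere).
    fetch_aia:   whether a missing issuer may be fetched from aia_repo. The JDK
                 default (com.sun.security.enableAIAcaIssuers=false) is no.
    """
    if not presented:
        return False, [], "no certificate presented"
    from_server = {c.subject: c for c in presented}
    trusted = {c.subject: c for c in trust_store}
    from_aia = {c.subject: c for c in (aia_repo or [])}

    path = [presented[0]]
    seen = {presented[0].subject}
    while True:
        current = path[-1]
        # The issuer of the current cert is a trust anchor: path complete.
        if current.issuer in trusted:
            return True, path + [trusted[current.issuer]], f"anchored at {current.issuer!r}"
        if current.self_signed:
            return False, path, f"chain ends at untrusted self-signed {current.subject!r}"
        # Otherwise the issuer must be found in what the server sent (or via AIA).
        nxt = from_server.get(current.issuer)
        if nxt is None and fetch_aia:
            nxt = from_aia.get(current.issuer)
        if nxt is None or nxt.subject in seen:
            return False, path, (
                "unable to find valid certification path to requested target: "
                f"no certificate for issuer {current.issuer!r}"
            )
        seen.add(nxt.subject)
        path.append(nxt)


def missing_issuer(presented, trust_store):
    """Subject of the CA cert that would have to be imported (or sent by the
    server) to make the chain verify; None when the chain already verifies."""
    ok, path, _ = build_path(presented, trust_store)
    return None if ok else path[-1].issuer


def scenarios():
    """Typical causes of the PKIX error, side by side with the healthy case."""
    full_chain = [LEAF, INTERMEDIATE]
    return {
        # Healthy: server sends leaf + intermediate, root is in cacerts.
        "ok": build_path(full_chain, [ROOT]),
        # Outdated cacerts in the JVM image: the root is simply not there.
        "root_missing": build_path(full_chain, []),
        # Server omits its intermediate; the JDK does not chase AIA by default.
        "no_intermediate": build_path([LEAF], [ROOT]),
        # Same server, JVM started with -Dcom.sun.security.enableAIAcaIssuers=true.
        "no_intermediate_aia": build_path([LEAF], [ROOT], fetch_aia=True, aia_repo=[INTERMEDIATE]),
        # Workaround for the previous case: import the intermediate as an anchor.
        "intermediate_as_anchor": build_path([LEAF], [INTERMEDIATE]),
    }


if __name__ == "__main__":
    for name, (ok, path, reason) in scenarios().items():
        print(f"{name:24} ok={ok!s:5} {reason}")
    print("to import:", missing_issuer([LEAF, INTERMEDIATE], []))
```

In a real container the same two questions are answered with `openssl s_client -connect api.clearlydefined.io:443 -showcerts` (what chain does the server send?) and `keytool -list -cacerts` (which anchors does this JDK have?); a missing anchor is then added with `keytool -importcert -cacerts -alias <name> -file <ca.pem>`, which is the kind of step an image build's certificate import is meant to automate. Importing the intermediate is only a workaround; the durable fix is a truststore that contains the current root.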

@georg-eckert-zeiss, can you re-test with a recent ORT release as we've switched to Java 21 which probably comes with updated certificates?

sschuberth avatar Nov 01 '24 10:11 sschuberth

Closed as part of backlog grooming. Feel free to comment if you would like to contribute to this.

sschuberth avatar Nov 26 '24 09:11 sschuberth