Jeremy Long (jeremylong), Oak Hill, VA. Founder and project lead for dependency-check.

jeremylong/DependencyCheck 2600

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.

jeremylong/dependency-check-gradle 199

The dependency-check gradle plugin allows projects to monitor dependent libraries for known, published vulnerabilities.

jeremylong/dependency-check-sonar-plugin 5

Integrates OWASP Dependency-Check reports into SonarQube

jeremylong/dependency-check-plugin 2

Jenkins plugin for OWASP Dependency-Check. Inspects project components for known vulnerabilities (e.g. CVEs).

jeremylong/InstallCert 2

Java program to retrieve server certificate that can be added to local keystore

OWASP/www-project-dependency-check 2

OWASP Foundation Web Repository

jeremylong/blackhat-arsenal-tools 1

Official Black Hat Arsenal Security Tools Repository

jeremylong/build-inspector 1

Inspect your builds to look for changes in filesystem, network traffic and running processes.

jeremylong/GrokAssembly 1

Mono/.NET Project to get information about an assembly. Primarily for OWASP Dependency Check

jeremylong/maven-indexer 1

Indexer for Maven Repositories

issue closed jeremylong/DependencyCheck

Retry for failed connections to Node Audit API

Related Problem: As of "Failed to read results from the NPM Audit API" #1685, connections to the Node Audit API are sporadically failing. NPM appears to have such availability problems from time to time.

Suggested Solution: I am using the Dependency Check for my nightly build. Therefore it's important to me to not have sporadic build failures. I would suggest retrying the connection to the Node Audit API 2-3 times before letting the Dependency Check fail. I could develop this if you accept a pull request for that matter.

closed time in 5 hours

DanielOstovary

issue comment jeremylong/DependencyCheck

Retry for failed connections to Node Audit API

We do not plan on implementing retry logic. Rather #2423 and/or local analysis are being considered.

DanielOstovary

comment created time in 5 hours

issue closed jeremylong/DependencyCheck

False Positive on asm-7.2.jar

False positive on library asm-7.2.jar, reported as cpe:2.3:a:apache:netbeans:7.2 with dependency-check version 6.0.2 (maven-plugin).

Reported Identifiers:

pkg:maven/org.ow2.asm/asm@7.2 (Confidence: High) --> OK
pkg:maven/org.netbeans.external/asm-7.2@RELEASE113 (Confidence: Highest)
cpe:2.3:a:apache:netbeans:7.2:*:*:*:*:*:*:* (Confidence: Low) --> not OK because of CVE-2019-17560

closed time in 5 hours

MichaelVetter

push event jeremylong/DependencyCheck

Jeremy Long

commit sha 1876b4d641b8dd837baf9b8653b2b2bb69df4c9a

fp per #2923


push time in 5 hours

issue closed jeremylong/DependencyCheck

Finish excludes PR #1699

To finalize #1699 we need to update the javadoc and add an integration test to the maven plugin.

When doing this we should also add the includes functionality requested in #1009.

closed time in 5 hours

jeremylong

push event jeremylong/DependencyCheck

Jeremy Long

commit sha 9dc00dc87e078859fc7f5e0f951ef868b6213097

update documentation per #1747


push time in 5 hours

issue comment jeremylong/DependencyCheck

Duplicate vulnerabilities reported for identical jar files using version 6.0.x

This was an intended change as reported in #2608.

MichaelVetter

comment created time in 6 hours

issue comment jeremylong/dependency-check-gradle

"failed to request component-reports" should include the failure

I'd start by enabling debug logging. There is an issue with the stack traces sometimes with gradle that we are working on. However, enabling debug logging will get you the info you need as the actual exception is logged:

https://github.com/jeremylong/DependencyCheck/blob/ee08a7c4764e90537ac9d412c52e9a6fc09c10f2/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java#L144-L147

trejkaz

comment created time in 6 hours

issue comment jeremylong/DependencyCheck

maven plugin config ignored

Either I'm not following your issue or I can't reproduce it... If I configure:

    <build>
        <plugins>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>6.0.2</version>
                <configuration>
                    <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
                    <format>ALL</format>
                </configuration>
                <executions>
                    <execution>
                        <goals>
                            <goal>check</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>

Then execute:

$ mvn org.owasp:dependency-check-maven:check -X > odc.log

I can then find in the logs:

[DEBUG] Setting: analyzer.assembly.enabled='false'
[DEBUG] Setting: analyzer.artifactory.parallel.analysis='true'
[DEBUG] Loaded Analyzer Archive Analyzer
[DEBUG] Loaded Analyzer File Name Analyzer
[DEBUG] Loaded Analyzer Jar Analyzer
[DEBUG] Loaded Analyzer Hint Analyzer
[DEBUG] Loaded Analyzer CPE Analyzer
[DEBUG] Loaded Analyzer False Positive Analyzer
[DEBUG] Loaded Analyzer Dependency Bundling Analyzer
[DEBUG] Loaded Analyzer Dependency Merging Analyzer
[DEBUG] Loaded Analyzer NVD CVE Analyzer
[DEBUG] Loaded Analyzer Vulnerability Suppression Analyzer
[DEBUG] Loaded Analyzer Central Analyzer
[DEBUG] Loaded Analyzer Nexus Analyzer
[DEBUG] Loaded Analyzer Artifactory Analyzer
[DEBUG] Loaded Analyzer Nuspec Analyzer
[DEBUG] Loaded Analyzer Nugetconf Analyzer
[DEBUG] Loaded Analyzer MSBuild Project Analyzer
[DEBUG] Loaded Analyzer Assembly Analyzer
[DEBUG] Loaded Analyzer OpenSSL Source Analyzer
[DEBUG] Loaded Analyzer Node.js Package Analyzer
[DEBUG] Loaded Analyzer Node Audit Analyzer
[DEBUG] Loaded Analyzer RetireJS Analyzer
[DEBUG] Loaded Analyzer Ruby Bundle Audit Analyzer
[DEBUG] Loaded Analyzer Version Filter Analyzer
[DEBUG] Loaded Analyzer Sonatype OSS Index Analyzer
[DEBUG] Settings.getDataFile() - file: '[JAR]/../../dependency-check-data/5.0'

As you can see the assembly analyzer is not loaded. Note - it does print out the settings as loaded from properties file in the core JAR; however, it is later set as seen in the above log.

Now, if you used the above configuration and tried to run mvn site the configuration would not be used from the build section. You need to configure and use it as either a site plugin and run it via mvn site or as a build plugin and run it via mvn verify, mvn org.owasp:dependency-check-maven:check, or whatever other goal you attach it to.

delanym

comment created time in 6 hours

issue comment jeremylong/DependencyCheck

6.0.3 release date ?

relatively soon - likely this weekend.

sebastienroux

comment created time in 6 hours

issue comment jeremylong/DependencyCheck

Bad error reporting

@aikebah a simpler solution might be to simply log any inner exceptions from the ExceptionCollection and then throw the first exception in the list...

Vampire

comment created time in 6 hours

issue closed jeremylong/DependencyCheck

Central analyzer not called (but enabled; works with additional repo)

Describe the bug: Central analyzer is not called, even though it is explicitly enabled. It works fine when an additional repo is configured.

When I remove our maven repository and use just mavenLocal() there, the central analyzer is not enabled at all, which is also pretty strange behavior.

18:23:15.642 [DEBUG] [org.owasp.dependencycheck.Engine] Initializing Central Analyzer
...many lines...
18:23:15.642 [DEBUG] [org.owasp.dependencycheck.Engine] Skipping Central Analyzer (not enabled)
(even though the log a few lines above says: Enabling the Central analyzer)

In the case where central is not executed, the line "Central analyzer enabled: true" is also not in the log, so it seems that the prepareFileTypeAnalyzer(Engine) method is never called.

Version of dependency-check used: The problem occurs using version 4.0.2 of the Gradle plugin

Log file: https://gist.github.com/malejpavouk/faa6f459744928b41eba644302b57774

To Reproduce: Steps to reproduce the behavior:

plugins {
    id 'java'
    id 'org.owasp.dependencycheck' version '4.0.2'
}

group 'test'
version '1.0-SNAPSHOT'

sourceCompatibility = 1.8

repositories {
    // uncomment to make central analyzer running
    //maven {
        //url 'http://{{company artifactory}}/artifactory/{{repository}}'
    //}
    mavenLocal()
    mavenCentral()
}

dependencies {
    compile "com.oracle:ojdbc7:12.1.0.2"
    testCompile group: 'junit', name: 'junit', version: '4.12'
}

dependencyCheck {
    cveValidForHours 24
    format 'ALL'
    failBuildOnCVSS 11

    analyzers {
        jarEnabled = true
        centralEnabled = true
    }
}

Expected behavior: Central is called when enabled

Additional context

closed time in a day

malejpavouk

issue comment jeremylong/DependencyCheck

Central analyzer not called (but enabled; works with additional repo)

CentralAnalyzer should not be used with the maven plugin. It does nothing and can only create slower builds when enabled.

malejpavouk

comment created time in a day

issue closed jeremylong/DependencyCheck

update-only postgresql database maintenance update ecosystem fails [5.0.0-M1]

Describe the bug: After setting up a postgresql database with initialize_postgres.sql (in which the last query to update version to 4.1 fails since this property does not exist yet) running the update-only task fails in the database maintenance phase with an SQL exception:

1256877 [main] INFO org.owasp.dependencycheck.data.update.NvdCveUpdater - Begin database maintenance.
1256881 [main] ERROR org.owasp.dependencycheck.data.nvdcve.CveDB - An unexpected SQL Exception occurred; please see the verbose log for more details.
1256881 [main] DEBUG org.owasp.dependencycheck.data.nvdcve.CveDB - org.postgresql.util.PSQLException: ERROR: column "u" of relation "cpeentry" does not exist

Version of dependency-check used: The problem occurs using version 5.0.0-M1 of the maven plugin

Log file: https://gist.github.com/mhuijgen/b15f2d2df7f4c2f6bf1768b1198a83de

To Reproduce: Steps to reproduce the behavior:

  1. initialize a new postgresql database
  2. run the update-only task via maven
  3. database maintenance fails

Expected behavior: No SQL failures.

closed time in a day

mhuijgen

issue closed jeremylong/DependencyCheck

Message: org.xml.sax.SAXException: Error updating 'CVE-2010-0001'

I'm using the Jenkins plugin "Invoke OWASP Dependency-Check analysis" which is using dependency-check v4.0.2. When running a dependency check scan against a PHP project, it returned an error as per link below :

https://gist.github.com/aidanadia/e948d9593e8716d32053f60438619b66

Is there anything that I can do to fix this error?

closed time in a day

aidanadia

issue closed jeremylong/DependencyCheck

Shell can consume wildcards in scan directories, resulting in hard-to-debug results

Describe the bug: The README states that wildcards can be used with the --scan argument. If these are consumed by the shell (e.g. by forgetting to escape them or to use quotes/apostrophes), DependencyCheck fails quietly by using only the first filename and silently ignoring all the others. Debugging this is not easy and consumes quite some time.

Version of dependency-check used: The problem occurs using version 4.0.2 of the CLI

Log file: https://gist.github.com/dnet/c6de267743c7829691fbd9705437e23d

To Reproduce: Steps to reproduce the behavior:

  1. Start CLI by using unescaped wildcards in the --scan argument
  2. Be amazed that it produced an empty/small report very quickly

Expected behavior: Either

  • use all paths enumerated by the shell after --scan or
  • alert the user that something's off and what would've happened is probably not what the user expected

Additional context: It happened right when I first used DependencyCheck which made debugging it a bit harder since I couldn't be sure whether it was expected behavior, whether the dependencies really were bug-free (they weren't), or whether I just misunderstood the documentation.

closed time in a day

dnet

issue closed jeremylong/DependencyCheck

Can i use DependencyCheck to scan pom files only?

Hi,

I'm looking to analyze the pom files as they contain the dependencies without providing the entire source of a project or building anything, is that possible?

closed time in a day

JStyle21

issue closed jeremylong/DependencyCheck

Initial download took 6 hours - where can I obtain debug/logs?

Hi, I'm running this on OpenShift, deploying via helm charts. Using v5.3.2 and a separate postgresql database accessed via K8s service, it took ~6hrs to perform a database load from scratch. I checked CPU and RAM for both dependency check and postgres; the majority of the time CPU idle for both was >70% and RAM always appeared to have a large cache quantity as well as unused.

Dep Check has 3CPU and 4GB RAM Postgresql has 4CPU and 4GB RAM

I'd like to try and do some root cause analysis, but can't find any documentation on this. Thanks in advance, Matt.

Log of duration: (image)

File sizes during download/process etc: (image)

closed time in a day

namloc2001

issue closed jeremylong/DependencyCheck

gradle-plugin does not create XML report

Hi all,

I use 'org.owasp:dependency-check-gradle:5.3.2' gradle 4.1 and I add in build.gradle:

dependencyCheck {
    autoUpdate=false
    cveValidForHours=1
    format='XML'
}

I also tried format='ALL'.

When I use the command locally: /gradlew dependencyCheckAnalyze -Ddownloader.quick.query.timestamp=false -Pformat=XML or /gradlew dependencyCheckAnalyze, I get only an HTML report in the build/reports folder. Does anyone know how I could create an XML report?

Thanks!

closed time in a day

aristasi

issue closed jeremylong/DependencyCheck

Unable to connect dependency-check database

Describe the bug: Unable to connect to NVD database

Version of dependency-check used: The problem occurs using version X.X.X of the 5.3.2 (cli, gradle plugin, maven plugin, etc.)

Log file: (image)

To Reproduce: Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior: If I connect to the NVD database, the scan should succeed

Additional context: Add any other context about the problem here.

closed time in a day

Trojans-dev

issue closed jeremylong/DependencyCheck

When will .NET (dotnet) Core 3.1 support be released?

When will the code committed in PR #2574 to solve issues #2155 & #1464 be released? The original comments suggested that this would be released in v3.4 but it now looks like we're waiting for v6?

closed time in a day

stevehipwell

issue closed jeremylong/DependencyCheck

run the mvn compile, the result is failed

the code branch is "main".

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0-M3:enforce (enforce-classfileformat) on project dependency-check-core: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed. -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0-M3:enforce (enforce-classfileformat) on project dependency-check-core: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed.
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356)
Caused by: org.apache.maven.plugin.MojoExecutionException: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed.
    at org.apache.maven.plugins.enforcer.EnforceMojo.execute (EnforceMojo.java:260)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356)
[ERROR]
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
[ERROR]
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR]   mvn <goals> -rf :dependency-check-core

closed time in a day

mendickxiao

issue comment jeremylong/DependencyCheck

maven plugin config ignored

How are you invoking dependency-check? Where is the plugin configuration located in the pom?

delanym

comment created time in a day

pull request comment jeremylong/DependencyCheck

Bump mailapi from 1.6.5 to 2.0.0

Even after updating the import statements for the updated Jakarta mail API we are seeing the below stack trace. Looks like at least one test dependency (mockserver) is using (transitively) the older version of the mail API. We will have to wait until the mail API is bumped in other projects.

[ERROR] 51683 exception caught by class org.mockserver.netty.MockServer handler -> closing pipeline [id: 0x70e34821, L:/127.0.0.1:51683 - R:/127.0.0.1:51714]
java.lang.NoClassDefFoundError: Could not initialize class com.github.fge.jsonschema.cfg.ValidationConfigurationBuilder
	at com.github.fge.jsonschema.cfg.ValidationConfiguration.newBuilder(ValidationConfiguration.java:97)
	at com.github.fge.jsonschema.cfg.ValidationConfiguration.byDefault(ValidationConfiguration.java:107)
	at com.github.fge.jsonschema.main.JsonSchemaFactoryBuilder.<init>(JsonSchemaFactoryBuilder.java:68)
	at com.github.fge.jsonschema.main.JsonSchemaFactory.newBuilder(JsonSchemaFactory.java:123)
	at com.github.fge.jsonschema.main.JsonSchemaFactory.byDefault(JsonSchemaFactory.java:113)
	at org.mockserver.validator.jsonschema.JsonSchemaValidator.<init>(JsonSchemaValidator.java:39)
	at org.mockserver.validator.jsonschema.JsonSchemaExpectationValidator.<init>(JsonSchemaExpectationValidator.java:11)
	at org.mockserver.validator.jsonschema.JsonSchemaExpectationValidator.jsonSchemaExpectationValidator(JsonSchemaExpectationValidator.java:42)
	at org.mockserver.serialization.ExpectationSerializer.getValidator(ExpectationSerializer.java:54)
	at org.mockserver.serialization.ExpectationSerializer.deserialize(ExpectationSerializer.java:114)
	at org.mockserver.serialization.ExpectationSerializer.deserializeArray(ExpectationSerializer.java:171)
	at org.mockserver.mock.HttpState.handle(HttpState.java:527)
	at org.mockserver.netty.HttpRequestHandler.channelRead0(HttpRequestHandler.java:92)
	at org.mockserver.netty.HttpRequestHandler.channelRead0(HttpRequestHandler.java:48)
	at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:99)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
	at io.netty.channel.CombinedChannelDuplexHandler$DelegatingChannelHandlerContext.fireChannelRead(CombinedChannelDuplexHandler.java:436)
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103)
	at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:251)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
	at org.mockserver.dashboard.DashboardWebSocketHandler.channelRead(DashboardWebSocketHandler.java:141)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
	at org.mockserver.closurecallback.websocketregistry.CallbackWebSocketServerHandler.channelRead(CallbackWebSocketServerHandler.java:55)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
	at io.netty.channel.CombinedChannelDuplexHandler$DelegatingChannelHandlerContext.fireChannelRead(CombinedChannelDuplexHandler.java:436)
	at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:324)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:296)
	at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:251)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
	at org.mockserver.netty.unification.PortUnificationHandler.switchToHttp(PortUnificationHandler.java:260)
	at org.mockserver.netty.unification.PortUnificationHandler.decode(PortUnificationHandler.java:138)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501)
	at io.netty.handler.codec.ReplayingDecoder.callDecode(ReplayingDecoder.java:366)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at java.lang.Thread.run(Thread.java:748)
dependabot[bot]

comment created time in a day

push event jeremylong/DependencyCheck

Jeremy Long

commit sha 5050aea9d54f161efdf57250bf714c64bac798f6

Add completion for `dependency-check.sh` (#2916) * add completion for dependency-check


push time in a day

PR merged jeremylong/DependencyCheck

Add completion for `dependency-check.sh` cli

Add script for completion for dependency-check.sh so we can more easily select the correct arguments. After installing completion-for-dependency-check.sh (using source completion-for-dependency-check.sh) we can list the arguments using <tab><tab>. The following example lists all of the --disable* arguments:

$ ./dependency-check.sh --disable<tab><tab>
--disableArchive                      --disableCocoapodsAnalyzer            --disableNodeAuditCache               --disablePip
--disableAssembly                     --disableComposer                     --disableNodeJS                       --disablePipfile
--disableAutoconf                     --disableGolangDep                    --disableNugetconf                    --disablePyDist
--disableBundleAudit                  --disableGolangMod                    --disableNuspec                       --disablePyPkg
--disableCentral                      --disableJar                          --disableOpenSSL                      --disableRetireJS
--disableCentralCache                 --disableMixAudit                     --disableOssIndex                     --disableRubygems
--disableCmake                        --disableNodeAudit                    --disableOssIndexCache                --disableSwiftPackageManagerAnalyzer

Consider adding source <path>/completion-for-dependency-check.sh to your .bashrc if you use ODC a lot.

+141 -0

0 comment

2 changed files

jeremylong

pr closed time in a day

issue closed jeremylong/DependencyCheck

Dependency check fails with error message "Archive file was not found"

I recently integrated the plugin into the Gradle build. The dependency check is run as one of the steps in our CI build pipeline.

Reporting Bugs/Errors

Intermittently, I am encountering the following issue:

[11:48:42][Gradle failure report] Caused by: org.gradle.api.GradleException: One or more exceptions occurred during analysis
[11:48:42][Gradle failure report] 	at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.analyze(AbstractAnalyze.groovy:111)
[11:48:42][Gradle failure report] 	at org.gradle.internal.reflect.JavaMethod.invoke(JavaMethod.java:73)
[11:48:42][Gradle failure report] 	at org.gradle.api.internal.project.taskfactory.StandardTaskAction.doExecute(StandardTaskAction.java:46)
[11:48:42][Gradle failure report] 	at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:39)
[11:48:42][Gradle failure report] 	at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:26)
[11:48:42][Gradle failure report] 	at org.gradle.api.internal.AbstractTask$TaskActionWrapper.execute(AbstractTask.java:788)
[11:48:42][Gradle failure report] 	at org.gradle.api.internal.AbstractTask$TaskActionWrapper.execute(AbstractTask.java:755)
[11:48:42][Gradle failure report] 	at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter$1.run(ExecuteActionsTaskExecuter.java:124)
[11:48:42][Gradle failure report] 	at org.gradle.internal.progress.DefaultBuildOperationExecutor$RunnableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:336)
[11:48:42][Gradle failure report] 	at org.gradle.internal.progress.DefaultBuildOperationExecutor$RunnableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:328)
[11:48:42][Gradle failure report] 	at org.gradle.internal.progress.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:199)
[11:48:42][Gradle failure report] 	at org.gradle.internal.progress.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:110)
[11:48:42][Gradle failure report] 	at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeAction(ExecuteActionsTaskExecuter.java:113)
[11:48:42][Gradle failure report] 	at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeActions(ExecuteActionsTaskExecuter.java:95)
[11:48:42][Gradle failure report] 	... 32 more
[11:48:42][Gradle failure report] Caused by: org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during dependency-check analysis
[11:48:42][Gradle failure report] 	Archive file was not found.
[11:48:42][Gradle failure report] 	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:693)
[11:48:42][Gradle failure report] 	at org.owasp.dependencycheck.Engine$analyzeDependencies$1.call(Unknown Source)
[11:48:42][Gradle failure report] 	at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.analyze(AbstractAnalyze.groovy:78)
[11:48:42][Gradle failure report] 	... 45 more

Could you please give me a hint on what the underlying issue might be? I saw that there also was an issue with the connection to the database earlier. Could this potentially be an issue with concurrency?

Caused by: org.owasp.dependencycheck.exception.ExceptionCollection: Unable to continue dependency-check analysis.
Unable to connect to the database

closed time in 2 days

bmuschko

issue commentjeremylong/DependencyCheck

org.h2.jdbc.JdbcSQLNonTransientException: The database is write protected

No - I have no idea why you are getting the error as I don't know what your code is doing. Consider comparing your code to things like the dependency-check scan agent or the maven plugin.

jpstotz

comment created time in 2 days

issue closedjeremylong/DependencyCheck

Invalid Maven Identifiers in Reports

Reporting Bugs/Errors

The XML report contains an identifiers node. For Maven dependencies, a Maven identifier is generated. In some cases, the identifier generated violates the Maven specification.

Example

The following dependency will create an invalid Maven identifier in the resulting XML report.

<dependency>
    <groupId>org.fusesource.jansi</groupId>
    <artifactId>jansi-linux64</artifactId>
    <version>1.7</version>
</dependency>

This dependency will create the following Maven identifiers:

<identifier type="maven" confidence="HIGH">
    <name>org.fusesource.jansi:jansi-${platform}:1.7</name>
</identifier>
<identifier type="maven" confidence="HIGHEST">
    <name>org.fusesource.jansi:jansi-linux64:1.7</name>
</identifier>

The first identifier (confidence HIGH) contains characters not allowed in Maven groupId or artifactId fields. As of Maven 2 (possibly earlier), the groupId and artifactId must match the following regex:

[A-Za-z0-9_\\-.]+

Source: https://github.com/apache/maven/blob/master/maven-model-builder/src/main/java/org/apache/maven/model/validation/DefaultModelValidator.java#L76

POM To Reproduce: pom.xml.zip

closed time in 2 days

stevespringett
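An added example (not dependency-check's own code) that applies the DefaultModelValidator regex quoted in the issue to the two identifier nodes shown above, rejects the one with the unresolved ${platform} placeholder, and ranks the survivors by confidence. The XML fragment is the one from the issue; the confidence ranking and the version check are my own assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Maven's DefaultModelValidator ID pattern as the issue quotes it. The page shows the
# Java string literal "[A-Za-z0-9_\\-.]+"; the regex it denotes is [A-Za-z0-9_\-.]+.
MAVEN_ID_RE = re.compile(r"^[A-Za-z0-9_\-.]+$")
# An unresolved Maven property reference such as ${platform} inside an artifactId.
PROPERTY_RE = re.compile(r"\$\{[^}]*\}")
# Ranking for the confidence attribute (assumed order of dependency-check's four levels).
CONFIDENCE_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "HIGHEST": 3}

# The two identifier nodes from the issue; they are wrapped in a root element below so
# ElementTree can parse the fragment.
SAMPLE_IDENTIFIERS = """
<identifier type="maven" confidence="HIGH">
    <name>org.fusesource.jansi:jansi-${platform}:1.7</name>
</identifier>
<identifier type="maven" confidence="HIGHEST">
    <name>org.fusesource.jansi:jansi-linux64:1.7</name>
</identifier>
"""


def validate_maven_identifier(name):
    """Return a list of problems for a 'groupId:artifactId:version' string; empty means valid."""
    parts = name.split(":")
    if len(parts) != 3:
        return [f"expected groupId:artifactId:version, got {len(parts)} part(s): {name!r}"]
    problems = []
    for label, value in zip(("groupId", "artifactId"), parts[:2]):
        if PROPERTY_RE.search(value):
            problems.append(f"{label} contains unresolved property placeholder: {value}")
        elif not MAVEN_ID_RE.match(value):
            problems.append(f"{label} violates Maven ID regex: {value}")
    # The issue only states the regex for groupId/artifactId; for the version this example
    # just rejects empty values and placeholders (my own choice, not Maven's full rule).
    version = parts[2]
    if not version or PROPERTY_RE.search(version):
        problems.append(f"version is empty or unresolved: {version!r}")
    return problems


def select_valid_identifiers(fragment):
    """Split <identifier type="maven"> nodes into (valid, rejected).

    valid holds (name, confidence) tuples sorted highest confidence first; rejected holds
    (name, problems) tuples so a report consumer can log why an identifier was dropped.
    """
    root = ET.fromstring("<identifiers>" + fragment + "</identifiers>")
    valid, rejected = [], []
    for node in root.iter("identifier"):
        if node.get("type") != "maven":
            continue
        name_el = node.find("name")
        name = (name_el.text or "").strip() if name_el is not None else ""
        confidence = node.get("confidence", "LOW").upper()
        problems = validate_maven_identifier(name)
        if problems:
            rejected.append((name, problems))
        else:
            valid.append((name, confidence))
    valid.sort(key=lambda item: CONFIDENCE_ORDER.get(item[1], -1), reverse=True)
    return valid, rejected


if __name__ == "__main__":
    ok, bad = select_valid_identifiers(SAMPLE_IDENTIFIERS)
    for name, confidence in ok:
        print(f"valid   [{confidence}] {name}")
    for name, problems in bad:
        print(f"invalid {name}: {'; '.join(problems)}")
```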

push eventjeremylong/DependencyCheck

Jeremy Long

commit sha ddfcf1a5f49153d2bbe65c3bba7f052736ca4c8f

updated per #1393

view details

push time in 2 days

issue closedjeremylong/DependencyCheck

Expected positive CVE id CVE-2017-8046

Hi,

A positive identification of CVE-2017-8046 is expected from dependency:

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-data-rest</artifactId>
  <version>1.5.2.RELEASE</version>
</dependency>

Note that the CVE is reported with a fixed version of spring-boot-starter-data-rest:

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-data-rest</artifactId>
  <version>2.0.0.RELEASE</version>
</dependency>

closed time in 2 days

mjeanroy

issue commentjeremylong/DependencyCheck

Expected positive CVE id CVE-2017-8046

issue has been resolved.

mjeanroy

comment created time in 2 days

issue closedjeremylong/DependencyCheck

Detecting vulnerable Spring Data Rest dependency - CVE-2017-8046

Hi,

I was interested to know whether Dependency Check would pick up vulnerable libraries like these ones that are already included in the NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-8046

I am surprised though that it has not been flagged as an issue in the report:

data-rest-0.0.1-SNAPSHOT.jar: spring-data-rest-core-2.6.1.RELEASE.jar org.springframework.data:spring-data-rest-core:2.6.1.RELEASE 0
data-rest-0.0.1-SNAPSHOT.jar: spring-data-rest-webmvc-2.6.1.RELEASE.jar org.springframework.data:spring-data-rest-webmvc:2.6.1.RELEASE 0

Is this the expected behaviour? Is my assumption that this is already included in the NVD database incorrect?

Thanks!

closed time in 2 days

pealtrufo

issue commentjeremylong/DependencyCheck

Detecting vulnerable Spring Data Rest dependency - CVE-2017-8046

this is fixed in the latest version.

pealtrufo

comment created time in 2 days

issue closedjeremylong/DependencyCheck

jackson-databind False Negative

False negative on library

<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.9.2</version>
</dependency>

CVE-2018-5968 affects versions 2.8.11 and 2.9.x through 2.9.3

closed time in 2 days

stboissdev

issue commentjeremylong/DependencyCheck

jackson-databind False Negative

This was resolved with 6.x

stboissdev

comment created time in 2 days

issue closedjeremylong/DependencyCheck

NodePackageAnalyzer is confused by package-lock.json

Version: 3.1.1

Line 187: I didn't dig too much, but the issue is here. The tool tries to get a name, but the package-lock.json does not have one.

    try (JsonReader jsonReader = Json.createReader(FileUtils.openInputStream(dependencyFile))) {
        final JsonObject json = jsonReader.readObject();
        final String parentName = json.getString("name");
        final String parentVersion = json.getString("version");
        final String parentPackage = String.format("%s:%s", parentName, parentVersion);
        processDependencies(json, baseDir, dependencyFile, parentPackage, engine);
    } catch (JsonException e) {
        LOGGER.warn("Failed to parse package.json file.", e);
    } catch (IOException e) {
        throw new AnalysisException("Problem occurred while reading dependency file.", e);
    }

Log: https://gist.github.com/migounette/fea9bcb88df8000f01e3bb614df5d4ac

It's a project that uses the maven frontend plugin, npm version 5.x and nodejs 8.9.x.

bash-4.2$ ls -l /var/lib/jenkins/workspace/SEE-OWASP/specs/
total 120
drwxr-xr-x.   2 jenkins jenkins     6 Feb 28 17:54 etc
drwxr-xr-x.   3 jenkins jenkins    36 Feb 28 17:54 node
drwxr-xr-x. 186 jenkins jenkins  8192 Feb 28 17:55 node_modules
-rw-r--r--.   1 jenkins jenkins 53734 Feb 28 17:55 package-lock.json
-rw-r--r--.   1 jenkins jenkins  8298 Feb 28 17:52 pom.xml
-rw-r--r--.   1 jenkins jenkins  1595 Feb 28 17:52 rpm-build.mustache
drwxr-xr-x.   2 jenkins jenkins    25 Feb 28 17:55 target

Java command line executed:

/bin/java -Xdebug -Xrunjdwp:server=y,transport=dt_socket,address=8001,suspend=n -classpath '/home/jenkins/dependency-check/plugins/*:/home/jenkins/dependency-check/repo/commons-cli/commons-cli/1.4/commons-cli-1.4.jar:/home/jenkins/dependency-check/repo/org/owasp/dependency-check-core/3.1.1/dependency-check-core-3.1.1.jar:/home/jenkins/dependency-check/repo/com/vdurmont/semver4j/2.1.0/semver4j-2.1.0.jar:/home/jenkins/dependency-check/repo/joda-time/joda-time/1.6/joda-time-1.6.jar:/home/jenkins/dependency-check/repo/org/apache/commons/commons-compress/1.15/commons-compress-1.15.jar:/home/jenkins/dependency-check/repo/org/objenesis/objenesis/2.6/objenesis-2.6.jar:/home/jenkins/dependency-check/repo/commons-io/commons-io/2.6/commons-io-2.6.jar:/home/jenkins/dependency-check/repo/org/apache/commons/commons-lang3/3.4/commons-lang3-3.4.jar:/home/jenkins/dependency-check/repo/org/apache/lucene/lucene-core/5.5.5/lucene-core-5.5.5.jar:/home/jenkins/dependency-check/repo/org/apache/lucene/lucene-analyzers-common/5.5.5/lucene-analyzers-common-5.5.5.jar:/home/jenkins/dependency-check/repo/org/apache/lucene/lucene-queryparser/5.5.5/lucene-queryparser-5.5.5.jar:/home/jenkins/dependency-check/repo/org/apache/lucene/lucene-queries/5.5.5/lucene-queries-5.5.5.jar:/home/jenkins/dependency-check/repo/org/apache/lucene/lucene-sandbox/5.5.5/lucene-sandbox-5.5.5.jar:/home/jenkins/dependency-check/repo/org/apache/velocity/velocity/1.7/velocity-1.7.jar:/home/jenkins/dependency-check/repo/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.jar:/home/jenkins/dependency-check/repo/commons-lang/commons-lang/2.4/commons-lang-2.4.jar:/home/jenkins/dependency-check/repo/com/h2database/h2/1.4.196/h2-1.4.196.jar:/home/jenkins/dependency-check/repo/org/glassfish/javax.json/1.0.4/javax.json-1.0.4.jar:/home/jenkins/dependency-check/repo/org/jsoup/jsoup/1.11.2/jsoup-1.11.2.jar:/home/jenkins/dependency-check/repo/com/sun/mail/mailapi/1.6.0/mailapi-1.6.0.jar:/home/jenkins/dependency-check/repo/com/google/code/gson/gson/2.8.2/gson-2.8.2.jar:/home/jenkins/dependency-check/repo/org/owasp/dependency-check-utils/3.1.1/dependency-check-utils-3.1.1.jar:/home/jenkins/dependency-check/repo/org/slf4j/slf4j-api/1.7.25/slf4j-api-1.7.25.jar:/home/jenkins/dependency-check/repo/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar:/home/jenkins/dependency-check/repo/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar:/home/jenkins/dependency-check/repo/org/apache/ant/ant/1.9.9/ant-1.9.9.jar:/home/jenkins/dependency-check/repo/org/owasp/dependency-check-cli/3.1.1/dependency-check-cli-3.1.1.jar' -Dapp.name=dependency-check -Dapp.pid=16718 -Dapp.repo=/home/jenkins/dependency-check/repo -Dapp.home=/home/jenkins/dependency-check -Dbasedir=/home/jenkins/dependency-check org.owasp.dependencycheck.App --project SEE-OWASP --scan /var/lib/jenkins/workspace/SEE-OWASP --out /var/lib/jenkins/workspace/SEE-OWASP --format HTML --noupdate --data /home/jenkins/nvdUpdates --disableCentral --proxyserver myweb-proxy-replaced.com --proxyport 8080

closed time in 2 days

migounette
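For the package-lock.json case in the issue above, an added example (not dependency-check's code) of reading a lockfileVersion 1 lock file that lacks the top-level name and version the quoted analyzer code calls json.getString on: it derives a fallback project label, flattens the nested dependency tree so each entry records which package vendored it, and can skip dev dependencies. The sample lock file is constructed; the Jenkins workspace path is the one from the issue.

```python
import json
import os
from pathlib import Path

# Constructed sample in the lockfileVersion 1 layout that npm 5.x writes. It deliberately
# has no top-level "name" or "version", which is the case reported in the issue.
SAMPLE_LOCK = """{
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
    "lodash": {
      "version": "4.17.4",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz"
    },
    "mocha": {
      "version": "4.0.1",
      "dev": true,
      "requires": { "debug": "3.1.0" },
      "dependencies": {
        "debug": { "version": "3.1.0", "dev": true }
      }
    }
  }
}"""


def parent_package(lock, lock_path):
    """Build the 'name:version' label for the project itself.

    Falls back to the directory holding the lock file when "name" is absent and to
    "unknown" when "version" is absent, instead of failing the way json.getString does.
    """
    name = lock.get("name") or Path(os.path.abspath(lock_path)).parent.name or "unknown"
    version = lock.get("version") or "unknown"
    return f"{name}:{version}"


def collect_dependencies(lock, parent, skip_dev=False):
    """Flatten the nested lockfileVersion 1 "dependencies" tree.

    Returns (name, version, parent_label, is_dev) tuples. Nested entries are attributed
    to the package that vendors them, which tells a report reader where a flagged
    version actually came from.
    """
    found = []

    def walk(node, parent_label):
        for dep_name, dep in node.get("dependencies", {}).items():
            is_dev = bool(dep.get("dev", False))
            if skip_dev and is_dev:
                continue  # the dev package's own nested tree is skipped with it
            version = dep.get("version", "unknown")
            found.append((dep_name, version, parent_label, is_dev))
            walk(dep, f"{dep_name}:{version}")

    walk(lock, parent)
    return found


def analyze_lock_text(text, lock_path="package-lock.json", skip_dev=False):
    """Parse lock file text and return (parent_label, dependency_list)."""
    try:
        lock = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"Failed to parse {lock_path}: {exc}") from exc
    if lock.get("lockfileVersion", 1) != 1:
        raise ValueError(f"{lock_path}: only lockfileVersion 1 is handled by this example")
    parent = parent_package(lock, lock_path)
    return parent, collect_dependencies(lock, parent, skip_dev=skip_dev)


if __name__ == "__main__":
    label, deps = analyze_lock_text(
        SAMPLE_LOCK, "/var/lib/jenkins/workspace/SEE-OWASP/specs/package-lock.json"
    )
    print("project:", label)
    for dep_name, version, parent_label, is_dev in deps:
        print(f"  {dep_name}:{version}  (from {parent_label}{', dev' if is_dev else ''})")
```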

issue commentjeremylong/DependencyCheck

NodePackageAnalyzer is confused by package-lock.json

I believe this was resolved.

migounette

comment created time in 2 days

issue commentjeremylong/DependencyCheck

Dependency check fails with error message "Archive file was not found"

Circling back to really old issues - a lot of changes have been made since this was reported. Is this still an issue?

bmuschko

comment created time in 2 days

issue closedjeremylong/DependencyCheck

Possible DriverLoader.load(className, pathToDriver) issue

According to the javadoc:

@param pathToDriver the path to the JAR file containing the driver; note, this can be a semi-colon separated list of paths

However, in the code pathToDriver is being split using File.pathSeparator, which I think is wrong and could cause really weird errors (URLClassLoader is including any file from the root path):

final String[] paths = pathToDriver.split(File.pathSeparator);

closed time in 2 days

anderruiz

issue commentjeremylong/DependencyCheck

Possible DriverLoader.load(className, pathToDriver) issue

Going back to review this, I don't think this is an issue: while ODC does split the provided paths, it converts each part into a URI and re-combines them:

https://github.com/jeremylong/DependencyCheck/blob/78cca2d0a5fcc57f0fe6d8efabcbca35b85577c5/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java#L134

anderruiz

comment created time in 2 days

issue closedjeremylong/DependencyCheck

.NET False Negative

Please see the google group for the details on the false negative.

closed time in 2 days

jeremylong

issue commentjeremylong/DependencyCheck

.NET False Negative

OSS Index does flag the issue.

jeremylong

comment created time in 2 days

issue closedjeremylong/DependencyCheck

Android Analysis Failure

From the google group an analysis failure was identified with a reproducible test case:

export ANDROID_HOME=$HOME/android-sdk  # Adjust path if needed. On Windows, use “set” instead of “export”.
# if you don't have Android SDK, you can download it from https://developer.android.com/studio/index.html#command-tools (on any platform) or via the following command (on Linux and MacOS)
(mkdir $ANDROID_HOME && cd $ANDROID_HOME && wget "https://dl.google.com/android/repository/sdk-tools-$(uname  | tr '[:upper:]' '[:lower:]')-3859397.zip" -O sdk.zip && unzip sdk.zip && rm sdk.zip)
# Now, accept all licenses unless you have done so
$ANDROID_HOME/tools/bin/sdkmanager --licenses

git clone https://github.com/v6ak/dependency-check-gradle-android-crash-sample
cd dependency-check-gradle-android-crash-sample
# The build.gradle has disabled autoupdate, but in clean environment, you have to enable it.
# You can use gradle 4.1 instead of gradlew.
./gradlew --stacktrace --info dependencyCheckAnalyze

closed time in 2 days

jeremylong

issue closedjeremylong/DependencyCheck

A required class was missing while executing org.owasp:dependency-check-maven:1.4.5:check: org/joda/time/ReadableInstant

Using dependency-check-maven:1.4.5, when I launch mvn dependency-check:check I get an exception: A required class was missing while executing org.owasp:dependency-check-maven:1.4.5:check: org/joda/time/ReadableInstant

Reporting Bugs/Errors

https://gist.github.com/asicfr/6384a069ab589294a349403cc27e9db7

Thx

closed time in 2 days

asicfr

issue closedjeremylong/DependencyCheck

Error in reading/parsing stream from golang projects

Describe the bug

The Dependency checker tool is throwing the errors below during the analysis of a golang project. These are the last lines:

[INFO] Starting analyzing the json dependency report at : <path>/dependency-check-report.json
[ERROR] Error reading stream
[ERROR] Error reading stream
[ERROR] Error parsing stream

Version of dependency-check used 6.0.2

Log file

In the dependency checker html file, we see the analysis exceptions below. Apart from the ERROR stated above, there are no further errors seen in the dependency checker execution log.

Error - 1 : Error reading stream
exception: org.owasp.dependencycheck.analyzer.exception.AnalysisException: Error reading stream
    org.owasp.dependencycheck.data.golang.GoModJsonParser.process(GoModJsonParser.java:85)
    org.owasp.dependencycheck.analyzer.GolangModAnalyzer.analyzeDependency(GolangModAnalyzer.java:310)
    org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    java.util.concurrent.FutureTask.run(FutureTask.java:266)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    java.lang.Thread.run(Thread.java:748)
Cannot auto-detect encoding, not enough chars
cause: javax.json.JsonException: Cannot auto-detect encoding, not enough chars
    org.glassfish.json.UnicodeDetectingInputStream.detectEncoding(UnicodeDetectingInputStream.java:130)
    org.glassfish.json.UnicodeDetectingInputStream.<init>(UnicodeDetectingInputStream.java:75)
    org.glassfish.json.JsonParserImpl.<init>(JsonParserImpl.java:95)
    org.glassfish.json.JsonReaderImpl.<init>(JsonReaderImpl.java:73)
    org.glassfish.json.JsonProviderImpl.createReader(JsonProviderImpl.java:136)
    javax.json.Json.createReader(Json.java:225)
    org.owasp.dependencycheck.data.golang.GoModJsonParser.process(GoModJsonParser.java:71)
    org.owasp.dependencycheck.analyzer.GolangModAnalyzer.analyzeDependency(GolangModAnalyzer.java:310)
    org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    java.util.concurrent.FutureTask.run(FutureTask.java:266)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    java.lang.Thread.run(Thread.java:748)

Error - 2 : Error reading stream
exception: org.owasp.dependencycheck.analyzer.exception.AnalysisException: Error reading stream
    org.owasp.dependencycheck.data.golang.GoModJsonParser.process(GoModJsonParser.java:85)
    org.owasp.dependencycheck.analyzer.GolangModAnalyzer.analyzeDependency(GolangModAnalyzer.java:310)
    org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    java.util.concurrent.FutureTask.run(FutureTask.java:266)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    java.lang.Thread.run(Thread.java:748)
Cannot auto-detect encoding, not enough chars
cause: javax.json.JsonException: Cannot auto-detect encoding, not enough chars
    org.glassfish.json.UnicodeDetectingInputStream.detectEncoding(UnicodeDetectingInputStream.java:130)
    org.glassfish.json.UnicodeDetectingInputStream.<init>(UnicodeDetectingInputStream.java:75)
    org.glassfish.json.JsonParserImpl.<init>(JsonParserImpl.java:95)
    org.glassfish.json.JsonReaderImpl.<init>(JsonReaderImpl.java:73)
    org.glassfish.json.JsonProviderImpl.createReader(JsonProviderImpl.java:136)
    javax.json.Json.createReader(Json.java:225)
    org.owasp.dependencycheck.data.golang.GoModJsonParser.process(GoModJsonParser.java:71)
    org.owasp.dependencycheck.analyzer.GolangModAnalyzer.analyzeDependency(GolangModAnalyzer.java:310)
    org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    java.util.concurrent.FutureTask.run(FutureTask.java:266)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    java.lang.Thread.run(Thread.java:748)

Error - 3 : Error parsing stream
exception: org.owasp.dependencycheck.analyzer.exception.AnalysisException: Error parsing stream
    org.owasp.dependencycheck.data.golang.GoModJsonParser.process(GoModJsonParser.java:83)
    org.owasp.dependencycheck.analyzer.GolangModAnalyzer.analyzeDependency(GolangModAnalyzer.java:310)
    org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    java.util.concurrent.FutureTask.run(FutureTask.java:266)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    java.lang.Thread.run(Thread.java:748)
Invalid token=COMMA at (line no=1058, column no=4, offset=35261). Expected tokens are: [STRING]
cause: javax.json.stream.JsonParsingException: Invalid token=COMMA at (line no=1058, column no=4, offset=35261). Expected tokens are: [STRING]
    org.glassfish.json.JsonParserImpl.parsingException(JsonParserImpl.java:450)
    org.glassfish.json.JsonParserImpl.access$1100(JsonParserImpl.java:79)
    org.glassfish.json.JsonParserImpl$ObjectContext.getNextEvent(JsonParserImpl.java:511)
    org.glassfish.json.JsonParserImpl.next(JsonParserImpl.java:376)
    org.glassfish.json.JsonParserImpl.getObject(JsonParserImpl.java:335)
    org.glassfish.json.JsonParserImpl.getValue(JsonParserImpl.java:182)
    org.glassfish.json.JsonParserImpl.getArray(JsonParserImpl.java:328)
    org.glassfish.json.JsonParserImpl.getArray(JsonParserImpl.java:164)
    org.glassfish.json.JsonReaderImpl.readArray(JsonReaderImpl.java:129)
    org.owasp.dependencycheck.data.golang.GoModJsonParser.process(GoModJsonParser.java:72)
    org.owasp.dependencycheck.analyzer.GolangModAnalyzer.analyzeDependency(GolangModAnalyzer.java:310)
    org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    java.util.concurrent.FutureTask.run(FutureTask.java:266)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    java.lang.Thread.run(Thread.java:748)

Expected behavior

Report should be clean without any analysis errors.

closed time in 2 days

Anshu2405

issue commentjeremylong/DependencyCheck

Error in reading/parsing stream from golang projects

So the warnings line was enough to resolve the issue.

Anshu2405

comment created time in 2 days

issue closedjeremylong/DependencyCheck

Dependency check report not being published

I have a Jenkins pipeline script that successfully generates the reports from dependency check; however, the dependencyCheckPublisher step doesn't seem to do anything and I don't see the published report in the Jenkins UI. Any ideas why this may be, as I don't see any errors in the output? Script:

node('nvd-analysis') {
    try {
        stage('Clone Repo')
        deleteDir()
        checkout(GET_CODE)

        stage('Copy Archived NVD')
        copyArtifacts fingerprintArtifacts: true, projectName: 'Dependency-Check-NVD-Update', selector: lastSuccessful()

        stage('Analyse')
        container('gradle') {
            sh 'cd src && gradle dependencyCheckAnalyze'
        }

        stage('Publish Analysis')
        dependencyCheckPublisher()
        currentBuild.result = 'SUCCESS'

    } catch (e) {
        sh('echo CAUGHT EXCEPTION')
        currentBuild.result = 'FAILURE'
        throw e
    } finally {
        sh('echo PROCESSING FINALLY')
        notifyBuild(currentBuild)
        archiveArtifacts 'src/build/reports/*'
    }
}

As I said, this successfully produces all the reports, but the publisher doesn't seem to do anything and no errors are reported. Here is the output:

> BUILD SUCCESSFUL in 2m 18s
> 1 actionable task: 1 executed
> [Pipeline] }
> [Pipeline] // container
> [Pipeline] stage (Publish Analysis)
> Using the ‘stage’ step without a block argument is deprecated
> Entering stage Publish Analysis
> Proceeding
> [Pipeline] dependencyCheckPublisher
> [DependencyCheck] Collecting Dependency-Check artifact
> [Pipeline] sh
> + echo PROCESSING FINALLY
> PROCESSING FINALLY
> [Pipeline] echo
> SUCCESS to SUCCESS
> [Pipeline] echo
> Notification not necessary
> [Pipeline] archiveArtifacts
> Archiving artifacts
> [Pipeline] }
> [Pipeline] // node
> [Pipeline] }
> [Pipeline] // podTemplate
> [Pipeline] End of Pipeline
> Finished: SUCCESS

closed time in 2 days

jroberts07

issue closedjeremylong/DependencyCheck

False positive on library affinity-3.1.1.jar - reported as cpe:/a:thread_project:thread:3.1.1

False positive on library affinity-3.1.1.jar - reported as cpe:/a:thread_project:thread:3.1.1

<dependency>
   <groupId>net.openhft</groupId>
   <artifactId>affinity</artifactId>
   <version>3.1.1</version>
</dependency>

I'm wondering how ODC comes up with this CPE, as I don't find any evidence for vendor "thread_project" or product "thread" in the evidence list (except for the fact that "thread" is part of some product evidence, like the description "Java Thread Affinity library" in the pom). I'd appreciate any insight into this to better understand how ODC works.

Thanks a lot!

closed time in 2 days

dldnhf

push eventjeremylong/DependencyCheck

Jeremy Long

commit sha 9d105e8995a4d9eaac3b437b888bc670aa764f10

fp per #1718

view details

push time in 2 days

push eventjeremylong/DependencyCheck

Jeremy Long

commit sha 49e276eb737eb80b313cb45fb8612c45863ca351

Update cli/src/main/resources/completion-for-dependency-check.sh

view details

push time in 2 days

Pull request review commentjeremylong/DependencyCheck

Add completion for `dependency-check.sh`

+#/usr/bin/env bash++pattern="^.*completion-for-dependency-check.sh$";+if [[ "$0" =~ $pattern ]]; then +    echo+    echo "To use completion for dependency-check you must run:"+    echo+    echo "         source completion-for-dependency-check.sh"+    echo+    exit+fi++_odc_completions()+{+    # Pointer to current completion word.+    local options="+            --advancedHelp+            --artifactoryApiToken+            --artifactoryBearerToken+            --artifactoryParallelAnalysis+            --artifactoryUseProxy+            --artifactoryUsername+            --bundleAudit+            --bundleAuditWorkingDirectory+        -c --connectiontimeout+            --connectionString+            --cveUrlBase+            --cveUrlModified+            --cveValidForHours+        -d --data+            --dbDriverName+            --dbDriverPath+            --dbPassword+            --dbUser+            --disableArchive+            --disableAssembly+            --disableAutoconf+            --disableBundleAudit+            --disableCentral+            --disableCentralCache+            --disableCmake+            --disableCocoapodsAnalyzer+            --disableComposer +            --disableGolangDep+            --disableGolangMod+            --disableJar+            --disableMixAudit+            --disableNodeAudit+            --disableNodeAuditCache+            --disableNodeJS+            --disableNugetconf+            --disableNuspec+            --disableOpenSSL+            --disableOssIndex+            --disableOssIndexCache+            --disablePip+            --disablePipfile+            --disablePyDist+            --disablePyPkg+            --disableRetireJS+            --disableRubygems+            --disableSwiftPackageManagerAnalyzer+            --dotnet+            --enableArtifactory+            --enableExperimental+            --enableNexus+            --enableRetired+            --exclude <pattern> +        -f --format <format> +            --failOnCVSS <score>+     
       --go+        -h --help +            --hints+            --junitFailOnCVSS <score> +        -l --log+        -n --noupdate                 +            --nexus <url>        +            --nexusPass <password>   +            --nexusUser <username>+            --nexusUsesProxy+            --nodeAuditSkipDevDependencies  +            --nonProxyHosts <list>    +        -o --out+            --ossIndexPassword <password>   +            --ossIndexUsername <username> +        -P --propertyfile+            --prettyPrint+            --project <name> +            --proxypass <pass>+            --proxyport <port>+            --proxyserver <server>+            --proxyuser <user> +            --purge+            --retirejsFilter <pattern>+            --retirejsFilterNonVulnerable+            --retireJsForceUpdate+            --retireJsUrl <url>+        -s --scan+            --suppression+            --symLink <depth>+            --updateonly+        -v --version+            --zipExtensions <extensions>      +    "+++    # Array variable storing the possible completions.+    COMPREPLY=()+    local cur=${COMP_WORDS[COMP_CWORD]}+    local prev="${COMP_WORDS[COMP_CWORD-1]}"+++    case "${prev}" in+        -s|--scan|-o|--out|-d|--data|--bundleAudit|--bundleAuditWorkingDirectory|--dbDriverPath|--dotnet|--go|-P|--propertyfile|--suppression|--hint|-l|--log)+            COMPREPLY=( $(compgen -f -o default -- ${cur}) )+            return 0+            ;;+        --artifactoryParallelAnalysis|--artifactoryUseProxy|--nexusUsesProxy)+            COMPREPLY=( $(compgen -W "true false" -- ${cur}) )+            return 0+            ;;+        -f|--format)+            COMPREPLY=( $(compgen -W "HTML XML CSV JSON JUNIT ALL" ${cur}) )+            return 0+            ;;+    esac+    if [[ "$cur" == -* ]] ; then+        # COMPREPLY=( $(compgen -W "$options" -- "$cur") )
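Review bot: The shebang on the first line is missing the `!`; `#/usr/bin/env bash` is only a comment, so the line should read `#!/usr/bin/env bash` (the `$0 =~ $pattern` guard that tells users to source the file still works either way). In the `-f|--format)` case, `compgen -W "HTML XML CSV JSON JUNIT ALL" ${cur}` lacks the `--` that every other case passes before `${cur}`, so a current word that happens to start with a dash would be parsed as a compgen option instead of the filter; it should be `compgen -W "HTML XML CSV JSON JUNIT ALL" -- ${cur}`. The file-completion case also lists `--hint`, while the options block and the CLI define `--hints`, so completing a path after `--hints` falls through to the generic handling; align the two spellings.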
jeremylong

comment created time in 2 days

PullRequestReviewEvent

issue closedjeremylong/DependencyCheck

org.h2.jdbc.JdbcSQLNonTransientException: The database is write protected

Describe the bug

When the update is triggered for an unknown reason h2 claims that the database is read-only and throws the exception: org.h2.jdbc.JdbcSQLNonTransientException: The database is write protected (the message text was originally in German, I translated it back to English). The full stack traces are included below.

As I don't configure the database location the db is created automatically at the default location (within the directory where the JAR file is located within the .m2 repository in the user home directory if I am not wrong?)

I use the following code to set-up the DependencyCheck engine:

		Settings settings = new Settings();
		settings.setBoolean(Settings.KEYS.ANALYZER_OSSINDEX_ENABLED, false);
		settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
		settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, false);
		settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, false);
		settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
		settings.setBoolean(Settings.KEYS.ANALYZER_ARTIFACTORY_ENABLED, false);
		settings.setBoolean(Settings.KEYS.ANALYZER_NUGETCONF_ENABLED, false);
		settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, false);
		settings.setBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, false);
		settings.setBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED, false);
		settings.setBoolean(Settings.KEYS.ANALYZER_FILE_NAME_ENABLED, false);
		settings.setInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, 24); 
		Engine engine = new Engine(settings);

Version of dependency-check used

The problem occurs using version 6.0.2 of the dependency-check-core from Maven central (used in a Java Maven project).

Log file

org.owasp.dependencycheck.Engine - org.owasp.dependencycheck.data.nvdcve.DatabaseException: Unable to retrieve id for new vulnerability for 'CVE-2005-1513'
org.owasp.dependencycheck.data.update.exception.UpdateException: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Unable to retrieve id for new vulnerability for 'CVE-2005-1513'
	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:156)
	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:113)
	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:40)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Unable to retrieve id for new vulnerability for 'CVE-2005-1513'
	at org.owasp.dependencycheck.data.nvdcve.CveDB.updateOrInsertVulnerability(CveDB.java:1005)
	at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability(CveDB.java:834)
	at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.parse(NvdCveParser.java:101)
	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.importJSON(ProcessTask.java:139)
	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:152)
	... 6 common frames omitted
Caused by: org.h2.jdbc.JdbcSQLNonTransientException: The database is write protected
The database is read only; SQL statement:
DELETE FROM reference WHERE cveid = ? [90097-199]
	at org.h2.message.DbException.getJdbcSQLException(DbException.java:502)
	at org.h2.message.DbException.getJdbcSQLException(DbException.java:427)
	at org.h2.message.DbException.get(DbException.java:205)
	at org.h2.message.DbException.get(DbException.java:181)
	at org.h2.message.DbException.get(DbException.java:170)
	at org.h2.engine.Database.checkWritingAllowed(Database.java:2194)
	at org.h2.table.Table.checkWritingAllowed(Table.java:1223)
	at org.h2.engine.User.hasRight(User.java:114)
	at org.h2.engine.User.checkRight(User.java:100)
	at org.h2.command.dml.Delete.update(Delete.java:76)
	at org.h2.command.CommandContainer.update(CommandContainer.java:133)
	at org.h2.command.Command.executeUpdate(Command.java:267)
	at org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:200)
	at org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:154)
	at org.owasp.dependencycheck.data.nvdcve.H2Functions.updateVulnerability(H2Functions.java:208)
	at jdk.internal.reflect.GeneratedMethodAccessor125.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.h2.engine.FunctionAlias$JavaMethod.getValue(FunctionAlias.java:460)
	at org.h2.expression.function.JavaFunction.getValue(JavaFunction.java:40)
	at org.h2.command.dml.Call.query(Call.java:64)
	at org.h2.command.CommandContainer.query(CommandContainer.java:145)
	at org.h2.command.Command.executeQuery(Command.java:202)
	at org.h2.jdbc.JdbcPreparedStatement.executeQuery(JdbcPreparedStatement.java:115)
	at org.owasp.dependencycheck.data.nvdcve.CveDB.updateOrInsertVulnerability(CveDB.java:1000)
	... 10 common frames omitted


To Reproduce

Unknown, I just use DependencyChecker. When the time based update occurs the exception is thrown.

Additional context
OS: Windows 10 64bit
Java: OpenJDK 11.0.8.10
DependencyChecker is used within a Maven project.

closed time in 2 days

jpstotz

issue closed jeremylong/DependencyCheck

maven plugin is crashing because of missing node files but they do not exist

Describe the bug

the build is crashing because of a missing package.lock or npm-shrinkwrap.lock file even when there is no package.json in the current project (maybe in a 3rd party dependency). DC is run on the parent and it has

                        <retireJsAnalyzerEnabled>false</retireJsAnalyzerEnabled>

so retirejs should not even run.

If the file is missing and it cannot continue, we need to know at least the artifact which is causing this.

Version of dependency-check used

The problem occurs using version 5.3.X of the maven plugin

Log file

build	08-Jul-2020 14:37:37	[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.2:aggregate (default-cli) on project project-parent: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis:
build	08-Jul-2020 14:37:37	[ERROR] 	Missing package.lock or npm-shrinkwrap.lock file: Unable to scan a node project without a package-lock.json or npm-shrinkwrap.json.
build	08-Jul-2020 14:37:37	[ERROR] -> [Help 1]
build	08-Jul-2020 14:37:37	org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.owasp:dependency-check-maven:5.3.2:aggregate (default-cli) on project project-parent: One or more exceptions occurred during dependency-check analysis
build	08-Jul-2020 14:37:37	    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
build	08-Jul-2020 14:37:37	    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
build	08-Jul-2020 14:37:37	    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
build	08-Jul-2020 14:37:37	    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
build	08-Jul-2020 14:37:37	    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
build	08-Jul-2020 14:37:37	    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
build	08-Jul-2020 14:37:37	    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
build	08-Jul-2020 14:37:37	    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
build	08-Jul-2020 14:37:37	    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
build	08-Jul-2020 14:37:37	    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
build	08-Jul-2020 14:37:37	    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
build	08-Jul-2020 14:37:37	    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
build	08-Jul-2020 14:37:37	    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
build	08-Jul-2020 14:37:37	    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
build	08-Jul-2020 14:37:37	    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
build	08-Jul-2020 14:37:37	    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
build	08-Jul-2020 14:37:37	    at java.lang.reflect.Method.invoke (Method.java:498)
build	08-Jul-2020 14:37:37	    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
build	08-Jul-2020 14:37:37	    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
build	08-Jul-2020 14:37:37	    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
build	08-Jul-2020 14:37:37	    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
build	08-Jul-2020 14:37:37	Caused by: org.apache.maven.plugin.MojoExecutionException: One or more exceptions occurred during dependency-check analysis
build	08-Jul-2020 14:37:37	    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1589)
build	08-Jul-2020 14:37:37	    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:848)
build	08-Jul-2020 14:37:37	    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
build	08-Jul-2020 14:37:37	    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
build	08-Jul-2020 14:37:37	    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
build	08-Jul-2020 14:37:37	    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
build	08-Jul-2020 14:37:37	    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
build	08-Jul-2020 14:37:37	    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
build	08-Jul-2020 14:37:37	    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
build	08-Jul-2020 14:37:37	    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
build	08-Jul-2020 14:37:37	    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
build	08-Jul-2020 14:37:37	    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
build	08-Jul-2020 14:37:37	    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
build	08-Jul-2020 14:37:37	    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
build	08-Jul-2020 14:37:37	    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
build	08-Jul-2020 14:37:37	    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
build	08-Jul-2020 14:37:37	    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
build	08-Jul-2020 14:37:37	    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
build	08-Jul-2020 14:37:37	    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
build	08-Jul-2020 14:37:37	    at java.lang.reflect.Method.invoke (Method.java:498)
build	08-Jul-2020 14:37:37	    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
build	08-Jul-2020 14:37:37	    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
build	08-Jul-2020 14:37:37	    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
build	08-Jul-2020 14:37:37	    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
build	08-Jul-2020 14:37:37	Caused by: org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during analysis:
build	08-Jul-2020 14:37:37		Missing package.lock or npm-shrinkwrap.lock file: Unable to scan a node project without a package-lock.json or npm-shrinkwrap.json.
build	08-Jul-2020 14:37:37	    at org.owasp.dependencycheck.Engine.analyzeDependencies (Engine.java:719)
build	08-Jul-2020 14:37:37	    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1557)
build	08-Jul-2020 14:37:37	    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:848)
build	08-Jul-2020 14:37:37	    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
build	08-Jul-2020 14:37:37	    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
build	08-Jul-2020 14:37:37	    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
build	08-Jul-2020 14:37:37	    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
build	08-Jul-2020 14:37:37	    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
build	08-Jul-2020 14:37:37	    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
build	08-Jul-2020 14:37:37	    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
build	08-Jul-2020 14:37:37	    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
build	08-Jul-2020 14:37:37	    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
build	08-Jul-2020 14:37:37	    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
build	08-Jul-2020 14:37:37	    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
build	08-Jul-2020 14:37:37	    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
build	08-Jul-2020 14:37:37	    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
build	08-Jul-2020 14:37:37	    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
build	08-Jul-2020 14:37:37	    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
build	08-Jul-2020 14:37:37	    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
build	08-Jul-2020 14:37:37	    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
build	08-Jul-2020 14:37:37	    at java.lang.reflect.Method.invoke (Method.java:498)
build	08-Jul-2020 14:37:37	    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
build	08-Jul-2020 14:37:37	    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
build	08-Jul-2020 14:37:37	    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
build	08-Jul-2020 14:37:37	    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
build	08-Jul-2020 14:37:37	[ERROR] 
build	08-Jul-2020 14:37:37	[ERROR] Re-run Maven using the -X switch to enable full debug logging.
build	08-Jul-2020 14:37:37	[ERROR] 
build	08-Jul-2020 14:37:37	[ERROR] For more information about the errors and possible solutions, please read the following articles:
build	08-Jul-2020 14:37:37	[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

To Reproduce Steps to reproduce the behavior:

execute this on parent:

mvn dependency-check:check -Ddependency-check.skip=false -DfailBuildOnCVSS=7  -pl !example.project-parent:project-parent

Expected behavior A clear and concise description of what you expected to happen.

Additional context Add any other context about the problem here.

closed time in 2 days

fabianfrz

issue closed jeremylong/DependencyCheck

Dependency Check Execution stuck

[screenshot WX20200426-215245 not included in the text]

When I execute dependency check, I always get stuck in the picture

closed time in 2 days

bloodzer0

issue closed jeremylong/DependencyCheck

About the odc.mc.db's size in different system

Why does the size of odc.mc.db differ so much between Mac OS and CentOS? On CentOS it is about 180MB. On Mac OS it is about 430MB. What makes the difference?

closed time in 2 days

wjcIvan

push event jeremylong/DependencyCheck

Jeremy Long

commit sha 1ab430904d49c277876a01a6cadb83bb501efc1d

updated per suggestion in #2614

push time in 3 days

issue closed jeremylong/DependencyCheck

Reporting False Positive Finding

False positive on library org.springframework.batch:spring-batch-core:3.0.10.RELEASE and org.springframework.batch:spring-batch-infrastructure:3.0.10.RELEASE - reported as

  • cpe:/a:pivotal_software:spring_framework:3.0.10
  • cpe:/a:pivotal_software:spring_batch:3.0.10
  • cpe:/a:pivotal:spring_framework:3.0.10
<dependency>
   <groupId>org.springframework.batch</groupId>
   <artifactId>spring-batch-core</artifactId>
   <version>3.0.10.RELEASE</version>
</dependency>
<dependency>
   <groupId>org.springframework.batch</groupId>
   <artifactId>spring-batch-infrastructure</artifactId>
   <version>3.0.10.RELEASE</version>
</dependency>

CVEs:

  • CVE-2016-9878
  • CVE-2018-1270
  • CVE-2018-1271
  • CVE-2018-1272

closed time in 3 days

mbayrak78

push event jeremylong/DependencyCheck

Jeremy Long

commit sha 545538e110fb810a9c9eb4d7621467d89f62cb97

fp per #1721

Jeremy Long

commit sha f83966e795b3a81c3cafabd047892c897ecb74c9

pull

push time in 3 days

issue comment jeremylong/DependencyCheck

Bad error reporting

The InitializationException("Unexpected Exception") is then wrapped into the ExceptionCollection. The reason for the exception collection is that there may be multiple exceptions that occur - some fatal and some not that should be reported back. It's unfortunate that gradle limits the depth of the printed stack trace.

Vampire

comment created time in 3 days

issue closed jeremylong/DependencyCheck

NPE in Engine.

Describe the bug We run a ton of jenkins jobs in a dockered environment and part of the job is running dependency check ant.

We occasionally get NPEs as follows (although most of the time it works fine).

/scratch/gbuacme/workspace/jenkins/workspace/Acme_Continuous/projects/devtasks/build.xml:398: java.lang.NullPointerException

[2019-09-24T10:43:44.244Z] at org.owasp.dependencycheck.Engine.writeReports(Engine.java:1247)
[2019-09-24T10:43:44.244Z] at org.owasp.dependencycheck.Engine.writeReports(Engine.java:1201)
[2019-09-24T10:43:44.244Z] at org.owasp.dependencycheck.taskdefs.Check.execute(Check.java:1543)
[2019-09-24T10:43:44.244Z] at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
[2019-09-24T10:43:44.244Z] at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
[2019-09-24T10:43:44.244Z] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[2019-09-24T10:43:44.244Z] at java.lang.reflect.Method.invoke(Method.java:498)
[2019-09-24T10:43:44.244Z] at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
[2019-09-24T10:43:44.244Z] at org.apache.tools.ant.Task.perform(Task.java:348)
[2019-09-24T10:43:44.244Z] at org.apache.tools.ant.Target.execute(Target.java:435)
[2019-09-24T10:43:44.244Z] at org.apache.tools.ant.Target.performTasks(Target.java:456)
[2019-09-24T10:43:44.244Z] at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1393)
[2019-09-24T10:43:44.244Z] at org.apache.tools.ant.Project.executeTarget(Project.java:1364)
[2019-09-24T10:43:44.244Z] at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
[2019-09-24T10:43:44.244Z] at org.apache.tools.ant.Project.executeTargets(Project.java:1248)
[2019-09-24T10:43:44.244Z] at org.apache.tools.ant.Main.runBuild(Main.java:851)
[2019-09-24T10:43:44.244Z] at org.apache.tools.ant.Main.startAnt(Main.java:235)
[2019-09-24T10:43:44.244Z] at org.apache.tools.ant.launch.Launcher.run(Launcher.java:280)
[2019-09-24T10:43:44.244Z] at org.apache.tools.ant.launch.Launcher.main(Launcher.java:109)

Version of dependency-check used 5.2.1

Log file I'll try to find the appropriate ones

To Reproduce

Expected behavior

Additional context

closed time in 3 days

mebigfatguy

push event jeremylong/DependencyCheck

Hans Aikema

commit sha ffe393872bd59fa0526817ff705bdbb1dc728ff5

Don't continue processing when there was a fatal exception in analysis (#2917)

push time in 3 days

PR merged jeremylong/DependencyCheck

Don't continue processing when there was a fatal exception in analysis ant

Fixes Issue #2212

Description of Change

Handle fatal analysis errors in Ant Check task similar to the other modules: skip the remaining processing steps. This avoids the NPE when writeReports wants to enumerate the database properties that is caused by the already closed (and nullified) database.

Seemed the safest approach to fix the NPE of #2212, but the discrepancy between the error message for update-errors and the actual behaviour of DependencyCheck remains.

Have test cases been added to cover the new functionality?

no

+10 -10

0 comment

1 changed file

aikebah

pr closed time in 3 days

push event jeremylong/DependencyCheck

Hans Aikema

commit sha b1f842b76f860f19de66ca451ddd5e47fb3b0bf5

Suppress FP of #1749 (#2919)

push time in 3 days

PR merged jeremylong/DependencyCheck

Suppress FP of #1749 core

Fixes Issue #1749

Description of Change

Suppress the false-positive by suppressing the incorrectly matched CPE

Have test cases been added to cover the new functionality?

no

+8 -0

0 comment

1 changed file

aikebah

pr closed time in 3 days

push event jeremylong/DependencyCheck

Hans Aikema

commit sha 3606d0d8fe1625fefb0da473f21c6e6610bfd5a4

Suppress FP of #2435 (#2918)

push time in 3 days

PR merged jeremylong/DependencyCheck

Suppress FP of #2435 core

Fixes Issue #2435

Description of Change

Add a suppression of the entirely unrelated cpe:a/delegate:delegate, which is a C-language application (Gateway/proxy)

Have test cases been added to cover the new functionality?

no

+2 -0

0 comment

1 changed file

aikebah

pr closed time in 3 days

issue closed jeremylong/DependencyCheck

False positive for io.dropwizard.logback:logback-throttling-appender:1.1.0

Describe the bug Seems to be a false positive reported for

io.dropwizard.logback:logback-throttling-appender:1.1.0
logback-throttling-appender-1.1.0.jar (pkg:maven/io.dropwizard.logback/logback-throttling-appender@1.1.0, cpe:2.3:a:logback:logback:1.1.0:*:*:*:*:*:*:*) : CVE-2017-5929

https://nvd.nist.gov/vuln/detail/CVE-2017-5929

My guess is the string logback:logback is matching and the version is less than the CVE.

Version of dependency-check used 5.3.0

Log file

> Task :dependencyCheckAggregate
Verifying dependencies for project foobar
Checking for updates and analyzing dependencies for vulnerabilities
----------------------------------------------------
.NET Assembly Analyzer could not be initialized and at least one 'exe' or 'dll' was scanned. The 'dotnet' executable could not be found on the path; either disable the Assembly Analyzer or configure the path dotnet core.
----------------------------------------------------
Generating report for project foobar
Found 1 vulnerabilities in project foobar

One or more dependencies were identified with known vulnerabilities in foobar:

logback-throttling-appender-1.1.0.jar (pkg:maven/io.dropwizard.logback/logback-throttling-appender@1.1.0, cpe:2.3:a:logback:logback:1.1.0:*:*:*:*:*:*:*) : CVE-2017-5929

See the dependency-check report for more details.

> Task :dependencyCheckAggregate FAILED

To Reproduce Steps to reproduce the behavior:

  1. Add Dropwizard 2 Logging as a dependency, io.dropwizard:dropwizard-logging:2.0.1
  2. Run check

Expected behavior Does not warn.

Additional context

closed time in 3 days

mtraynham
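A local suppression for the false positive reported in the issue above, as an added example that is neither from the issue nor the project's own fix; the packageUrl regex and the notes text are this example's assumptions. The file is passed to dependency-check via the --suppression option, and it suppresses only the mismatched logback:logback CPE for this artifact rather than the CVE itself, so a genuine logback finding on another artifact would still be reported:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        file name: logback-throttling-appender-1.1.0.jar
        The io.dropwizard.logback throttling appender is not the logback:logback
        product; the CPE match on the "logback" token is a false positive.
        Suppress the CPE for this package URL only (any version).
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/io\.dropwizard\.logback/logback\-throttling\-appender@.*$</packageUrl>
        <cpe>cpe:/a:logback:logback</cpe>
    </suppress>
</suppressions>
```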

push event jeremylong/DependencyCheck

Jeremy Long

commit sha 60e74e852a7b94b7eee507f9fec5c4634f9648c4

fix #2915

push time in 3 days

issue closed jeremylong/DependencyCheck

junitFailOnCVSS Using CVSS v2 when Evaluating

Describe the bug When specifying the following parameters, the Junit report says the score is below 7 (however, the CVSS v3 score is 7.5, the CVSS v2 score is 5). When the Junit report includes the failed dependency the report uses the CVSS v3 score.

--junitFailOnCVSS 7

<testcase classname="CVE-2017-11770" name="pkg:nuget/Microsoft.FeatureManagement.AspNetCore@2.0.0"><skipped message="score below 7.0"/>

--junitFailOnCVSS 5

<testcase classname="CVE-2017-11770" name="pkg:nuget/Microsoft.FeatureManagement.AspNetCore@2.0.0"><failure message="cvssV3: HIGH, score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)"/>

https://nvd.nist.gov/vuln/detail/CVE-2017-11770

Version of dependency-check used command line 6.0.2

Expected behavior junitFailOnCVSS to evaluate the same score to as the report data.

closed time in 3 days

AndrewJWaite

push event jeremylong/DependencyCheck

Jeremy Long

commit sha a6ad3fa5dc0f11dfaff7a52f18ed2ff8122dd7ef

add logging #2695

push time in 3 days

push event jeremylong/DependencyCheck

Jeremy Long

commit sha 4cf2f1fc609ef40150b3fc3733c995f07caf94ce

minor update

push time in 3 days

issue comment jeremylong/DependencyCheck

--exclude option is ignored for CLI run

Sorry about the delayed response - the excludes uses Ant syntax. My guess is that you need to update to use: --exclude '**/tests/**/*'.

KOVALKO2

comment created time in 3 days

issue comment jeremylong/DependencyCheck

npm modules that contain the name of a CPE are falsely identified in v6.0.0

At the moment - I highly recommend just disabling the Node JS Analyzer (--disableNodeJS). There are plans to revamp this analyzer and combine some of the logic in the node audit analyzer. The primary use for the Node JS analyzer will be for the vendor modules.

aarongoldenthal

comment created time in 4 days

issue comment jeremylong/DependencyCheck

junitFailOnCVSS Using CVSS v2 when Evaluating

Looks like a bug in the JUNIT report... Thanks for reporting this.

AndrewJWaite

comment created time in 4 days

PR opened jeremylong/DependencyCheck

Add completion for `dependency-check.sh`

Add script for completion for dependency-check.sh so we can more easily select the correct arguments. After installing completion-for-dependency-check.sh (using source completion-for-dependency-check.sh) we can list the arguments using <tab><tab>. The following example lists all of the --disable* arguments:

$ ./dependency-check.sh --disable<tab><tab>
--disableArchive                      --disableCocoapodsAnalyzer            --disableNodeAuditCache               --disablePip
--disableAssembly                     --disableComposer                     --disableNodeJS                       --disablePipfile
--disableAutoconf                     --disableGolangDep                    --disableNugetconf                    --disablePyDist
--disableBundleAudit                  --disableGolangMod                    --disableNuspec                       --disablePyPkg
--disableCentral                      --disableJar                          --disableOpenSSL                      --disableRetireJS
--disableCentralCache                 --disableMixAudit                     --disableOssIndex                     --disableRubygems
--disableCmake                        --disableNodeAudit                    --disableOssIndexCache                --disableSwiftPackageManagerAnalyzer

Consider adding source <path>/completion-for-dependency-check.sh to your .bashrc if you use ODC a lot.

+142 -0

0 comment

2 changed files

pr created time in 4 days

push event jeremylong/DependencyCheck

Jeremy Long

commit sha 771c7c0cfc3646ec2282c88017f44a1f038447aa

minor cleanup

push time in 4 days

create branch jeremylong/DependencyCheck

branch : add-completion

created branch time in 4 days

issue closed jeremylong/DependencyCheck

Scan JS npm - NodeAuditAnalyzer failed

Version - 5.3.2

When I try to scan JS dependencies I've got these errors and warnings:

[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)

[WARN] Analyzing C:\xxxxxxx\package-lock.json - however, the node_modules directory does not exist. Please run npm install prior to running dependency-check
[WARN] Analyzing C:\xxxxxxx\npm-shrinkwrap.json - however, the node_modules directory does not exist. Please run npm install prior to running dependency-check

[INFO] Finished Node.js Package Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)

[ERROR] NodeAuditAnalyzer failed on C:\xxxxxxxx\package-lock.json
[WARN] An error occurred while analyzing 'C:\xxxxxxxx\package-lock.json' (Node Audit Analyzer).

[INFO] Finished Node Audit Analyzer (2 seconds)
[INFO] Finished RetireJS Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (4 seconds)

[ERROR] Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.

Anyway, despite those errors the scan finishes and I get my report, but I'm afraid the report is not complete because of those errors and maybe I missed some vulnerabilities.

Any ideas?

Thank you!

closed time in 5 days

ErezDasa

issue closed jeremylong/DependencyCheck

[CLI] proxy fails due to basic authentication

Describe the bug When using a proxy server in the CLI tool, the proxy returns "HTTP/1.1 407 authenticationrequired". This is due to the deactivated basic authentication scheme in Java and can be fixed by starting the JVM inside dependency-check.bat with the following parameter: -Djdk.http.auth.tunneling.disabledSchemes="" . Eventually, one could implement this parameter as an optional feature that can be activated through a CLI option.

Version of dependency-check used dependency-check-5.3.2-release (CLI)

Log file

[INFO] Checking for updates
[ERROR] Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta
org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta
	at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile(NvdCveUpdater.java:347)
	at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:385)
	at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:122)
	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:936)
	at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:737)
	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:667)
	at org.owasp.dependencycheck.App.runScan(App.java:254)
	at org.owasp.dependencycheck.App.run(App.java:186)
	at org.owasp.dependencycheck.App.main(App.java:81)
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Download failed, unable to retrieve 'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta'
	at org.owasp.dependencycheck.utils.Downloader.fetchContent(Downloader.java:131)
	at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile(NvdCveUpdater.java:340)
	... 8 common frames omitted
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error downloading file https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta; unable to connect.
	at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:238)
	at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch(HttpResourceConnection.java:138)
	at org.owasp.dependencycheck.utils.Downloader.fetchContent(Downloader.java:126)
	... 9 common frames omitted
Caused by: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 authenticationrequired"
	at sun.net.www.protocol.http.HttpURLConnection.doTunneling(Unknown Source)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
	at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:178)
	... 11 common frames omitted
[ERROR] Failed to initialize the RetireJS repo
org.owasp.dependencycheck.data.update.exception.UpdateException: Failed to initialize the RetireJS repo
	at org.owasp.dependencycheck.data.update.RetireJSDataSource.initializeRetireJsRepo(RetireJSDataSource.java:139)
	at org.owasp.dependencycheck.data.update.RetireJSDataSource.update(RetireJSDataSource.java:88)
	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:936)
	at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:737)
	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:667)
	at org.owasp.dependencycheck.App.runScan(App.java:254)
	at org.owasp.dependencycheck.App.run(App.java:186)
	at org.owasp.dependencycheck.App.main(App.java:81)
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Download failed, unable to copy 'https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json' to 'C:\Users\U740412\dependency-check\data\jsrepository.json'
	at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:98)
	at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:74)
	at org.owasp.dependencycheck.data.update.RetireJSDataSource.initializeRetireJsRepo(RetireJSDataSource.java:137)
	... 7 common frames omitted
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error downloading file https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json; unable to connect.
	at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:238)
	at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch(HttpResourceConnection.java:138)
	at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:94)
	... 9 common frames omitted
Caused by: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 authenticationrequired"
	at sun.net.www.protocol.http.HttpURLConnection.doTunneling(Unknown Source)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
	at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:178)
	... 11 common frames omitted
[WARN] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[ERROR] Unable to continue dependency-check analysis.
[ERROR] One or more fatal errors occurred
[ERROR] Failed to initialize the RetireJS repo
[ERROR] No documents exist

To Reproduce

See description.

Expected behavior

Use proxy options and establish a connection to the update server.

closed time in 5 days

maximili0n

issue closed jeremylong/DependencyCheck

Error generating the report for dependency-check scan:

I am using this Dependency checker .sh file:

docker run --rm \
  -e user=$USER \
  -u $(id -u ${USER}):$(id -g ${USER}) \
  --volume $(pwd):/src \
  --volume "$DATA_DIRECTORY":/usr/share/dependency-check/data \
  --volume $(pwd)/odc-reports:/report \
  owasp/dependency-check:$DC_VERSION \
  --scan /src \
  --log /report/dc.log --format "ALL" \
  --project "$DC_PROJECT" \
  --out /report
# Use suppression like this: (where /src == $pwd)
# --suppression "/src/security/dependency-check-suppression.xml"

Output error is (also I don't find the log file in any path). Please suggest asap. Thanks.

$ bash OWASP-dependency-check.sh

latest: Pulling from owasp/dependency-check
Digest: sha256:ca73b12ee7ed5db24e007229ed8d9fd145f236b686612aa260b873487ba9c375
Status: Image is up to date for owasp/dependency-check:latest
docker.io/owasp/dependency-check:latest
[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 4 hours.
[INFO] Skipping RetireJS update since last update was within 24 hours.
[INFO] Check for updates complete (174 ms)
[INFO]

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user's risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (2 seconds)
[INFO] Finished CPE Analyzer (2 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (3 seconds)
[ERROR] Error generating the report for dependency-check scan: /var/lib/jenkins/workspace/Webapptj-CICD-Pipeline
script returned exit code 244

closed time in 5 days

GetsecuR

issue closedjeremylong/DependencyCheck

Dependency-check failing for aggregate project due to in-reactor war-dependency with a vulnerable library in a previous snapshot hosted in the repository

Describe the bug Looks like https://github.com/jeremylong/DependencyCheck/issues/1600 has resurfaced. Will look into it further myself and propose a patch if needed

Version of dependency-check used The problem occurs using version 5.3.2 of the maven plugin

Log file Proprietary project, so cannot share the log. Will look into getting a minimal project to sample it and then attach logs.

To Reproduce Steps to reproduce the behavior:

  1. Create a SNAPSHOT multi-module project with a war-file containing a vulnerable library
  2. Build and deploy that SNAPSHOT version
  3. Update the war submodule to depend on the non-vulnerable version of the library
  4. Perform an aggregate dependency-check on the project and observe Dependency-Check complain about the vulnerable library in the PREVIOUS version of the war as retrieved from the artifact repository

Expected behavior Dependency-check only depending on the reactor-internal virtual dependencies (as this is an aggregate scan for a SNAPSHOT project) and ignoring the (still vulnerable) war-file currently stored in the artifact repository for the same snapshot-version.

Additional context Add any other context about the problem here.

closed time in 5 days

aikebah

issue commentjeremylong/DependencyCheck

Updating from 5.3.2 to 6.0.1 in angular project

Until I get time to clean up the Node Analyzer - I would highly recommend just turning it off <nodeAnalyzerEnabled>false</nodeAnalyzerEnabled>. I have plans to enhance the node analysis - but it won't make it into the next release.

NorthernKgalagadi

comment created time in 5 days

issue closedjeremylong/DependencyCheck

dependency-check.sh fails to run in git for windows environment

Describe the bug

When installing git for windows it includes a cygwin like environment named "Git Bash". Attempting to run dependency-check.sh in this environment fails.

Version of dependency-check used The problem occurs using version 6.0.2 of the cli.

Log file

$ bash -xv ./dependency-check/bin/dependency-check.sh 2>&1 | tail
  -classpath "$CLASSPATH" \
  -Dapp.name="dependency-check" \
  -Dapp.pid="$$" \
  -Dapp.repo="$REPO" \
  -Dapp.home="$BASEDIR" \
  -Dbasedir="$BASEDIR" \
  org.owasp.dependencycheck.App \
  "$@"
+ exec '/c/Program Files (x86)/Common Files/Oracle/Java/javapath/java' -classpath '/c/git/.../dependency-check/plugins/*:/c/git/.../dependency-check/lib/*' -Dapp.name=dependency-check -Dapp.pid=2922 -Dapp.repo=/c/git/.../dependency-check/lib -Dapp.home=/c/git/.../dependency-check -Dbasedir=/c/git/.../dependency-check org.owasp.dependencycheck.App
Error: Could not find or load main class org.owasp.dependencycheck.App

To Reproduce Steps to reproduce the behavior:

  1. curl -Lo dependency-check-6.0.2-release.zip https://github.com/jeremylong/DependencyCheck/releases/download/v6.0.2/dependency-check-6.0.2-release.zip
  2. unzip dependency-check-6.0.2-release.zip
  3. bash -xv ./dependency-check/bin/dependency-check.sh 2>&1 | tail

Expected behavior

Doing the same in a cygwin window works fine:

$ bash -xv ./dependency-check/bin/dependency-check.sh 2>&1 | tail
    --project <name>            The name of the project being scanned.
 -s,--scan <path>               The path to scan - this option can be
                                specified multiple times. Ant style paths
                                are supported (e.g. 'path/**/*.jar'); if
                                using Ant style paths it is highly
                                recommended to quote the argument value.
    --suppression <file>        The file path to the suppression XML file.
                                This can be specified more then once to
                                utilize multiple suppression files
 -v,--version                   Print the version information.

Additional context

Maybe related to issue #2282?

closed time in 5 days

hlovdal

push eventjeremylong/DependencyCheck

Hans Aikema

commit sha 2d4282f1e944114599c0481c111c83fcf518d871

Add support for running on Windows in git bash environment (which is based on mingw) (#2913)

push time in 5 days

PR merged jeremylong/DependencyCheck

Add support for running on Windows in git bash environment cli

Fixes Issue #2903

Description of Change

Add MINGW as a flavor for 'linux shell on windows' to support running the CLI in a git bash session on Windows

Have test cases been added to cover the new functionality?

no, manually tested on Windows in a git-bash session.

+6 -4

0 comment

1 changed file

aikebah

pr closed time in 5 days

issue closedjeremylong/DependencyCheck

Leftover dcXXX directories in temporary directory

Describe the bug Running the goal update-only leaves dcXXX directories in the temporary directory on Windows systems.

Version of dependency-check used The problem occurs using version 5.3.2 of the maven plugin.

Log file https://gist.github.com/jansohn/4fd2d2621b9ca1bdb052835ba9b09051

To Reproduce Steps to reproduce the behavior:

  1. Run mvn org.owasp:dependency-check-maven:5.3.2:update-only -DcveUrlBase=https://nvd-mirror.internal.com/NistDataMirror/nvdcve-1.0-%d.json.gz -DcveUrlModified=https://nvd-mirror.internal.com/NistDataMirror/nvdcve-1.0-modified.json.gz

Expected behavior No left-over temporary directories or files.

Additional context Other version / platform information:

  • Apache Maven 3.5.0 (ff8f5e7444045639af65f6095c62210b5713f426; 2017-04-03T21:39:06+02:00)
  • Java version: 1.8.0_241, vendor: Oracle Corporation
  • OS name: "windows 10", version: "10.0", arch: "amd64", family: "windows"

closed time in 5 days

jansohn

pull request commentjeremylong/DependencyCheck

Add missing cleanup to UpdateMojo

Thanks for identifying this. In some ways I almost want to move the cleanup into engine.close()...

aikebah

comment created time in 5 days

push eventjeremylong/DependencyCheck

Hans Aikema

commit sha 3c050be82d36316a54d536d7aa428576a764369b

Add missing cleanup to UpdateMojo (#2914)

push time in 5 days

PR merged jeremylong/DependencyCheck

Add missing cleanup to UpdateMojo maven

Fixes Issue #2749

Description of Change

Add the missing cleanup routine to the UpdateMojo to remove the temporary folder at the end of an update-only run

Have test cases been added to cover the new functionality?

no, ran update-only goal locally and verified that now the dctemp folder in the temp directory is removed

+2 -0

0 comment

1 changed file

aikebah

pr closed time in 5 days

issue closedjeremylong/DependencyCheck

False Positive on cdi-api

False positive on library cdi-api.jar - reported as cpe:2.3:a:redhat:jboss_weld:2.0:*:*:*:*:*:*:*

<dependency>
   <groupId>javax.enterprise</groupId>
   <artifactId>cdi-api</artifactId>
   <version>2.0</version>
</dependency>

closed time in 5 days

tobiasstadler

push eventjeremylong/DependencyCheck

Jeremy Long

commit sha 3707cdccb14429303c2a9f2b768f5097a7f0eed3

fp per #2907

push time in 5 days

issue closedjeremylong/DependencyCheck

"from" attribute in CVE not taken into account

Describe the bug When looking for CVEs belonging to a specific CPE, dependency check seems to ignore the "from" attribute in CVE-data.

Version of dependency-check used The problem occurs using version 6.0.2 of the maven plugin.

Log file Most interesting line of the log files:

struts-core-1.3.10.jar (pkg:maven/org.apache.struts/struts-core@1.3.10, cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*) : CVE-2011-5057, CVE-2012-0391, CVE-2012-0392, CVE-2012-0393, CVE-2012-0394, CVE-2012-0838, CVE-2012-1007, CVE-2013-1965, CVE-2013-1966, CVE-2013-2115, CVE-2013-2134, CVE-2013-2135, CVE-2014-0094, CVE-2014-0113, CVE-2014-0114, CVE-2015-0899, CVE-2015-2992, CVE-2016-0785, CVE-2016-1181, CVE-2016-1182, CVE-2016-4003

To Reproduce Steps to reproduce the behavior:

  1. create an empty maven project
  2. add this pom.xml:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>DependencyCheckTest</artifactId>
    <version>1.0-SNAPSHOT</version>

    <dependencies>
        <dependency>
            <groupId>org.apache.struts</groupId>
            <artifactId>struts-core</artifactId>
            <version>1.3.10</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>6.0.2</version>
                <configuration>
                    <format>ALL</format>
                    <skipProvidedScope>true</skipProvidedScope>
                    <skipTestScope>true</skipTestScope>
                    <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
                    <failOnError>false</failOnError>
                </configuration>

                <executions>
                    <execution>
                        <goals>
                            <goal>aggregate</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>
  3. build the maven project:
mvn install
  4. look at the report /target/dependency-check-report.csv, it contains 21 CVE for struts-core-1.3.10.jar (CPE = cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*), e.g.:

All three example CVEs are listed at NVD under "Known Affected Software Configurations" with

cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*, From (including) 2.0.0, Up to (excluding) 2...

Expected behavior This example uses struts-1.3.10, which is not in the range "from 2.0.0 up to 2....". So I would expect dependency check to evaluate the CVE's "from" property and therefore to not list those three example CVEs in the list of detected vulnerabilities.

Additional context Same behaviour with dependency-check version 5.2.4.

This is kind of a "false positive", but I think, the "ignore 'from' attribute" is a general problem, so I picked the label "bug".

closed time in 6 days

palbr

issue commentjeremylong/DependencyCheck

"from" attribute in CVE not taken into account

This is not a bug - but rather expected behavior. ODC core does take into account the version ranges within the NVD. If you take a look at the CVEs you are saying are FP - in the report they are clearly marked as being from the OSS Index. The OSS Index has vulnerabilities not in the NVD and they may have done additional research on the version ranges. If you feel these CVEs are false positives please contact the OSS Index.

palbr

comment created time in 6 days
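To make the range logic in the issue and the reply above concrete, here is an added Python example (not dependency-check's own code) that evaluates NVD JSON-feed cpe_match nodes, with their versionStartIncluding/versionEndExcluding bounds, against a dependency's CPE, and shows why struts 1.3.10 falls outside a "from 2.0.0" range. The node data is constructed, and the upper bound 2.3.1 is a placeholder because the page truncates it.

```python
import re

# Constructed sample nodes in the shape of the NVD JSON 1.0 feed's "cpe_match"
# entries (cpe23Uri, vulnerable, versionStart*/versionEnd*). The upper bound
# 2.3.1 is a placeholder; the page only shows "Up to (excluding) 2...".
RANGE_MATCH = {
    "vulnerable": True,
    "cpe23Uri": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*",
    "versionStartIncluding": "2.0.0",
    "versionEndExcluding": "2.3.1",
}
EXACT_MATCH = {
    "vulnerable": True,
    "cpe23Uri": "cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*",
}
STRUTS_1_3_10 = "cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*"


def _version_key(version):
    """Sortable key: numeric components compare as ints, other text as strings."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version)]


def matches(dep_cpe, cpe_match):
    """True if dep_cpe is inside the node: same part/vendor/product and either
    the node's exact version or its versionStart*/versionEnd* range."""
    if not cpe_match.get("vulnerable", True):
        return False
    dep, pat = dep_cpe.split(":"), cpe_match["cpe23Uri"].split(":")
    # fields 2..4 are part, vendor, product; '*' in the pattern matches anything
    if any(pat[i] not in ("*", dep[i]) for i in (2, 3, 4)):
        return False
    if pat[5] != "*":  # explicit version in the pattern: exact match only
        return pat[5] == dep[5]
    v = _version_key(dep[5])
    bounds = {
        "versionStartIncluding": lambda lo: v >= _version_key(lo),
        "versionStartExcluding": lambda lo: v > _version_key(lo),
        "versionEndIncluding": lambda hi: v <= _version_key(hi),
        "versionEndExcluding": lambda hi: v < _version_key(hi),
    }
    return all(check(cpe_match[k]) for k, check in bounds.items() if k in cpe_match)


def applicable(dep_cpe, cpe_matches):
    """cpe23Uri of every node that makes dep_cpe vulnerable."""
    return [m["cpe23Uri"] for m in cpe_matches if matches(dep_cpe, m)]


if __name__ == "__main__":
    print(applicable(STRUTS_1_3_10, [RANGE_MATCH, EXACT_MATCH]))
```

Only the exact-version node fires for 1.3.10; a finding that is not explained by any NVD node in this way is the kind the reply attributes to the OSS Index rather than to the NVD range data.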

issue commentjeremylong/DependencyCheck

Any thoughts to updating the Maven dependencies?

We don't use these dependencies. These are test dependencies used to test the functionality of ODC (unit/integration). If you look at all of these in the POM you will notice they are all marked as scope: test and optional: true:

https://github.com/jeremylong/DependencyCheck/blob/f9b4f4136ec4c4e4d1d944faa64a3c8880794616/core/pom.xml#L354-L360

You can probably build using -Dmaven.test.skip.

FRB-JIM

comment created time in 6 days

push eventjeremylong/DependencyCheck

Jeremy Long

commit sha df063965af5f9be226ee52e60763521e9adc7b52

fp per #2912

Jeremy Long

commit sha f9b4f4136ec4c4e4d1d944faa64a3c8880794616

Merge branch 'main' of github.com:jeremylong/DependencyCheck into main

push time in 6 days

issue commentjeremylong/DependencyCheck

False positive on azure-identity 1.1.3

Sorry - not enough coffee yet. I thought I had already taken care of keypass...

RobertButtigieg

comment created time in 6 days