albuch / sbt-dependency-check

SBT Plugin for OWASP DependencyCheck. Monitor your dependencies and report if there are any publicly known vulnerabilities (e.g. CVEs). :rainbow:
Apache License 2.0

Issue #282 upstream OWASP DependencyCheck bugfix #283

Closed davidcheney-livongo closed 1 year ago

davidcheney-livongo commented 1 year ago

A bug in OWASP DependencyCheck <7.4.4 causes exceptions when loading certain poorly formed CVE definitions.

see: https://github.com/jeremylong/DependencyCheck/issues/5220

Fixes Issue #282

Description of Change

Update the DependencyCheck version to 7.4.4 which fixes the upstream issue.

Have test cases been added to cover the new functionality?

no (no new functionality)

kevin-lee commented 1 year ago

I hope a new version of sbt-dependency-check with this fix is released soon.

cchantep commented 1 year ago

Such an update raises an error:

[error] java.lang.IllegalArgumentException: resource data/dbEcosystemCacheUpdates.sql not found.
[error]     at com.google.common.base.Preconditions.checkArgument(Preconditions.java:220)
[error]     at com.google.common.io.Resources.getResource(Resources.java:194)
[error]     at org.owasp.dependencycheck.data.nvdcve.CveDB.updateEcosystemCache(CveDB.java:142)
[error]     at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:144)
[error]     at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:900)
[error]     at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:872)
[error]     at net.vonbuchholtz.sbt.dependencycheck.DependencyCheckUpdateTask$.update(DependencyCheckUpdateTask.scala:9
[error]     at net.vonbuchholtz.sbt.dependencycheck.DependencyCheckPlugin$.$anonfun$updateTask$3(DependencyCheckPlugin.scala:512)
[error]     at net.vonbuchholtz.sbt.dependencycheck.DependencyCheckPlugin$.$anonfun$updateTask$3$adapted(DependencyCheckPlugin.scala:511)
[error]     at net.vonbuchholtz.sbt.dependencycheck.DependencyCheckPlugin$.withEngine(DependencyCheckPlugin.scala:625)
[error]     at net.vonbuchholtz.sbt.dependencycheck.DependencyCheckPlugin$.$anonfun$updateTask$1(DependencyCheckPlugin.scala:511)
[error]     at net.vonbuchholtz.sbt.dependencycheck.DependencyCheckPlugin$.$anonfun$updateTask$1$adapted(DependencyCheckPlugin.scala:506)
[error]     at scala.Function1.$anonfun$compose$1(Function1.scala:49)
[error]     at sbt.internal.util.$tilde$greater.$anonfun$$u2219$1(TypeFunctions.scala:62)
[error]     at sbt.std.Transform$$anon$4.work(Transform.scala:68)
[error]     at sbt.Execute.$anonfun$submit$2(Execute.scala:282)
[error]     at sbt.internal.util.ErrorHandling$.wideConvert(ErrorHandling.scala:23)
[error]     at sbt.Execute.work(Execute.scala:291)
[error]     at sbt.Execute.$anonfun$submit$1(Execute.scala:282)
[error]     at sbt.ConcurrentRestrictions$$anon$4.$anonfun$submitValid$1(ConcurrentRestrictions.scala:265)
[error]     at sbt.CompletionService$$anon$2.call(CompletionService.scala:64)
[error]     at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
[error]     at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
[error]     at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
[error]     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
[error]     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
[error]     at java.base/java.lang.Thread.run(Thread.java:829)

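The trace above ends in Guava's `Resources.getResource`, which throws `IllegalArgumentException` when the requested classpath resource (here `data/dbEcosystemCacheUpdates.sql`) is in none of the jars the plugin loads. A quick way to confirm such a mismatch is to scan the jars on the plugin classpath for the resource. The script below is an added diagnostic, not code from this PR, the plugin or DependencyCheck; the two jars it builds are constructed sample data, and `data/placeholder.sql` is a made-up entry name used only for contrast.

```python
"""Report which jars on a classpath actually ship a given resource.

Added diagnostic for 'resource ... not found' errors such as the one in
this thread. A jar is a zip file, so the standard library is enough.
"""
import sys
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List

# Resource path taken from the error message in this thread.
ECOSYSTEM_CACHE_SQL = "data/dbEcosystemCacheUpdates.sql"


def jar_entries(jar_path: Path) -> set:
    """Return the set of entry names inside a jar."""
    with zipfile.ZipFile(jar_path) as zf:
        return set(zf.namelist())


def locate_resources(jars: List[Path], resources: List[str]) -> Dict[str, List[str]]:
    """Map each resource path to the jars (by file name) that contain it.

    An empty list for a resource is exactly the condition under which
    Resources.getResource raises 'resource ... not found'.
    """
    found: Dict[str, List[str]] = {r: [] for r in resources}
    for jar in jars:
        entries = jar_entries(jar)
        for r in resources:
            if r in entries:
                found[r].append(jar.name)
    return found


def missing(found: Dict[str, List[str]]) -> List[str]:
    """Resources that no scanned jar provides."""
    return [r for r, jars in found.items() if not jars]


def build_sample_jar(path: Path, entries: Dict[str, str]) -> Path:
    """Write a minimal jar. Constructed test data, not a real artifact."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return path


def demo() -> Dict[str, List[str]]:
    """Build two constructed jars, one without and one with the resource,
    and locate both resource paths across them."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        old = build_sample_jar(tmp / "old-core-sample.jar",
                               {"data/placeholder.sql": "-- constructed"})
        new = build_sample_jar(tmp / "new-core-sample.jar",
                               {"data/placeholder.sql": "-- constructed",
                                ECOSYSTEM_CACHE_SQL: "-- constructed"})
        return locate_resources([old, new],
                                [ECOSYSTEM_CACHE_SQL, "data/placeholder.sql"])


if __name__ == "__main__":
    # With jar paths on the command line, scan those; otherwise run the demo.
    if len(sys.argv) > 1:
        result = locate_resources([Path(p) for p in sys.argv[1:]],
                                  [ECOSYSTEM_CACHE_SQL])
    else:
        result = demo()
    for resource, jars in result.items():
        print(f"{resource}: {', '.join(jars) if jars else 'NOT FOUND'}")
    if missing(result):
        sys.exit(1)
```

Run it with the jars sbt resolved for the plugin (for example the `dependency-check-core` jar in the Coursier or Ivy cache) as arguments; a non-zero exit means the resource is absent from every jar given, which points at a version or classpath mismatch rather than a corrupt database.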
albuch commented 1 year ago

@davidcheney-livongo thank you for your contribution. Unfortunately only bumping the version is not what it takes. Every change in the upstream project has to be reviewed if additional settings etc. were introduced and added here as well. Closing this PR in favor of a new one that takes care of this.