clj-holmes / clj-watson

clojure deps SCA
Eclipse Public License 2.0

CVE identifiers are missing in 3.0.2 output #22

Closed seancorfield closed 2 years ago

seancorfield commented 2 years ago

Since you released a new version, I just tried to update from 3.0.1-ALPHA to 3.0.2 and all the CVE identifiers disappeared in the output:

SEVERITY: MEDIUM
IDENTIFIERS:  
CVSS: 5.5
PATCHED VERSION: 66.1

This feels like a bug we've talked about on Slack some time back, that I thought had gotten fixed?

Also, a request: to make it easier to diff the output, can you sort by CVE identifier without each artifact so the output order is repeatable? I can create a separate issue for that if you'd like?

mthbernardes commented 2 years ago

I'm investigating why it's not returning the CVEs, and there's also an issue opened already to address the CVE sort.

mthbernardes commented 2 years ago

Could you validate whether this alpha release addresses all the issues you've found?

seancorfield commented 2 years ago

That produces the following error output:

Downloading/Updating database.
Execution error (MVStoreException) at org.h2.mvstore.DataUtils/newMVStoreException (DataUtils.java:1004).
The write format 1 is smaller than the supported format 2 [2.1.210/5]

The full stacktrace is:

{:clojure.main/message
 "Execution error (MVStoreException) at org.h2.mvstore.DataUtils/newMVStoreException (DataUtils.java:1004).\nThe write format 1 is smaller than the supported format 2 [2.1.210/5]\n",
 :clojure.main/triage
 {:clojure.error/class org.h2.mvstore.MVStoreException,
  :clojure.error/line 1004,
  :clojure.error/cause
  "The write format 1 is smaller than the supported format 2 [2.1.210/5]",
  :clojure.error/symbol org.h2.mvstore.DataUtils/newMVStoreException,
  :clojure.error/source "DataUtils.java",
  :clojure.error/phase :execution},
 :clojure.main/trace
 {:via
  [{:type org.owasp.dependencycheck.data.nvdcve.DatabaseException,
    :message "Unable to connect to the database",
    :at
    [org.owasp.dependencycheck.data.nvdcve.DatabaseManager
     initialize
     "DatabaseManager.java"
     200]}
   {:type org.h2.jdbc.JdbcSQLNonTransientException,
    :message
    "General error: \"The write format 1 is smaller than the supported format 2 [2.1.210/5]\" [50000-210]",
    :at
    [org.h2.message.DbException
     getJdbcSQLException
     "DbException.java"
     573]}
   {:type org.h2.mvstore.MVStoreException,
    :message
    "The write format 1 is smaller than the supported format 2 [2.1.210/5]",
    :at
    [org.h2.mvstore.DataUtils
     newMVStoreException
     "DataUtils.java"
     1004]}],
  :trace
  [[org.h2.mvstore.DataUtils newMVStoreException "DataUtils.java" 1004]
   [org.h2.mvstore.MVStore
    getUnsupportedWriteFormatException
    "MVStore.java"
    1059]
   [org.h2.mvstore.MVStore readStoreHeader "MVStore.java" 878]
   [org.h2.mvstore.MVStore <init> "MVStore.java" 455]
   [org.h2.mvstore.MVStore$Builder open "MVStore.java" 4056]
   [org.h2.mvstore.db.Store <init> "Store.java" 129]
   [org.h2.engine.Database <init> "Database.java" 324]
   [org.h2.engine.Engine openSession "Engine.java" 92]
   [org.h2.engine.Engine openSession "Engine.java" 222]
   [org.h2.engine.Engine createSession "Engine.java" 201]
   [org.h2.engine.SessionRemote
    connectEmbeddedOrServer
    "SessionRemote.java"
    338]
   [org.h2.jdbc.JdbcConnection <init> "JdbcConnection.java" 122]
   [org.h2.Driver connect "Driver.java" 59]
   [java.sql.DriverManager getConnection "DriverManager.java" 681]
   [java.sql.DriverManager getConnection "DriverManager.java" 229]
   [org.owasp.dependencycheck.data.nvdcve.DatabaseManager
    initialize
    "DatabaseManager.java"
    185]
   [org.owasp.dependencycheck.data.nvdcve.DatabaseManager
    <init>
    "DatabaseManager.java"
    123]
   [org.owasp.dependencycheck.data.nvdcve.CveDB
    <init>
    "CveDB.java"
    242]
   [org.owasp.dependencycheck.Engine openDatabase "Engine.java" 995]
   [org.owasp.dependencycheck.Engine doUpdates "Engine.java" 868]
   [org.owasp.dependencycheck.Engine doUpdates "Engine.java" 850]
   [jdk.internal.reflect.NativeMethodAccessorImpl
    invoke0
    "NativeMethodAccessorImpl.java"
    -2]
   [jdk.internal.reflect.NativeMethodAccessorImpl
    invoke
    "NativeMethodAccessorImpl.java"
    77]
   [jdk.internal.reflect.DelegatingMethodAccessorImpl
    invoke
    "DelegatingMethodAccessorImpl.java"
    43]
   [java.lang.reflect.Method invoke "Method.java" 568]
   [clojure.lang.Reflector invokeMatchingMethod "Reflector.java" 167]
   [clojure.lang.Reflector
    invokeNoArgInstanceMember
    "Reflector.java"
    438]
   [clj_watson.controller.dependency_check.scanner$update_download_database
    invokeStatic
    "scanner.clj"
    14]
   [clj_watson.controller.dependency_check.scanner$update_download_database
    invoke
    "scanner.clj"
    11]
   [clj_watson.controller.dependency_check.scanner$build_engine
    invokeStatic
    "scanner.clj"
    27]
   [clj_watson.controller.dependency_check.scanner$build_engine
    invoke
    "scanner.clj"
    24]
   [clj_watson.controller.dependency_check.scanner$scan_jars
    invokeStatic
    "scanner.clj"
    34]
   [clj_watson.controller.dependency_check.scanner$scan_jars
    invoke
    "scanner.clj"
    33]
   [clj_watson.controller.dependency_check.scanner$start_BANG_
    invokeStatic
    "scanner.clj"
    45]
   [clj_watson.controller.dependency_check.scanner$start_BANG_
    invoke
    "scanner.clj"
    44]
   [clj_watson.entrypoint$eval7631$fn__7633 invoke "entrypoint.clj" 23]
   [clojure.lang.MultiFn invoke "MultiFn.java" 229]
   [clj_watson.entrypoint$eval7638$fn__7639 invoke "entrypoint.clj" 30]
   [clojure.lang.MultiFn invoke "MultiFn.java" 229]
   [clj_watson.entrypoint$scan invokeStatic "entrypoint.clj" 33]
   [clj_watson.entrypoint$scan invoke "entrypoint.clj" 32]
   [clojure.lang.AFn applyToHelper "AFn.java" 154]
   [clojure.lang.AFn applyTo "AFn.java" 144]
   [clojure.lang.Var applyTo "Var.java" 705]
   [clojure.core$apply invokeStatic "core.clj" 667]
   [clojure.core$apply invoke "core.clj" 662]
   [clojure.run.exec$exec invokeStatic "exec.clj" 48]
   [clojure.run.exec$exec doInvoke "exec.clj" 39]
   [clojure.lang.RestFn invoke "RestFn.java" 423]
   [clojure.run.exec$_main$fn__205 invoke "exec.clj" 180]
   [clojure.run.exec$_main invokeStatic "exec.clj" 176]
   [clojure.run.exec$_main doInvoke "exec.clj" 139]
   [clojure.lang.RestFn applyTo "RestFn.java" 137]
   [clojure.lang.Var applyTo "Var.java" 705]
   [clojure.core$apply invokeStatic "core.clj" 667]
   [clojure.main$main_opt invokeStatic "main.clj" 514]
   [clojure.main$main_opt invoke "main.clj" 510]
   [clojure.main$main invokeStatic "main.clj" 664]
   [clojure.main$main doInvoke "main.clj" 616]
   [clojure.lang.RestFn applyTo "RestFn.java" 137]
   [clojure.lang.Var applyTo "Var.java" 705]
   [clojure.main main "main.java" 40]],
  :cause
  "The write format 1 is smaller than the supported format 2 [2.1.210/5]"}}

mthbernardes commented 2 years ago

Sorry, I've also bumped dependency-check to the latest version, so you need to delete the database in order for it to be created again. The database is located in /tmp/db.
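The failure above is the classic stale-cache problem: the H2 store under /tmp/db was written by the older dependency-check bundled with 3.0.2, and the newer H2 refuses to open a "write format 1" file. The following shell helper, an added example that is not part of clj-watson, clears that directory whenever the recorded dependency-check version changes, so a rescan re-downloads the database instead of crashing. The marker file name, the `refresh_nvd_db` function and the version strings are this example's own assumptions; only the /tmp/db default comes from the thread.

```shell
#!/bin/sh
# Added example (not clj-watson code): invalidate the cached dependency-check
# H2 database when the dependency-check version bumps, so the next scan
# recreates it instead of failing with
# "The write format 1 is smaller than the supported format 2".
#
# Assumptions: the database directory defaults to /tmp/db (from the thread);
# the marker file and the function name are inventions of this example.

refresh_nvd_db() {
  db_dir="${1:-/tmp/db}"                        # where clj-watson keeps the H2 store
  current_version="$2"                          # dependency-check version now in use
  marker="$db_dir/.dependency-check-version"    # hypothetical marker written by this script

  # Same version as last time and a store already present: nothing to do.
  if [ -d "$db_dir" ] && [ -f "$marker" ] && [ "$(cat "$marker")" = "$current_version" ]; then
    echo "kept"
    return 0
  fi

  # Version changed or unknown: drop the old store so dependency-check
  # downloads a fresh one in its own H2 format, then record the version.
  rm -rf "$db_dir"
  mkdir -p "$db_dir"
  printf '%s\n' "$current_version" > "$marker"
  echo "reset"
}

# Typical use before a scan (version string is a constructed placeholder):
#   refresh_nvd_db /tmp/db "DEPENDENCY_CHECK_VERSION_PLACEHOLDER"
```

Run it before invoking clj-watson in CI; the first run after any bump prints `reset`, and subsequent runs with the same version print `kept` and leave the downloaded database alone.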

seancorfield commented 2 years ago

I assumed I needed to do that but the docs do not say where the DB is :)

seancorfield commented 2 years ago

I'll try this out tomorrow, when I'm back at work.

mthbernardes commented 2 years ago

> I assumed I needed to do that but the docs do not say where the DB is :)

I've just added this information to the open PR.

seancorfield commented 2 years ago

Confirmed that the new alpha works, produces CVE IDs, and sorts them. This will make it much easier to spot differences over time. Thank you!

mthbernardes commented 2 years ago

Awesome, I'll merge the PR and make an official release.