dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Dependabot security updates: "Dependabot couldn't find a pom.xml" #10683

Open MaximilianWenzel opened 1 month ago

MaximilianWenzel commented 1 month ago

Is there an existing issue for this?

Package ecosystem

maven

Package manager version

No response

Language version

Java 17

Manifest location and content before the Dependabot update

repository root, i.e., "/pom.xml"

dependabot.yml content

https://github.com/derivo-company/neo2rdf/blob/fc6c77386d11f49a1042adadba9e5c72915a3a0f/.github/dependabot.yml

Updated dependency

No response

What you expected to see, versus what you actually saw

First, I need to say that the "Dependabot version updates" work without any issues on my repository - really helpful. I now activated the "Dependabot security updates" for the repository and encounter errors. I hope this is the right place to post this because it is probably rather an issue of the default configuration on the platform GitHub and not an issue of the underlying dependabot code. Apparently, it searches in /home/runner/work/neo2rdf/neo2rdf for the pom.xml file. I suppose this is the path of the action runner. The link in the text next to the green "open" button of the provided screenshot should probably point to the actual repository file, which it does not. I did not find a way to configure the "Dependabot security updates" separately from "Dependabot version updates".

image

Probably it is connected to the fact that the pom.xml is in the repository root directory, because I tried it in another project where it is in a subdirectory and there it works perfectly fine (repository link).

image

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

Repository: https://github.com/derivo-company/neo2rdf Action run: https://github.com/derivo-company/neo2rdf/actions/runs/11056534431/job/30718297282

2024-09-26T16:38:54.4292975Z Current runner version: '2.319.1'
2024-09-26T16:38:54.4317194Z ##[group]Operating System
2024-09-26T16:38:54.4317970Z Ubuntu
2024-09-26T16:38:54.4318323Z 22.04.5
2024-09-26T16:38:54.4318658Z LTS
2024-09-26T16:38:54.4319052Z ##[endgroup]
2024-09-26T16:38:54.4319450Z ##[group]Runner Image
2024-09-26T16:38:54.4319892Z Image: ubuntu-22.04
2024-09-26T16:38:54.4320374Z Version: 20240922.1.0
2024-09-26T16:38:54.4321386Z Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20240922.1/images/ubuntu/Ubuntu2204-Readme.md
2024-09-26T16:38:54.4323071Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240922.1
2024-09-26T16:38:54.4323912Z ##[endgroup]
2024-09-26T16:38:54.4324316Z ##[group]Runner Image Provisioner
2024-09-26T16:38:54.4324885Z 2.0.384.1
2024-09-26T16:38:54.4325230Z ##[endgroup]
2024-09-26T16:38:54.4341952Z ##[group]GITHUB_TOKEN Permissions
2024-09-26T16:38:54.4343968Z Actions: read
2024-09-26T16:38:54.4344643Z Attestations: read
2024-09-26T16:38:54.4345127Z Checks: read
2024-09-26T16:38:54.4345582Z Contents: read
2024-09-26T16:38:54.4345951Z Deployments: read
2024-09-26T16:38:54.4346350Z Discussions: read
2024-09-26T16:38:54.4346790Z Issues: read
2024-09-26T16:38:54.4347173Z Metadata: read
2024-09-26T16:38:54.4347620Z Packages: read
2024-09-26T16:38:54.4348015Z Pages: read
2024-09-26T16:38:54.4348349Z PullRequests: read
2024-09-26T16:38:54.4348827Z RepositoryProjects: read
2024-09-26T16:38:54.4349299Z SecurityEvents: read
2024-09-26T16:38:54.4349711Z Statuses: read
2024-09-26T16:38:54.4350161Z ##[endgroup]
2024-09-26T16:38:54.4353429Z Secret source: None
2024-09-26T16:38:54.4354021Z Prepare workflow directory
2024-09-26T16:38:54.4990539Z Prepare all required actions
2024-09-26T16:38:54.5160796Z Getting action download info
2024-09-26T16:38:54.7293100Z Download action repository 'github/dependabot-action@main' (SHA:bf1e6fc1b2536ed5c395a864fea92c8f64a409cd)
2024-09-26T16:38:55.5072985Z Complete job name: Dependabot
2024-09-26T16:38:55.6050158Z ##[group]Run mkdir -p  ./dependabot-job-891552662-1727368724
2024-09-26T16:38:55.6051113Z mkdir -p  ./dependabot-job-891552662-1727368724
2024-09-26T16:38:55.6079247Z shell: /usr/bin/bash -e {0}
2024-09-26T16:38:55.6079809Z ##[endgroup]
2024-09-26T16:38:55.6630107Z ##[group]Run github/dependabot-action@main
2024-09-26T16:38:55.6630783Z env:
2024-09-26T16:38:55.6631190Z   DEPENDABOT_DISABLE_CLEANUP: 1
2024-09-26T16:38:55.6631884Z   DEPENDABOT_ENABLE_CONNECTIVITY_CHECK: 0
2024-09-26T16:38:55.6633006Z   GITHUB_TOKEN: ***
2024-09-26T16:38:55.6633891Z   GITHUB_DEPENDABOT_JOB_TOKEN: ***
2024-09-26T16:38:55.6634967Z   GITHUB_DEPENDABOT_CRED_TOKEN: ***
2024-09-26T16:38:55.6635513Z ##[endgroup]
2024-09-26T16:38:55.9614663Z 🤖 ~ starting update ~
2024-09-26T16:38:55.9648270Z Fetching job details
2024-09-26T16:38:56.5652550Z ##[group]Pulling updater images
2024-09-26T16:38:56.5702101Z Pulling image ghcr.io/dependabot/dependabot-updater-maven:88ed71055d13287e5485b22a89378616a95f5ef6...
2024-09-26T16:39:08.1148195Z Pulled image ghcr.io/dependabot/dependabot-updater-maven:88ed71055d13287e5485b22a89378616a95f5ef6
2024-09-26T16:39:08.1161041Z Pulling image ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:v2.0.20240919194919@sha256:a8861ab9eba169d6c8071b3e2d8d67e7a23b87a6566af87255b746e2e081bca3...
2024-09-26T16:39:09.2016465Z Pulled image ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:v2.0.20240919194919@sha256:a8861ab9eba169d6c8071b3e2d8d67e7a23b87a6566af87255b746e2e081bca3
2024-09-26T16:39:09.2018982Z ##[endgroup]
2024-09-26T16:39:09.2019645Z Starting update process
2024-09-26T16:39:09.4903791Z Created proxy container: d8623bc67a6243314a73d5e5bab09350bedb720afa80203db41c7f2367f5a2a1
2024-09-26T16:39:09.7681815Z Created container: 48e14a3d9fa03eb19235dd84c7616e7beb626bc2d9ee3f001923836999cafef8
2024-09-26T16:39:09.7917544Z   proxy | 2024/09/26 16:39:09 proxy starting, commit: cf3f47452d431f45a8cdd6282ca0c7682bafa86d
2024-09-26T16:39:09.7919241Z   proxy | 2024/09/26 16:39:09 Listening (:1080)
2024-09-26T16:39:09.9288116Z updater | Updating certificates in /etc/ssl/certs...
2024-09-26T16:39:10.6679000Z updater | rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
2024-09-26T16:39:10.6914944Z updater | 1 added, 0 removed; done.
2024-09-26T16:39:10.6916244Z Running hooks in /etc/ca-certificates/update.d...
2024-09-26T16:39:10.6930182Z updater | done.
2024-09-26T16:39:13.1717299Z updater | 2024/09/26 16:39:13 INFO <job_891552662> Starting job processing
2024-09-26T16:39:13.1777522Z 2024/09/26 16:39:13 INFO <job_891552662> Job definition: {"job":{"allowed-updates":[{"dependency-type":"direct","update-type":"all"}],"commit-message-options":{"prefix":null,"prefix-development":null,"include-scope":null},"credentials-metadata":[{"type":"git_source","host":"github.com"}],"debug":null,"dependencies":["ch.qos.logback:logback-classic","ch.qos.logback:logback-core","io.netty:netty-codec-http","org.apache.commons:commons-compress","org.apache.commons:commons-compress","org.apache.commons:commons-configuration2","org.apache.commons:commons-configuration2","org.apache.solr:solr-solrj","org.apache.zookeeper:zookeeper","org.apache.zookeeper:zookeeper","org.eclipse.jetty.http2:http2-common","org.eclipse.jetty.http2:http2-common","org.eclipse.jetty.http2:http2-hpack","org.neo4j:neo4j-cypher","org.xerial.snappy:snappy-java","org.xerial.snappy:snappy-java","org.xerial.snappy:snappy-java","org.xerial.snappy:snappy-java"],"dependency-groups":[{"name":"maven","rules":{"patterns":["*"]},"applies-to":"security-updates"}],"dependency-group-to-refresh":null,"existing-pull-requests":[],"existing-group-pull-requests":[],"experiments":{"record-ecosystem-versions":true,"record-update-job-unknown-error":true,"proxy-cached":true,"move-job-token":true,"dependency-change-validation":true,"add-deprecation-warn-to-pr-message":true,"enable-pnpm-yarn-dynamic-engine":true},"ignore-conditions":[],"lockfile-only":false,"max-updater-run-time":2700,"package-manager":"maven","proxy-log-response-body-on-auth-failure":true,"requirements-update-strategy":null,"reject-external-code":false,"security-advisories":[{"dependency-name":"ch.qos.logback:logback-classic","patched-versions":[],"unaffected-versions":[],"affected-versions":["(,1.2.0)"]},{"dependency-name":"ch.qos.logback:logback-classic","patched-versions":[],"unaffected-versions":[],"affected-versions":["(,1.2.13)","[1.3.0,1.3.12)","[1.4.0,1.4.12)"]},{"dependency-name":"ch.qos.logback:logback-core","patche
d-versions":[],"unaffected-versions":[],"affected-versions":["(,1.2.0)"]},{"dependency-name":"ch.qos.logback:logback-core","patched-versions":[],"unaffected-versions":[],"affected-versions":["(,1.2.9)"]},{"dependency-name":"ch.qos.logback:logback-core","patched-versions":[],"unaffected-versions":[],"affected-versions":["(,1.2.13)","[1.3.0,1.3.12)","[1.4.0,1.4.12)"]},{"dependency-name":"ch.qos.logback:logback-core","patched-versions":[],"unaffected-versions":[],"affected-versions":["1.2.12","1.3.13","1.4.13"]},{"dependency-name":"io.netty:netty-codec-http","patched-versions":[],"unaffected-versions":[],"affected-versions":["[4.0.0,4.1.59.Final)"]},{"dependency-name":"io.netty:netty-codec-http","patched-versions":[],"unaffected-versions":[],"affected-versions":["[4.0.0,4.1.71.Final)"]},{"dependency-name":"io.netty:netty-codec-http","patched-versions":[],"unaffected-versions":[],"affected-versions":["(,4.1.76.Final]"]},{"dependency-name":"io.netty:netty-codec-http","patched-versions":[],"unaffected-versions":[],"affected-versions":["[4.1.83.Final,4.1.86.Final)"]},{"dependency-name":"io.netty:netty-codec-http","patched-versions":[],"unaffected-versions":[],"affected-versions":["[4.0.0,4.1.44)"]},{"dependency-name":"io.netty:netty-codec-http","patched-versions":[],"unaffected-versions":[],"affected-versions":["(,4.1.108.Final)"]},{"dependency-name":"org.apache.commons:commons-compress","patched-versions":[],"unaffected-versions":[],"affected-versions":["[1.7,1.18)"]},{"dependency-name":"org.apache.commons:commons-compress","patched-versions":[],"unaffected-versions":[],"affected-versions":["[1.11,1.16)"]},{"dependency-name":"org.apache.commons:commons-compress","patched-versions":[],"unaffected-versions":[],"affected-versions":["[1.15,1.19)"]},{"dependency-name":"org.apache.commons:commons-compress","patched-versions":[],"unaffected-versions":[],"affected-versions":["(,1.21)"]},{"dependency-name":"org.apache.commons:commons-compress","patched-versions":[],"unaffected-ver
sions":[],"affected-versions":["(,1.4.1)"]},{"dependency-name":"org.apache.commons:commons-compress","patched-versions":[],"unaffected-versions":[],"affected-versions":["[1.22,1.24.0)"]},{"dependency-name":"org.apache.commons:commons-compress","patched-versions":[],"unaffected-versions":[],"affected-versions":["[1.21,1.26.0)"]},{"dependency-name":"org.apache.commons:commons-compress","patched-versions":[],"unaffected-versions":[],"affected-versions":["[1.3,1.26.0)"]},{"dependency-name":"org.apache.commons:commons-configuration2","patched-versions":[],"unaffected-versions":[],"affected-versions":["[2.2,2.7)"]},{"dependency-name":"org.apache.commons:commons-configuration2","patched-versions":[],"unaffected-versions":[],"affected-versions":["[2.4,2.8.0)"]},{"dependency-name":"org.apache.commons:commons-configuration2","patched-versions":[],"unaffected-versions":[],"affected-versions":["[2.0,2.10.1)"]},{"dependency-name":"org.apache.solr:solr-solrj","patched-versions":[],"unaffected-versions":[],"affected-versions":["[6.0.0,8.11.3)","[9.0.0,9.4.1)"]},{"dependency-name":"org.apache.zookeeper:zookeeper","patched-versions":[],"unaffected-versions":[],"affected-versions":["[3.5.0,3.5.5)","[1.0.0,3.4.14)"]},{"dependency-name":"org.apache.zookeeper:zookeeper","patched-versions":[],"unaffected-versions":[],"affected-versions":["[3.5.0-alpha,3.5.3-beta]","(,3.4.9]"]},{"dependency-name":"org.apache.zookeeper:zookeeper","patched-versions":[],"unaffected-versions":[],"affected-versions":["[3.5.0,3.5.2]","[3.4.0,3.4.9]"]},{"dependency-name":"org.apache.zookeeper:zookeeper","patched-versions":[],"unaffected-versions":[],"affected-versions":["[3.9.0,3.9.1)","[3.8.0,3.8.3)","(,3.7.2)"]},{"dependency-name":"org.apache.zookeeper:zookeeper","patched-versions":[],"unaffected-versions":[],"affected-versions":["[3.6.0,3.7.2]","[3.9.0,3.9.1]","[3.8.0,3.8.3]"]},{"dependency-name":"org.eclipse.jetty.http2:http2-common","patched-versions":[],"unaffected-versions":[],"affected-versions":["[11.0.
0,11.0.19]","[10.0.0,10.0.19]","[9.3.0,9.4.53]"]},{"dependency-name":"org.eclipse.jetty.http2:http2-common","patched-versions":[],"unaffected-versions":[],"affected-versions":["[11.0.0,11.0.17)","[10.0.0,10.0.17)","[9.3.0,9.4.53)"]},{"dependency-name":"org.eclipse.jetty.http2:http2-hpack","patched-versions":[],"unaffected-versions":[],"affected-versions":["[9.3.0,9.4.52]","[11.0.0,11.0.15]","[10.0.0,10.0.15]"]},{"dependency-name":"org.neo4j:neo4j-cypher","patched-versions":[],"unaffected-versions":[],"affected-versions":["[5.0.0,5.19.0)"]},{"dependency-name":"org.xerial.snappy:snappy-java","patched-versions":[],"unaffected-versions":[],"affected-versions":["(,1.1.10.0]"]},{"dependency-name":"org.xerial.snappy:snappy-java","patched-versions":[],"unaffected-versions":[],"affected-versions":["(,1.1.10.3]"]}],"security-updates-only":true,"source":{"provider":"github","repo":"derivo-company/neo2rdf","branch":null,"api-endpoint":"https://api.github.com/","hostname":"github.com","directories":["/home/runner/work/neo2rdf/neo2rdf"]},"updating-a-pull-request":false,"update-subdependencies":false,"vendor-dependencies":false,"repo-private":false}}
2024-09-26T16:39:13.5343559Z   proxy | 2024/09/26 16:39:13 [002] GET https://github.com:443/derivo-company/neo2rdf/info/refs?service=git-upload-pack
2024-09-26T16:39:13.5345721Z 2024/09/26 16:39:13 [002] * authenticating git server request (host: github.com)
2024-09-26T16:39:13.7219192Z   proxy | 2024/09/26 16:39:13 [002] 200 https://github.com:443/derivo-company/neo2rdf/info/refs?service=git-upload-pack
2024-09-26T16:39:13.7542399Z   proxy | 2024/09/26 16:39:13 [004] POST https://github.com:443/derivo-company/neo2rdf/git-upload-pack
2024-09-26T16:39:13.7544255Z 2024/09/26 16:39:13 [004] * authenticating git server request (host: github.com)
2024-09-26T16:39:13.8837141Z   proxy | 2024/09/26 16:39:13 [004] 200 https://github.com:443/derivo-company/neo2rdf/git-upload-pack
2024-09-26T16:39:13.9177360Z   proxy | 2024/09/26 16:39:13 [006] POST https://github.com:443/derivo-company/neo2rdf/git-upload-pack
2024-09-26T16:39:13.9178636Z 2024/09/26 16:39:13 [006] * authenticating git server request (host: github.com)
2024-09-26T16:39:14.0748320Z   proxy | 2024/09/26 16:39:14 [006] 200 https://github.com:443/derivo-company/neo2rdf/git-upload-pack
2024-09-26T16:39:14.3243347Z updater | 2024/09/26 16:39:14 ERROR <job_891552662> Error during file fetching; aborting: /home/runner/work/neo2rdf/neo2rdf/pom.xml not found
2024-09-26T16:39:14.6279547Z   proxy | 2024/09/26 16:39:14 [008] POST /update_jobs/891552662/record_update_job_error
2024-09-26T16:39:14.8757949Z   proxy | 2024/09/26 16:39:14 [008] 204 /update_jobs/891552662/record_update_job_error
2024-09-26T16:39:14.9239812Z   proxy | 2024/09/26 16:39:14 [010] PATCH /update_jobs/891552662/mark_as_processed
2024-09-26T16:39:15.0661685Z   proxy | 2024/09/26 16:39:15 [010] 204 /update_jobs/891552662/mark_as_processed
2024-09-26T16:39:15.0684416Z updater | 2024/09/26 16:39:15 INFO <job_891552662> Finished job processing
2024-09-26T16:39:15.0705083Z updater | 2024/09/26 16:39:15 INFO Results:
2024-09-26T16:39:15.0709832Z Dependabot encountered '1' error(s) during execution, please check the logs for more details.
2024-09-26T16:39:15.0711076Z +---------------------------+
2024-09-26T16:39:15.0711837Z |          Errors           |
2024-09-26T16:39:15.0712968Z +---------------------------+
2024-09-26T16:39:15.0715364Z | dependency_file_not_found |
2024-09-26T16:39:15.0716909Z +---------------------------+
2024-09-26T16:39:15.1857431Z Failure running container 48e14a3d9fa03eb19235dd84c7616e7beb626bc2d9ee3f001923836999cafef8
2024-09-26T16:39:15.2039973Z Cleaned up container 48e14a3d9fa03eb19235dd84c7616e7beb626bc2d9ee3f001923836999cafef8
2024-09-26T16:39:15.2136328Z   proxy | 2024/09/26 16:39:15 Posting metrics to remote API endpoint
2024-09-26T16:39:15.2138860Z   proxy | 2024/09/26 16:39:15 0/5 calls cached (0%)
2024-09-26T16:39:15.9441589Z ##[error]Dependabot encountered an error performing the update

Error: The updater encountered one or more errors.

For more information see: https://github.com/derivo-company/neo2rdf/network/updates/891552662 (write access to the repository is required to view the log)
2024-09-26T16:39:15.9450996Z 🤖 ~ finished: error reported to Dependabot ~
2024-09-26T16:39:15.9534324Z Post job cleanup.
2024-09-26T16:39:16.0902815Z Cleaning up orphan processes

Smallest manifest that reproduces the issue

No response

MaximilianWenzel commented 1 month ago

I created a separate repository with a pom.xml file in the root directory in order to try to reproduce the error, but the dependabot security updates apparently work (link):

image

MaximilianWenzel commented 1 month ago

I compared the job configuration of

This is probably the relevant difference:

Excerpt of security update job config (job not successful, autoconfigured by GitHub)

"source": {
    "provider": "github",
    "repo": "derivo-company/neo2rdf",
    "branch": null,
    "api-endpoint": "https://api.github.com/",
    "hostname": "github.com",
    "directories": [
        "/home/runner/work/neo2rdf/neo2rdf"
    ]
}

Excerpt of version update job (job successful, manually configured in .github/dependabot.yml)

"source": {
    "provider": "github",
    "repo": "derivo-company/neo2rdf",
    "branch": null,
    "directory": "/.",
    "api-endpoint": "https://api.github.com/",
    "hostname": "github.com"
}

Security update of minimum working Java Maven project repository (job successful, autoconfigured by GitHub)

"source": {
    "provider": "github",
    "repo": "MaximilianWenzel/java-security-update-root",
    "branch": null,
    "api-endpoint": "https://api.github.com/",
    "hostname": "github.com",
    "directories": [
        "/"
    ]
}

Apparently, somehow the auto configuration in the "neo2rdf" repository went wrong.
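A small triage helper, added here as an example and not part of dependabot-core or the reporter's repository, that reads action log lines like the ones quoted above, pulls the job's source directories (handling both the `directory` and `directories` forms shown in the comment) and flags entries that start with the Actions runner workspace prefix. The prefix heuristic and the sample lines are assumptions constructed for the example.

```python
import json
import re

# Constructed sample lines modelled on the action log quoted in the issue.
# The job definition is abbreviated to its "source" block; the real log
# carries the full job (dependencies, advisories, ...) on the same line.
SAMPLE_LOG = [
    '2024/09/26 16:39:13 INFO <job_891552662> Job definition: '
    '{"job":{"package-manager":"maven","security-updates-only":true,'
    '"source":{"provider":"github","repo":"derivo-company/neo2rdf",'
    '"directories":["/home/runner/work/neo2rdf/neo2rdf"]}}}',
    '2024/09/26 16:39:14 ERROR <job_891552662> Error during file fetching; '
    'aborting: /home/runner/work/neo2rdf/neo2rdf/pom.xml not found',
    '| dependency_file_not_found |',
]

# Heuristic (an assumption, not a documented Dependabot rule): a Dependabot
# directory is a path inside the repository, so a value starting with the
# runner workspace prefix was taken from the runner's file system instead.
RUNNER_WORKSPACE_PREFIX = "/home/runner/work/"

JOB_DEF_RE = re.compile(r"Job definition: (\{.*\})\s*$")
NOT_FOUND_RE = re.compile(r"aborting: (\S+) not found")


def parse_job_definition(lines):
    """Return the decoded "job" object from the first matching log line."""
    for line in lines:
        m = JOB_DEF_RE.search(line)
        if m:
            return json.loads(m.group(1))["job"]
    return None


def source_directories(job):
    """Version-update jobs carry "directory", security-update jobs carry
    "directories" (both forms appear in the issue); normalise to a list."""
    source = job.get("source", {})
    if "directories" in source:
        return list(source["directories"])
    if "directory" in source:
        return [source["directory"]]
    return []


def suspicious_directories(dirs):
    """Directories that look like runner file-system paths, not repo paths."""
    return [d for d in dirs if d.startswith(RUNNER_WORKSPACE_PREFIX)]


def diagnose(lines):
    """Correlate the job's source directories with the file-fetch failure."""
    job = parse_job_definition(lines)
    dirs = source_directories(job) if job else []
    missing = next((m.group(1) for l in lines if (m := NOT_FOUND_RE.search(l))), None)
    return {"directories": dirs, "suspicious": suspicious_directories(dirs),
            "missing_file": missing,
            "file_not_found": any("dependency_file_not_found" in l for l in lines)}
```

Run `diagnose(SAMPLE_LOG)` on the constructed lines and the workspace path shows up under "suspicious" next to the missing pom.xml path, which is the mismatch the comment describes.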

kessiler commented 1 month ago

I'm encountering the same issue in one of my repositories. It seems like the root directory isn't being properly set up, but I haven't been able to find a way to fix it.

MaximilianWenzel commented 1 month ago

Thanks! It already helps to know that others encounter this issue as well sometimes.