Closed eoftedal closed 10 years ago
Erlend,
What version of the Jenkins plugin are you running? The current release is 1.0.2 and incorporates Dependency-Check 1.0.2.
I'm using 1.0.2
Erlend,
Any chance you could tell me what JAR files were being scanned so that I can try and replicate the bug on my side?
--Jeremy
On Wed, Oct 2, 2013 at 5:46 AM, Erlend Oftedal notifications@github.com wrote:
ERROR: Processing failed due to a bug in the code. Please report this to jenkinsci-users@googlegroups.com
java.lang.NullPointerException
at org.owasp.dependencycheck.data.cpe.CpeIndexReader.search(CpeIndexReader.java:122)
at org.owasp.dependencycheck.analyzer.CPEAnalyzer.searchCPE(CPEAnalyzer.java:272)
at org.owasp.dependencycheck.analyzer.CPEAnalyzer.determineCPE(CPEAnalyzer.java:172)
at org.owasp.dependencycheck.analyzer.CPEAnalyzer.analyze(CPEAnalyzer.java:485)
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:313)
at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.executeDependencyCheck(DependencyCheckExecutor.java:85)
at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.performBuild(DependencyCheckExecutor.java:66)
at org.jenkinsci.plugins.DependencyCheck.DependencyCheckBuilder$1.call(DependencyCheckBuilder.java:137)
at org.jenkinsci.plugins.DependencyCheck.DependencyCheckBuilder$1.call(DependencyCheckBuilder.java:134)
at hudson.remoting.LocalChannel.call(LocalChannel.java:45)
at org.jenkinsci.plugins.DependencyCheck.DependencyCheckBuilder.perform(DependencyCheckBuilder.java:134)
at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:782)
at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.build(MavenModuleSetBuild.java:876)
at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.doRun(MavenModuleSetBuild.java:647)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:567)
at hudson.model.Run.execute(Run.java:1603)
at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:506)
at hudson.model.ResourceController.execute(ResourceController.java:88)
at hudson.model.Executor.run(Executor.java:246)
Trying to deploy the latest version to check the repo manually from CLI, but cannot build:
Oct 08, 2013 8:49:44 AM org.owasp.dependencycheck.data.nvdcve.xml.DatabaseUpdater update
INFO: Downloading http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2008.xml
Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 2.733 sec <<< FAILURE!
testUpdate(org.owasp.dependencycheck.data.nvdcve.xml.DatabaseUpdaterIntegrationTest) Time elapsed: 2.733 sec <<< ERROR!
java.lang.NoSuchMethodError: org.owasp.dependencycheck.utils.Downloader.fetchFile(Ljava/net/URL;Ljava/io/File;Z)V
at org.owasp.dependencycheck.data.nvdcve.xml.DatabaseUpdater.update(DatabaseUpdater.java:129)
at org.owasp.dependencycheck.data.nvdcve.xml.DatabaseUpdaterIntegrationTest.testUpdate(DatabaseUpdaterIntegrationTest.java:61)
The other test downloading http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2002.xml works though... Strange
Erlend,
I will look into this, but I normally clean, delete everything in my local repo, and then 'mvn install' prior to pushing. Hopefully I just had a slight oversight on my last push. Regardless, you can download the command line version from bintray; information on usage of the CLI can be found on the github page: http://jeremylong.github.io/DependencyCheck/dependency-check-cli/installation.html
Download the compiled CLI from: http://dl.bintray.com/jeremy-long/owasp/dependency-check-1.0.2-release.zip
--Jeremy
I built it with mvn install -DskipTests, and got 1.0.3 CLI running. During the scan of my app, it crashed on a .zip-file which isn't a library (not a .jar).
Btw, I recloned to make sure I had a clean version, and now it builds without any issues, so that was some leftover data on my side, I guess. Now it builds without errors. So no need to look into that.
The only problem is the crash on scanning zip files.
Any chance you could share the zip?
--Jeremy
Actually it says it cannot find a .zip that's within a .zip. Not sure what's going on there. I can send it to you via email.
This is the bug I see:
Oct 09, 2013 7:17:54 AM org.owasp.dependencycheck.analyzer.ArchiveAnalyzer extractFiles
WARNING: null
org.owasp.dependencycheck.analyzer.AnalysisException: Unable to find file 'somefile.zip'.
at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.extractFiles(ArchiveAnalyzer.java:287)
at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.analyze(ArchiveAnalyzer.java:185)
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:313)
at org.owasp.dependencycheck.App.runScan(App.java:146)
at org.owasp.dependencycheck.App.run(App.java:123)
at org.owasp.dependencycheck.App.main(App.java:72)
Caused by: java.io.FileNotFoundException:/var/folders/9d/k_2v_tpn3jgdq9t7hrj2ycnn5p98bd/T/check7874399254683943295tmp/22/somefile.zip (No such file or directory)
at java.io.FileOutputStream.open(Native Method)
at java.io.FileOutputStream.<init>(FileOutputStream.java:212)
at java.io.FileOutputStream.<init>(FileOutputStream.java:165)
at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.extractFiles(ArchiveAnalyzer.java:277)
... 5 more
ATM, I am unable to replicate this. However, I have added code to 1.0.3-SNAPSHOT that attempts to detect the situation and re-instantiate that object.
Just upgraded to 1.0.4
[DependencyCheck] OWASP Dependency-Check Plugin v1.0.4
[DependencyCheck] Executing Dependency-Check analysis with the following options:
[DependencyCheck] -name = appp_nyutvikling_dependency_check
[DependencyCheck] -scanPath = /var/data/jenkins/jobs/app_nyutvikling_depcheck/workspace
[DependencyCheck] -outputDirectory = /var/data/jenkins/jobs/app_nyutvikling_depcheck/workspace
[DependencyCheck] -dataDirectory = /var/data/jenkins/jobs/app_nyutvikling_depcheck/workspace/dependency-check-data
[DependencyCheck] -showEvidence = false
[DependencyCheck] -format = XML
[DependencyCheck] -autoUpdate = true
[DependencyCheck] Scanning: /var/data/jenkins/jobs/app_nyutvikling_depcheck/workspace
[DependencyCheck] Analyzing Dependencies
ERROR: Processing failed due to a bug in the code. Please report this to jenkinsci-users@googlegroups.com
java.lang.NullPointerException
at org.owasp.dependencycheck.data.cpe.BaseIndex.close(BaseIndex.java:69)
at org.owasp.dependencycheck.data.cpe.CpeIndexReader.close(CpeIndexReader.java:108)
at org.owasp.dependencycheck.data.cpe.CpeIndexReader.search(CpeIndexReader.java:136)
at org.owasp.dependencycheck.analyzer.CPEAnalyzer.searchCPE(CPEAnalyzer.java:272)
at org.owasp.dependencycheck.analyzer.CPEAnalyzer.determineCPE(CPEAnalyzer.java:172)
at org.owasp.dependencycheck.analyzer.CPEAnalyzer.analyze(CPEAnalyzer.java:488)
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:319)
at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.executeDependencyCheck(DependencyCheckExecutor.java:95)
at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.performBuild(DependencyCheckExecutor.java:72)
at org.jenkinsci.plugins.DependencyCheck.DependencyCheckBuilder$1.call(DependencyCheckBuilder.java:168)
at org.jenkinsci.plugins.DependencyCheck.DependencyCheckBuilder$1.call(DependencyCheckBuilder.java:165)
at hudson.remoting.LocalChannel.call(LocalChannel.java:45)
at org.jenkinsci.plugins.DependencyCheck.DependencyCheckBuilder.perform(DependencyCheckBuilder.java:165)
at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:781)
at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.build(MavenModuleSetBuild.java:886)
at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.doRun(MavenModuleSetBuild.java:654)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:562)
at hudson.model.Run.execute(Run.java:1665)
at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:507)
at hudson.model.ResourceController.execute(ResourceController.java:88)
at hudson.model.Executor.run(Executor.java:230)
project=hudson.maven.MavenModuleSet@4bd3371f[app_nyutvikling_dependency_check]
project.getModules()=[]
project.getRootModule()=null
FATAL: null
java.lang.NullPointerException
at org.owasp.dependencycheck.data.cpe.BaseIndex.close(BaseIndex.java:69)
at org.owasp.dependencycheck.data.cpe.CpeIndexReader.close(CpeIndexReader.java:108)
at org.owasp.dependencycheck.data.cpe.CpeIndexReader.search(CpeIndexReader.java:136)
at org.owasp.dependencycheck.analyzer.CPEAnalyzer.searchCPE(CPEAnalyzer.java:272)
at org.owasp.dependencycheck.analyzer.CPEAnalyzer.determineCPE(CPEAnalyzer.java:172)
at org.owasp.dependencycheck.analyzer.CPEAnalyzer.analyze(CPEAnalyzer.java:488)
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:319)
at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.executeDependencyCheck(DependencyCheckExecutor.java:95)
at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.performBuild(DependencyCheckExecutor.java:72)
at org.jenkinsci.plugins.DependencyCheck.DependencyCheckBuilder$1.call(DependencyCheckBuilder.java:168)
at org.jenkinsci.plugins.DependencyCheck.DependencyCheckBuilder$1.call(DependencyCheckBuilder.java:165)
at hudson.remoting.LocalChannel.call(LocalChannel.java:45)
at org.jenkinsci.plugins.DependencyCheck.DependencyCheckBuilder.perform(DependencyCheckBuilder.java:165)
at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:781)
at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.build(MavenModuleSetBuild.java:886)
at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.doRun(MavenModuleSetBuild.java:654)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:562)
at hudson.model.Run.execute(Run.java:1665)
at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:507)
at hudson.model.ResourceController.execute(ResourceController.java:88)
at hudson.model.Executor.run(Executor.java:230)
Might be a proxy issue actually. Let me check
@jeremylong How do I set a proxy for the jenkins plugin?
Steve,
I'm not seeing a configuration option in the Jenkins plugin to set the proxy url/port? Was one added and I can't find it? Or were you just thinking people would use the environment variables via -Dproxy.url and -Dproxy.port?
--Jeremy
The proxy settings have not yet been added to the Jenkins plugin. I was actually waiting until I implemented proxy authentication in dependency-check-core before adding proxy support to the Jenkins plugin.
I just pushed support for proxy authentication to dependency-check-core, the command-line interface, along with the Ant task and Maven plugin. These will be available in the next release.
As for the Jenkins plugin, the proxy settings are global and are configured in the Jenkins Plugin Manager under the Advanced tab. This configuration supports a host, port, username and password.
Assuming the next release of Dependency-Check is 1.0.5, then that is the version of the Jenkins plugin that will support proxy configuration.
I will finish an update to support tar.gz files and then push 1.0.5. I'm hoping I can get to this today, but due to other obligations this may end up getting postponed until next weekend.
Thanks Steve!
--Jeremy
Ok, so the NullPointerException from my "Just upgraded to 1.0.4" occurs because it can't connect and download the files due to lack of proxy. And the zip-file doesn't cause problems anymore.
I guess you can close this bug, but I would suggest adding a better error message when it can't initially download the vulnerability database.
Thanks for looking into this though! I managed to make it work in jenkins by first running the cli version with proxy settings and then pointing jenkins to the same data-directory with updates disabled.
Thanks for the information. I will definitely improve the error messages for this situation. Also, when 1.0.5 is pushed (hopefully this weekend) you should be able to set the proxy in the Jenkins configuration. You currently can set the proxy information for earlier versions by setting environment/system variables for "proxy.url" and "proxy.port".
Best Regards,
Jeremy
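The diagnosis above (the 1.0.4 NullPointerException meant the NVD download never happened because no proxy was configured) and the proxy.url/proxy.port properties Jeremy mentions suggest a preflight check that fails with a readable message before the scan starts. The script below is an added example written for this page, not code from Dependency-Check or the Jenkins plugin. It reads the proxy settings under the same two names from a mapping (os.environ when run directly), sends a HEAD request for the feed URL quoted earlier in the thread through that proxy, and reports the outcome. The function names, the mapping-based lookup, the exit codes and the fake responses used in testing are this example's own choices.

```python
"""Preflight check for the failure mode in this thread (added example, not
project code): Dependency-Check could not download the NVD feeds because no
proxy was configured, and reported that as a NullPointerException deep in the
CPE index. Run this before the scan to get a clear error instead.
"""
import os
import sys
import urllib.error
import urllib.request

# Feed URL quoted in the thread; in a locked-down build network it is only
# reachable through the corporate proxy.
NVD_FEED = "http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2002.xml"


def proxy_from_settings(settings):
    """Read proxy.url / proxy.port from a mapping (the same names the CLI takes
    as -D system properties). Returns (host, port) or None when no proxy is
    configured; raises ValueError when a host is given without a valid port."""
    host = (settings.get("proxy.url") or "").strip()
    if not host:
        return None
    port = (settings.get("proxy.port") or "").strip()
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"proxy.port must be 1-65535 when proxy.url is set, got {port!r}")
    return host, int(port)


def build_opener(proxy):
    """urllib opener routed through proxy=(host, port), or direct when None.
    An empty ProxyHandler also ignores http_proxy-style environment variables,
    so the check exercises exactly the configuration the scanner would get."""
    if proxy is None:
        return urllib.request.build_opener(urllib.request.ProxyHandler({}))
    url = f"http://{proxy[0]}:{proxy[1]}"
    return urllib.request.build_opener(urllib.request.ProxyHandler({"http": url, "https": url}))


def check_feed(opener, url=NVD_FEED, timeout=10):
    """HEAD the feed through opener. Returns (ok, message) and never raises, so
    the caller can print the message and exit instead of crashing mid-scan."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as e:
        # 407 here means the proxy demands credentials, which the 1.0.4
        # proxy.url/proxy.port settings cannot supply.
        return False, f"{url}: HTTP {e.code} {e.reason}"
    except OSError as e:  # URLError, DNS failure, connection refused, timeout
        return False, f"{url}: cannot connect ({e}); check proxy.url/proxy.port"
    if status != 200:
        return False, f"{url}: unexpected HTTP {status}"
    return True, f"{url}: reachable (HTTP {status})"


def main():
    """Exit 0 when the feed is reachable, 1 when it is not, 2 on bad settings."""
    try:
        proxy = proxy_from_settings(os.environ)
    except ValueError as e:
        print(f"config error: {e}", file=sys.stderr)
        return 2
    ok, msg = check_feed(build_opener(proxy))
    print(msg, file=sys.stdout if ok else sys.stderr)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Because the property names contain dots, a POSIX shell cannot assign them directly; invoke the script as `env proxy.url=proxy.corp.example proxy.port=3128 python3 nvd_preflight.py` (script name assumed). Running it on the Jenkins node before the Dependency-Check step reproduces the workaround Erlend describes, seeding a shared data directory from the CLI and then pointing Jenkins at it with autoUpdate off, but with an explicit failure when the proxy is wrong rather than a NullPointerException from the CPE index.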
@eoftedal A minor release of the Jenkins plugin was just pushed out today. Version 1.0.4.1 supports the proxy server settings in Dependency-Check core v1.0.4. It's a global configuration in Jenkins so all builds, regardless of where they're running (master or slave), will use the settings. The proxy settings are in a weird place though. They're in the manage plugins page under the advanced tab. Currently only hostname and port are supported proxy parameters. Dependency-Check 1.0.5 along with the Jenkins plugin will support proxy authentication as well.
@stevespringett Thanks! I'll take a look
The core 1.0.5 library has been published and the jenkins plugin should be updated shortly by Steve. The NPE should be solved in the core library.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.