jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Cache properties `dependencycheck-cache.properties` could not be found #3146

Closed mebigfatguy closed 3 years ago

mebigfatguy commented 3 years ago

I am trying to update from 6.0.5 to 6.1.1, and am getting the following error: I see that it's from

try (InputStream in = FileUtils.getResourceAsStream(CACHE_PROPERTIES)) {

but I don't see it in the jar file (at least not the main one). Is this something I'm supposed to add to the classpath myself?

[dependency-check] Unable to create an Input Stream for dependencycheck.properties

[2021-02-17T04:23:08.286Z] [dependency-check] Did not find settings file 'dependencycheck.properties'.

[2021-02-17T04:23:08.286Z] [dependency-check] Unable to create an Input Stream for dependencycheck-cache.properties

[2021-02-17T04:23:08.286Z] 

[2021-02-17T04:23:08.286Z] BUILD FAILED

[2021-02-17T04:23:08.286Z] /scratch/gbuora/workspace/jenkins/workspace/Microservice_Cluster/build.xml:381: java.lang.RuntimeException: Cache properties `dependencycheck-cache.properties` could not be found

[2021-02-17T04:23:08.286Z]  at org.owasp.dependencycheck.data.cache.DataCacheFactory.<init>(DataCacheFactory.java:99)

[2021-02-17T04:23:08.286Z]  at org.owasp.dependencycheck.analyzer.CentralAnalyzer.initialize(CentralAnalyzer.java:123)

[2021-02-17T04:23:08.286Z]  at org.owasp.dependencycheck.Engine.lambda$loadAnalyzers$1(Engine.java:226)

chhil commented 3 years ago

I have a similar issue.

Previously had 6.0.2 and it started failing and there was a mention in the log to use 6.1.1. We use this via an ant task in our CI TeamCity builds. The zip file for 6.1.1 was downloaded and the existing folder structure was removed and the structure from the new zip file was added (the folder structure was the same with updated jars in them).

Ignoring the slf4j binding error, dependencycheck.properties and dependencycheck-cache.properties were not found.

[18:30:34][Step 3/4] dependency-check
[18:30:34][dependency-check] dependency-check

[18:30:34][dependency-check] SLF4J: Found binding in [jar:file:/C:/BuildAgent/work/5f5ab115e3b0c048/sonarqube/dependency-check-ant/lib/dependency-check-ant-6.1.1.jar!/org/slf4j/impl/StaticLoggerBinder.class]
[18:30:34][dependency-check] SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
[18:30:34][dependency-check] SLF4J: Actual binding is of type [org.owasp.dependencycheck.ant.logging.AntLoggerFactory]
[18:30:34][dependency-check] Unable to create an Input Stream for dependencycheck.properties
[18:30:34][dependency-check] java.io.FileNotFoundException: dependencycheck.properties (The system cannot find the file specified)
    at java.io.FileInputStream.open0(Native Method)
    at java.io.FileInputStream.open(FileInputStream.java:195)
    at java.io.FileInputStream.<init>(FileInputStream.java:138)
    at java.io.FileInputStream.<init>(FileInputStream.java:93)
    at org.owasp.dependencycheck.utils.FileUtils.getResourceAsStream(FileUtils.java:169)
    at org.owasp.dependencycheck.utils.Settings.initialize(Settings.java:740)
    at org.owasp.dependencycheck.utils.Settings.<init>(Settings.java:710)
    at org.owasp.dependencycheck.taskdefs.Purge.populateSettings(Purge.java:135)
    at org.owasp.dependencycheck.taskdefs.Update.populateSettings(Update.java:400)
    at org.owasp.dependencycheck.taskdefs.Check.populateSettings(Check.java:1815)
    at org.owasp.dependencycheck.taskdefs.Check.execute(Check.java:1723)
    at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:293)
    at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
    at org.apache.tools.ant.Task.perform(Task.java:352)
    at org.apache.tools.ant.Target.execute(Target.java:437)
    at org.apache.tools.ant.Target.performTasks(Target.java:458)
    at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1405)
    at org.apache.tools.ant.Project.executeTarget(Project.java:1376)
    at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
    at org.apache.tools.ant.Project.executeTargets(Project.java:1260)
    at org.apache.tools.ant.Main.runBuild(Main.java:857)
    at org.apache.tools.ant.Main.startAnt(Main.java:236)
    at org.apache.tools.ant.launch.Launcher.run(Launcher.java:286)
    at org.apache.tools.ant.launch.Launcher.main(Launcher.java:112)
[18:30:34][dependency-check] Did not find settings file 'dependencycheck.properties'.
[18:30:35][dependency-check] Unable to create an Input Stream for dependencycheck-cache.properties
[18:30:35][dependency-check] java.io.FileNotFoundException: dependencycheck-cache.properties (The system cannot find the file specified)
    at java.io.FileInputStream.open0(Native Method)
    at java.io.FileInputStream.open(FileInputStream.java:195)
    at java.io.FileInputStream.<init>(FileInputStream.java:138)
    at java.io.FileInputStream.<init>(FileInputStream.java:93)
    at org.owasp.dependencycheck.utils.FileUtils.getResourceAsStream(FileUtils.java:169)
    at org.owasp.dependencycheck.data.cache.DataCacheFactory.<init>(DataCacheFactory.java:97)
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.initialize(CentralAnalyzer.java:123)
    at org.owasp.dependencycheck.Engine.lambda$loadAnalyzers$1(Engine.java:226)
    at java.util.ArrayList.forEach(ArrayList.java:1259)
    at org.owasp.dependencycheck.Engine.loadAnalyzers(Engine.java:225)
    at org.owasp.dependencycheck.Engine.initializeEngine(Engine.java:192)
    at org.owasp.dependencycheck.Engine.<init>(Engine.java:181)
    at org.owasp.dependencycheck.Engine.<init>(Engine.java:166)
    at org.owasp.dependencycheck.taskdefs.Check.execute(Check.java:1724)
    at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:293)
    at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
    at org.apache.tools.ant.Task.perform(Task.java:352)
    at org.apache.tools.ant.Target.execute(Target.java:437)
    at org.apache.tools.ant.Target.performTasks(Target.java:458)
    at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1405)
    at org.apache.tools.ant.Project.executeTarget(Project.java:1376)
    at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
    at org.apache.tools.ant.Project.executeTargets(Project.java:1260)
    at org.apache.tools.ant.Main.runBuild(Main.java:857)
    at org.apache.tools.ant.Main.startAnt(Main.java:236)
    at org.apache.tools.ant.launch.Launcher.run(Launcher.java:286)
    at org.apache.tools.ant.launch.Launcher.main(Launcher.java:112)
[18:30:35][dependency-check] java.lang.RuntimeException: Cache properties `dependencycheck-cache.properties` could not be found

cstsw commented 3 years ago

Same for me since I upgraded dependency-check-ant from 6.1.0 to 6.1.1.

My stacktrace is slightly different from chhil's:

[dependency-check] Unable to create an Input Stream for dependencycheck.properties
[dependency-check] Did not find settings file 'dependencycheck.properties'.
[dependency-check] Unable to create an Input Stream for dependencycheck-cache.properties

<Path-to>\build.xml:675: java.lang.RuntimeException: Cache properties `dependencycheck-cache.properties` could not be found
        at org.owasp.dependencycheck.data.cache.DataCacheFactory.<init>(DataCacheFactory.java:99)
        at org.owasp.dependencycheck.analyzer.CentralAnalyzer.initialize(CentralAnalyzer.java:123)
        at org.owasp.dependencycheck.Engine.lambda$loadAnalyzers$1(Engine.java:226)
        at java.util.ArrayList.forEach(ArrayList.java:1249)
        at org.owasp.dependencycheck.Engine.loadAnalyzers(Engine.java:225)
        at org.owasp.dependencycheck.Engine.initializeEngine(Engine.java:192)
        at org.owasp.dependencycheck.Engine.<init>(Engine.java:181)
        at org.owasp.dependencycheck.Engine.<init>(Engine.java:166)
        at org.owasp.dependencycheck.taskdefs.Check.execute(Check.java:1724)
        at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
        at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:99)
        at org.apache.tools.ant.Task.perform(Task.java:350)
        at org.apache.tools.ant.Target.execute(Target.java:449)
        at org.apache.tools.ant.Target.performTasks(Target.java:470)
        at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1401)
        at org.apache.tools.ant.Project.executeTarget(Project.java:1374)
        at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
        at org.apache.tools.ant.Project.executeTargets(Project.java:1264)
        at org.apache.tools.ant.Main.runBuild(Main.java:827)
        at org.apache.tools.ant.Main.startAnt(Main.java:223)
        at org.apache.tools.ant.launch.Launcher.run(Launcher.java:284)
        at org.apache.tools.ant.launch.Launcher.main(Launcher.java:101)

The difference is that in my case no exception is thrown in FileUtils.getResourceAsStream. Rather, the InputStream returned by that method is null, resulting in the exception being thrown in DataCacheFactory two lines later.

chhil commented 3 years ago

@cstsw Do you perhaps have some property in your build.xml since the error is pointing to a specific line in your build.xml?

cstsw commented 3 years ago

@chhil That is just the (last) line of the task definition in my ant script.

The full definition is as follows:

        <dependency-check reportoutputdirectory="${dir.reports.dc}"
                          autoupdate="true"
                          projectname="42"
                          reportformat="ALL"
                          datadirectory="${dependency-check.datadirectory}"
                          failonerror="false"> <!-- This is the line mentioned in the stacktrace -->
            <fileset dir="${basedir}/../${dir.libs}" includes="**/*.jar" />
            <fileset dir="${basedir}/.." includes="**/lib/**/*.jar" />
            <fileset dir="${basedir}" includes="**/lib/**/*.jar" />
            <suppressionfile path="${basedir}/${dir.project.build}/dependency-check-suppressions.xml" />
        </dependency-check>

Nothing special here, I think. Maybe the definition of a datadirectory and a suppressionsfile is not so common but I've used it for years this way.

To me it seems to be a classloading issue since the dependencycheck.properties and dependencycheck-cache.properties files are present in dependency-check-core-6.1.1.jar.

cstsw commented 3 years ago

@chhil The differences in our stacktraces may result from the fact that I don't let my build fail if the dependency-check task fails (failonerror="false"). (This is due to the fact that I've included it in my nightly build and I don't want it to fail just because some cve-database may not be downloadable once in a while. Jenkins marks my build as unstable when this happens so that I can react to it if dependency-check fails continuously.)

SarayuR commented 3 years ago

I have a Q, thought you guys might know. So I am trying to build Docker Image but it is failing at the step where it adds contents inside 'cli' folder, but looks like github code doesn't have anything inside 'cli'. Am I missing something here?

Dockerfile, line 22:

ADD cli/target/dependency-check-${VERSION}-release.zip /

But there is no target/dependency-check-${VERSION}-release.zip folder under 'cli'

jeremylong commented 3 years ago

@SarayuR see the answer in #3149.

The issue with 6.10 -> 6.11 appears to be that the change made to identify resources on the classpath is affecting the ant task. We removed the direct usage of Guava so the API calls changed...
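
The classloading symptom discussed in this thread, as an added example that is not part of the original comments and is not the project's code or its fix: a resource packaged in a jar is only visible through a classloader that has that jar on its path, and a failed lookup returns a null stream rather than throwing. The class name `ResourceLoaderDemo`, the temporary jar and the `taskLoader` standing in for a build tool's task classloader are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.jar.JarEntry;
import java.util.jar.JarOutputStream;

public class ResourceLoaderDemo {
    // Name taken from the error message in this thread; the jar built below is a constructed stand-in.
    static final String NAME = "dependencycheck-cache.properties";

    /** Builds a throwaway jar holding one properties file (constructed sample data). */
    static Path buildJar() throws IOException {
        Path jar = Files.createTempFile("demo-core", ".jar");
        try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(jar))) {
            out.putNextEntry(new JarEntry(NAME));
            out.write("demo.key=value\n".getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
        }
        return jar;
    }

    /** True if the given loader can open the resource. */
    static boolean visible(ClassLoader loader) throws IOException {
        // try-with-resources accepts a null resource, so a failed lookup throws nothing here;
        // the caller has to check for null itself.
        try (InputStream in = loader.getResourceAsStream(NAME)) {
            return in != null;
        }
    }

    public static void main(String[] args) throws IOException {
        Path jar = buildJar();
        // Hypothetical child loader standing in for a build tool's task classloader:
        // it has the jar on its path, the JVM's system and context loaders do not.
        try (URLClassLoader taskLoader = new URLClassLoader(
                new URL[] {jar.toUri().toURL()}, ResourceLoaderDemo.class.getClassLoader())) {
            System.out.println("system loader:  " + visible(ClassLoader.getSystemClassLoader()));
            System.out.println("context loader: "
                    + visible(Thread.currentThread().getContextClassLoader()));
            System.out.println("task loader:    " + visible(taskLoader));
        } finally {
            Files.delete(jar); // runs after the loader has been closed and released the jar
        }
    }
}
```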

jeremylong commented 3 years ago

Fix will be included in 6.1.2

chhil commented 3 years ago

@jeremylong

I built the dependency-check-ant-6.1.2-SNAPSHOT.jar and I still get the error so I assume it needs to be fixed and https://github.com/jeremylong/DependencyCheck/commit/bff06db46404386a2f80d60f27546c47e12edc0f is not the final fix?


[19:22:04][Step 3/4] dependency-check
[19:22:04][dependency-check] dependency-check
[19:22:04][dependency-check] SLF4J: Class path contains multiple SLF4J bindings.
[19:22:04][dependency-check] SLF4J: Found binding in [jar:file:/C:/BuildAgent/work/5f5ab115e3b0c048/sonarqube/dependency-check-ant/dependency-check-ant.jar!/org/slf4j/impl/StaticLoggerBinder.class]
[19:22:04][dependency-check] SLF4J: Found binding in [jar:file:/C:/BuildAgent/work/5f5ab115e3b0c048/sonarqube/dependency-check-ant/lib/dependency-check-ant-6.1.2-SNAPSHOT.jar!/org/slf4j/impl/StaticLoggerBinder.class]
[19:22:04][dependency-check] SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
[19:22:04][dependency-check] SLF4J: Actual binding is of type [org.owasp.dependencycheck.ant.logging.AntLoggerFactory]
[19:22:05][dependency-check] Unable to create an Input Stream for dependencycheck.properties
[19:22:05][dependency-check] java.io.FileNotFoundException: dependencycheck.properties (The system cannot find the file specified)
    at java.io.FileInputStream.open0(Native Method)
    at java.io.FileInputStream.open(FileInputStream.java:195)
    at java.io.FileInputStream.<init>(FileInputStream.java:138)
    at java.io.FileInputStream.<init>(FileInputStream.java:93)
    at org.owasp.dependencycheck.utils.FileUtils.getResourceAsStream(FileUtils.java:169)
    at org.owasp.dependencycheck.utils.Settings.initialize(Settings.java:740)
    at org.owasp.dependencycheck.utils.Settings.<init>(Settings.java:710)
    at org.owasp.dependencycheck.taskdefs.Purge.populateSettings(Purge.java:135)
    at org.owasp.dependencycheck.taskdefs.Update.populateSettings(Update.java:400)
    at org.owasp.dependencycheck.taskdefs.Check.populateSettings(Check.java:1815)
    at org.owasp.dependencycheck.taskdefs.Check.execute(Check.java:1723)
    at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:293)
    at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
    at org.apache.tools.ant.Task.perform(Task.java:352)
    at org.apache.tools.ant.Target.execute(Target.java:437)
    at org.apache.tools.ant.Target.performTasks(Target.java:458)
    at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1405)
    at org.apache.tools.ant.Project.executeTarget(Project.java:1376)
    at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
    at org.apache.tools.ant.Project.executeTargets(Project.java:1260)
    at org.apache.tools.ant.Main.runBuild(Main.java:857)
    at org.apache.tools.ant.Main.startAnt(Main.java:236)
    at org.apache.tools.ant.launch.Launcher.run(Launcher.java:286)
    at org.apache.tools.ant.launch.Launcher.main(Launcher.java:112)
[19:22:05][dependency-check] Did not find settings file 'dependencycheck.properties'.
[19:22:05][dependency-check] Unable to create an Input Stream for dependencycheck-cache.properties
[19:22:05][dependency-check] java.io.FileNotFoundException: dependencycheck-cache.properties (The system cannot find the file specified)
    at java.io.FileInputStream.open0(Native Method)
    at java.io.FileInputStream.open(FileInputStream.java:195)
    at java.io.FileInputStream.<init>(FileInputStream.java:138)
    at java.io.FileInputStream.<init>(FileInputStream.java:93)
    at org.owasp.dependencycheck.utils.FileUtils.getResourceAsStream(FileUtils.java:169)
    at org.owasp.dependencycheck.data.cache.DataCacheFactory.<init>(DataCacheFactory.java:97)
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.initialize(CentralAnalyzer.java:123)
    at org.owasp.dependencycheck.Engine.lambda$loadAnalyzers$1(Engine.java:226)
    at java.util.ArrayList.forEach(ArrayList.java:1259)
    at org.owasp.dependencycheck.Engine.loadAnalyzers(Engine.java:225)
    at org.owasp.dependencycheck.Engine.initializeEngine(Engine.java:192)
    at org.owasp.dependencycheck.Engine.<init>(Engine.java:181)
    at org.owasp.dependencycheck.Engine.<init>(Engine.java:166)
    at org.owasp.dependencycheck.taskdefs.Check.execute(Check.java:1724)
    at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:293)
    at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
    at org.apache.tools.ant.Task.perform(Task.java:352)
    at org.apache.tools.ant.Target.execute(Target.java:437)
    at org.apache.tools.ant.Target.performTasks(Target.java:458)
    at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1405)
    at org.apache.tools.ant.Project.executeTarget(Project.java:1376)
    at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
    at org.apache.tools.ant.Project.executeTargets(Project.java:1260)
    at org.apache.tools.ant.Main.runBuild(Main.java:857)
    at org.apache.tools.ant.Main.startAnt(Main.java:236)
    at org.apache.tools.ant.launch.Launcher.run(Launcher.java:286)
    at org.apache.tools.ant.launch.Launcher.main(Launcher.java:112)
[19:22:05][dependency-check] java.lang.RuntimeException: Cache properties `dependencycheck-cache.properties` could not be found

jeremylong commented 3 years ago

@chhil I just reverted one additional change. Can you test again? Thanks!

chhil commented 3 years ago

I will try this a little later and revert back.

chhil commented 3 years ago

@jeremylong I confirm the issue has been fixed. Thank you.

Rebuilt the snapshot and tested.