jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Dependency Check gets stuck when used #3408

Closed rmeleri closed 3 years ago

rmeleri commented 3 years ago

Hello, been trying to use dependency check on one of my projects, but when it gets to one of the modules and the NVD CVE Analyzer is about to start it gets stuck for about 30min and then this message pops up. [image]

Been getting the same message on other projects as well. I'm using the maven command "mvn org.owasp:dependency-check-maven:6.2.0-SNAPSHOT:check" to run it. Anyone know a fix to this?

EDIT: If I run the same command but with the -X flag (debug output), for some reason it doesn't get stuck: "mvn org.owasp:dependency-check-maven:6.2.0-SNAPSHOT:check -X"

jeremylong commented 3 years ago

ODC has a timeout that was by default 30 minutes. I've seen a few reports of this issue recently so I just increased the timeout to 60 minutes. You can change this locally using:

set JAVA_OPTS=-Dodc.analysis.timeout=60

rmeleri commented 3 years ago

Tried that but it still gives the same problem. :/ When I use the -X flag for debug output it doesn't time out, do you have any suggestions as to why that may be?

Skoucail commented 3 years ago

We are experiencing the same issue. Our devops server automatically downloaded the 6.2.0 version (before it was using 6.1.6). And since then some (not all) of our projects experience this issue. Everything goes quickly until '[INFO] Finished False Positive Analyzer (0 seconds)'. After that nothing. We didn't wait 1h yet, but I guess after 60min we will just get a timeout.

stefanscheidt commented 3 years ago

Same issue here after upgrade from 6.1.7 to 6.2.0.

stefanscheidt commented 3 years ago

We got this as last Maven debug output:

[DEBUG] Begin Analysis of '/var/folders/f5/9hr0ck5n3pzgn6xmrwj610kh0000gp/T/dctempdcaa0b60-a6fd-44d1-b73e-d1a6590cbd29/check11288188695660540680tmp/43/pom.xml' (NVD CVE Analyzer)
[DEBUG] Cache miss for cpe:2.3:a:netty:netty:4.1.52:*:*:*:*:*:*:*

After that we get after some time

org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error connecting to the database

(unfortunately the debug log output is broken, I have to rerun it with --batch-mode tomorrow ...)

stefanscheidt commented 3 years ago

OK. Now the build continues, but fails with the issue reported in #3410.

fcoene commented 3 years ago

We are experiencing the same issue as the original reporter (using ODC 6.2.0 release on Windows server 2016, via maven plugin). ODC hangs and fails if used without -X. But seems to finish and exit cleanly when using -X.

stefanscheidt commented 3 years ago

This morning (just now) I again have the problem of a stuck dependency check, this time executed via mvn --batch-mode --debug org.owasp:dependency-check-maven:check.

jeremylong commented 3 years ago

You can always increase this using:

set JAVA_OPTS=-Dodc.analysis.timeout=60

or

set MAVEN_OPTS=-Dodc.analysis.timeout=60

Skoucail commented 3 years ago

@jeremylong I think for the Azure DevOps task the timeout is already set to 60min. But that doesn't solve the issue, in a working scenario where (in my case) the NVD CVE Analyzer takes less than a second. [image]

In a not working pipeline it just keeps waiting and waiting until it errors or I cancel the pipeline. (This pipeline got canceled after 54min) [image]

rmeleri commented 3 years ago

Have tried increasing the timeout to 60, 120 and 180 minutes but it doesn't fix the problem.

fcoene commented 3 years ago

I don't see this as a timeout setting related issue, something changed from 6.1.6 to 6.2.0 that fully hangs ODC. Running "mvn org.owasp:dependency-check-maven:6.1.6:aggregate" completes successfully in 1 minute. But "mvn org.owasp:dependency-check-maven:6.2.0:aggregate" on the same build just hangs and dies by timeout/CI tool killing.

alaincroisetiere commented 3 years ago

Similar issue here, I don't know why the AppData\Local\Temp\ folder is analyzed. Pipeline got canceled too. [image]

sellersj commented 3 years ago

I think that something is leaking db connections and then when it hits 8 used connections, dbcp2 waits forever until something else kills it.

I've reproduced this with a silly amount of dependencies (when testing a BOM). Maven plugin, issue only showed up with 6.2.0

I can see the issue if I set the connection pool to have a timeout in org.owasp.dependencycheck.data.nvdcve.DatabaseManager e.g.

// 1 minute
connectionPool.setMaxWaitMillis(1000 * 60 * 1);

The issue "goes away" if I put no limit on the connection pool size.

connectionPool.setMaxTotal(-1);

Silly amount of dependencies

<dependency><groupId>com.sun.activation</groupId><artifactId>javax.activation</artifactId><version>1.2.0</version></dependency>
<dependency><groupId>com.sun.xml.ws</groupId><artifactId>jaxws-ri</artifactId><version>2.3.3</version><type>pom</type></dependency>
<dependency><groupId>com.sun.xml.bind</groupId><artifactId>jaxb-impl</artifactId><version>2.2.11</version></dependency>
<dependency><groupId>com.sun.xml.bind</groupId><artifactId>jaxb-core</artifactId><version>2.2.11</version></dependency>
<dependency><groupId>javax.xml.bind</groupId><artifactId>jaxb-api</artifactId><version>2.2.11</version></dependency>
<dependency><groupId>org.glassfish.ha</groupId><artifactId>ha-api</artifactId><version>3.1.12</version></dependency>
<dependency><groupId>javax.transaction</groupId><artifactId>javax.transaction-api</artifactId><version>1.2.1</version></dependency>
<dependency><groupId>org.jvnet.mimepull</groupId><artifactId>mimepull</artifactId><version>1.9.13</version></dependency>
<dependency><groupId>com.sun.xml.fastinfoset</groupId><artifactId>FastInfoset</artifactId><version>1.2.18</version></dependency>
<dependency><groupId>com.sun.activation</groupId><artifactId>jakarta.activation</artifactId><version>1.2.2</version></dependency>
<dependency><groupId>com.sun.xml.messaging.saaj</groupId><artifactId>saaj-impl</artifactId><version>1.5.2</version></dependency>
<dependency><groupId>com.sun.xml.stream.buffer</groupId><artifactId>streambuffer</artifactId><version>1.5.9</version></dependency>
<dependency><groupId>org.glassfish.pfl</groupId><artifactId>pfl-basic</artifactId><version>4.1.0</version></dependency>
<dependency><groupId>org.glassfish.pfl</groupId><artifactId>pfl-tf</artifactId><version>4.1.0</version></dependency>
<dependency><groupId>org.glassfish.gmbal</groupId><artifactId>gmbal</artifactId><version>4.0.1</version></dependency>
<dependency><groupId>org.glassfish.external</groupId><artifactId>management-api</artifactId><version>3.2.2</version></dependency>
<dependency><groupId>com.sun.xml.ws</groupId><artifactId>policy</artifactId><version>2.7.10</version></dependency>
<dependency><groupId>com.sun.xml.ws</groupId><artifactId>jaxws-rt</artifactId><version>2.3.3</version></dependency>
<dependency><groupId>org.eclipse.persistence</groupId><artifactId>org.eclipse.persistence.moxy</artifactId><version>2.7.6</version></dependency>
<dependency><groupId>jakarta.persistence</groupId><artifactId>jakarta.persistence-api</artifactId><version>2.2.3</version></dependency>
<dependency><groupId>com.sun.xml.ws</groupId><artifactId>jaxws-eclipselink-plugin</artifactId><version>2.3.3</version></dependency>
<dependency><groupId>com.sun.xml.bind</groupId><artifactId>jaxb-jxc</artifactId><version>2.3.3</version></dependency>
<dependency><groupId>com.sun.xml.bind</groupId><artifactId>jaxb-xjc</artifactId><version>2.3.3</version></dependency>
<dependency><groupId>com.sun.xml.ws</groupId><artifactId>jaxws-tools</artifactId><version>2.3.3</version></dependency>
<dependency><groupId>com.sun.xml.ws</groupId><artifactId>sdo-eclipselink-plugin</artifactId><version>2.3.3</version></dependency>
<dependency><groupId>com.sun.mail</groupId><artifactId>jakarta.mail</artifactId><version>1.6.5</version></dependency>
<dependency><groupId>org.eclipse.persistence</groupId><artifactId>org.eclipse.persistence.asm</artifactId><version>2.7.6</version></dependency>
<dependency><groupId>org.eclipse.persistence</groupId><artifactId>org.eclipse.persistence.core</artifactId><version>2.7.6</version></dependency>
<dependency><groupId>jakarta.xml.ws</groupId><artifactId>jakarta.xml.ws-api</artifactId><version>2.3.3</version></dependency>
<dependency><groupId>org.eclipse.persistence</groupId><artifactId>commonj.sdo</artifactId><version>2.1.1</version></dependency>
<dependency><groupId>jakarta.xml.soap</groupId><artifactId>jakarta.xml.soap-api</artifactId><version>1.4.2</version></dependency>
<dependency><groupId>org.eclipse.persistence</groupId><artifactId>org.eclipse.persistence.sdo</artifactId><version>2.7.6</version></dependency>
<dependency><groupId>javax.annotation</groupId><artifactId>javax.annotation-api</artifactId><version>1.3.2</version></dependency>
<dependency><groupId>commons-configuration</groupId><artifactId>commons-configuration</artifactId><version>1.10</version></dependency>
<dependency><groupId>org.apache.commons</groupId><artifactId>commons-collections4</artifactId><version>4.4</version></dependency>
<dependency><groupId>commons-codec</groupId><artifactId>commons-codec</artifactId><version>1.15</version></dependency>
<dependency><groupId>commons-beanutils</groupId><artifactId>commons-beanutils</artifactId><version>1.9.4</version></dependency>
<dependency><groupId>jakarta.annotation</groupId><artifactId>jakarta.annotation-api</artifactId><version>1.3.5</version></dependency>
<dependency><groupId>jakarta.jws</groupId><artifactId>jakarta.jws-api</artifactId><version>2.1.0</version></dependency>
<dependency><groupId>jakarta.xml.bind</groupId><artifactId>jakarta.xml.bind-api</artifactId><version>2.3.3</version></dependency>
<dependency><groupId>org.apache.httpcomponents</groupId><artifactId>httpmime</artifactId><version>4.5.13</version></dependency>
<dependency><groupId>org.apache.httpcomponents</groupId><artifactId>httpcore</artifactId><version>4.4.14</version></dependency>
<dependency><groupId>org.apache.httpcomponents</groupId><artifactId>httpclient</artifactId><version>4.5.13</version></dependency>
<dependency><groupId>commons-fileupload</groupId><artifactId>commons-fileupload</artifactId><version>1.4</version></dependency>
<dependency><groupId>net.java.dev.jna</groupId><artifactId>jna-platform</artifactId><version>4.5.2</version></dependency>
<dependency><groupId>org.apache.httpcomponents</groupId><artifactId>httpclient-cache</artifactId><version>4.5.13</version></dependency>
<dependency><groupId>net.java.dev.jna</groupId><artifactId>jna</artifactId><version>4.5.2</version></dependency>
<dependency><groupId>org.apache.httpcomponents</groupId><artifactId>httpclient-win</artifactId><version>4.5.13</version></dependency>
<dependency><groupId>org.apache.httpcomponents.core5</groupId><artifactId>httpcore5</artifactId><version>5.1.1</version></dependency>
<dependency><groupId>org.apache.httpcomponents.core5</groupId><artifactId>httpcore5-testing</artifactId><version>5.1.1</version></dependency>
<dependency><groupId>io.reactivex.rxjava2</groupId><artifactId>rxjava</artifactId><version>2.2.8</version></dependency>
<dependency><groupId>org.apache.httpcomponents</groupId><artifactId>fluent-hc</artifactId><version>4.5.13</version></dependency>
<dependency><groupId>org.apache.httpcomponents.client5</groupId><artifactId>httpclient5-win</artifactId><version>5.1</version></dependency>
<dependency><groupId>org.apache.httpcomponents.client5</groupId><artifactId>httpclient5-testing</artifactId><version>5.1</version></dependency>
<dependency><groupId>org.apache.httpcomponents.client5</groupId><artifactId>httpclient5-fluent</artifactId><version>5.1</version></dependency>
<dependency><groupId>org.apache.httpcomponents.client5</groupId><artifactId>httpclient5-cache</artifactId><version>5.1</version></dependency>
<dependency><groupId>org.apache.httpcomponents.client5</groupId><artifactId>httpclient5</artifactId><version>5.1</version></dependency>
<dependency><groupId>org.apache.commons</groupId><artifactId>commons-compress</artifactId><version>1.20</version></dependency>
<dependency><groupId>org.apache.httpcomponents</groupId><artifactId>httpclient-osgi</artifactId><version>4.5.13</version></dependency>
<dependency><groupId>commons-io</groupId><artifactId>commons-io</artifactId><version>2.8.0</version></dependency>
<dependency><groupId>org.apache.httpcomponents.core5</groupId><artifactId>httpcore5-h2</artifactId><version>5.1.1</version></dependency>
<dependency><groupId>org.apache.commons</groupId><artifactId>commons-digester3</artifactId><version>3.2</version></dependency>
<dependency><groupId>commons-logging</groupId><artifactId>commons-logging</artifactId><version>1.2</version></dependency>
<dependency><groupId>org.apache.commons</groupId><artifactId>commons-math3</artifactId><version>3.6.1</version></dependency>
<dependency><groupId>org.reactivestreams</groupId><artifactId>reactive-streams</artifactId><version>1.0.3</version></dependency>
<dependency><groupId>org.apache.httpcomponents.core5</groupId><artifactId>httpcore5-reactive</artifactId><version>5.1.1</version></dependency>
<dependency><groupId>commons-cli</groupId><artifactId>commons-cli</artifactId><version>1.4</version></dependency>
<dependency><groupId>commons-discovery</groupId><artifactId>commons-discovery</artifactId><version>0.5</version></dependency>
<dependency><groupId>commons-jxpath</groupId><artifactId>commons-jxpath</artifactId><version>1.3</version></dependency>
<dependency><groupId>commons-validator</groupId><artifactId>commons-validator</artifactId><version>1.7</version></dependency>
<dependency><groupId>org.apache.commons</groupId><artifactId>commons-text</artifactId><version>1.9</version></dependency>
<dependency><groupId>dom4j</groupId><artifactId>dom4j</artifactId><version>1.6.1</version></dependency>
<dependency><groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId><version>3.12.0</version></dependency>
<dependency><groupId>org.dom4j</groupId><artifactId>dom4j</artifactId><version>2.1.3</version></dependency>
<dependency><groupId>commons-collections</groupId><artifactId>commons-collections</artifactId><version>3.2.2</version></dependency>
<dependency><groupId>com.opencsv</groupId><artifactId>opencsv</artifactId><version>5.4</version></dependency>
<dependency><groupId>org.apache.commons</groupId><artifactId>commons-csv</artifactId><version>1.8</version></dependency>
<dependency><groupId>org.apache.commons</groupId><artifactId>commons-pool2</artifactId><version>2.9.0</version></dependency>
<dependency><groupId>commons-net</groupId><artifactId>commons-net</artifactId><version>3.8.0</version></dependency>
<dependency><groupId>commons-pool</groupId><artifactId>commons-pool</artifactId><version>1.6</version></dependency>
<dependency><groupId>com.google.code.findbugs</groupId><artifactId>jsr305</artifactId><version>3.0.2</version></dependency>
<dependency><groupId>commons-math</groupId><artifactId>commons-math</artifactId><version>1.2</version></dependency>
<dependency><groupId>commons-digester</groupId><artifactId>commons-digester</artifactId><version>2.1</version></dependency>
<dependency><groupId>com.google.guava</groupId><artifactId>listenablefuture</artifactId><version>9999.0-empty-to-avoid-conflict-with-guava</version></dependency>
<dependency><groupId>commons-lang</groupId><artifactId>commons-lang</artifactId><version>2.6</version></dependency>
<dependency><groupId>commons-httpclient</groupId><artifactId>commons-httpclient</artifactId><version>3.1</version></dependency>
<dependency><groupId>com.google.j2objc</groupId><artifactId>j2objc-annotations</artifactId><version>1.3</version></dependency>
<dependency><groupId>com.google.errorprone</groupId><artifactId>error_prone_annotations</artifactId><version>2.5.1</version></dependency>
<dependency><groupId>org.checkerframework</groupId><artifactId>checker-qual</artifactId><version>3.8.0</version></dependency>
<dependency><groupId>com.google.guava</groupId><artifactId>failureaccess</artifactId><version>1.0.1</version></dependency>
<dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId><version>30.1.1-jre</version></dependency>
<dependency><groupId>velocity</groupId><artifactId>velocity</artifactId><version>1.5</version></dependency>
<dependency><groupId>org.hibernate</groupId><artifactId>hibernate-core</artifactId><version>5.4.32.Final</version></dependency>
<dependency><groupId>xerces</groupId><artifactId>xercesImpl</artifactId><version>2.12.1</version></dependency>
<dependency><groupId>xml-apis</groupId><artifactId>xml-apis</artifactId><version>1.4.01</version></dependency>
<dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-bom</artifactId><version>2.14.1</version><type>pom</type></dependency>
<dependency><groupId>log4j</groupId><artifactId>log4j</artifactId><version>1.2.17</version></dependency>
<dependency><groupId>javax.persistence</groupId><artifactId>javax.persistence-api</artifactId><version>2.2</version></dependency>
<dependency><groupId>net.bytebuddy</groupId><artifactId>byte-buddy</artifactId><version>1.10.22</version></dependency>
<dependency><groupId>antlr</groupId><artifactId>antlr</artifactId><version>2.7.7</version></dependency>
<dependency><groupId>org.jboss.spec.javax.transaction</groupId><artifactId>jboss-transaction-api_1.2_spec</artifactId><version>1.1.1.Final</version></dependency>
<dependency><groupId>org.jboss</groupId><artifactId>jandex</artifactId><version>2.2.3.Final</version></dependency>
<dependency><groupId>com.fasterxml</groupId><artifactId>classmate</artifactId><version>1.5.1</version></dependency>
<dependency><groupId>org.hibernate.common</groupId><artifactId>hibernate-commons-annotations</artifactId><version>5.1.2.Final</version></dependency>
<dependency><groupId>org.glassfish.jaxb</groupId><artifactId>jaxb-runtime</artifactId><version>2.3.1</version></dependency>
<dependency><groupId>org.glassfish.jaxb</groupId><artifactId>txw2</artifactId><version>2.3.1</version></dependency>
<dependency><groupId>com.sun.istack</groupId><artifactId>istack-commons-runtime</artifactId><version>3.0.7</version></dependency>
<dependency><groupId>org.hibernate</groupId><artifactId>hibernate-entitymanager</artifactId><version>5.4.32.Final</version></dependency>
<dependency><groupId>org.jboss.logging</groupId><artifactId>jboss-logging</artifactId><version>3.4.1.Final</version></dependency>
<dependency><groupId>org.hibernate.validator</groupId><artifactId>hibernate-validator</artifactId><version>6.1.7.Final</version></dependency>
<dependency><groupId>org.hibernate</groupId><artifactId>hibernate-envers</artifactId><version>5.4.32.Final</version></dependency>
<dependency><groupId>javax.activation</groupId><artifactId>javax.activation-api</artifactId><version>1.2.0</version></dependency>
<dependency><groupId>jakarta.validation</groupId><artifactId>jakarta.validation-api</artifactId><version>2.0.2</version></dependency>
<dependency><groupId>net.sf.ehcache</groupId><artifactId>ehcache-core</artifactId><version>2.6.11</version></dependency>
<dependency><groupId>org.javassist</groupId><artifactId>javassist</artifactId><version>3.28.0-GA</version></dependency>
<dependency><groupId>cglib</groupId><artifactId>cglib</artifactId><version>3.3.0</version></dependency>
<dependency><groupId>org.ow2.asm</groupId><artifactId>asm</artifactId><version>7.1</version></dependency>
<dependency><groupId>net.sf.ehcache</groupId><artifactId>ehcache</artifactId><version>2.10.6</version></dependency>
<dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-bom</artifactId><version>5.5.0</version><type>pom</type></dependency>
<dependency><groupId>org.hibernate</groupId><artifactId>hibernate-ehcache</artifactId><version>5.4.32.Final</version></dependency>
<dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-acl</artifactId><version>5.5.0</version></dependency>
<dependency><groupId>org.springframework</groupId><artifactId>spring-framework-bom</artifactId><version>5.3.7</version><type>pom</type></dependency>
<dependency><groupId>cglib</groupId><artifactId>cglib-nodep</artifactId><version>3.3.0</version></dependency>
<dependency><groupId>org.springframework</groupId><artifactId>spring-aop</artifactId><version>5.3.7</version></dependency>
<dependency><groupId>org.springframework</groupId><artifactId>spring-context</artifactId><version>5.3.7</version></dependency>
<dependency><groupId>org.springframework</groupId><artifactId>spring-core</artifactId><version>5.3.7</version></dependency>
<dependency><groupId>org.springframework</groupId><artifactId>spring-jcl</artifactId><version>5.3.7</version></dependency>
<dependency><groupId>org.springframework</groupId><artifactId>spring-jdbc</artifactId><version>5.3.7</version></dependency>
<dependency><groupId>org.springframework</groupId><artifactId>spring-tx</artifactId><version>5.3.7</version></dependency>
<dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-config</artifactId><version>5.5.0</version></dependency>
<dependency><groupId>org.springframework</groupId><artifactId>spring-beans</artifactId><version>5.3.7</version></dependency>
<dependency><groupId>org.jetbrains.kotlin</groupId><artifactId>kotlin-stdlib-jdk8</artifactId><version>1.5.0</version></dependency>
<dependency><groupId>org.jetbrains</groupId><artifactId>annotations</artifactId><version>13.0</version></dependency>
<dependency><groupId>org.jetbrains.kotlin</groupId><artifactId>kotlin-stdlib-common</artifactId><version>1.5.0</version></dependency>
<dependency><groupId>org.jetbrains.kotlin</groupId><artifactId>kotlin-stdlib</artifactId><version>1.5.0</version></dependency>
<dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-crypto</artifactId><version>5.5.0</version></dependency>
<dependency><groupId>org.springframework</groupId><artifactId>spring-expression</artifactId><version>5.3.7</version></dependency>
<dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-core</artifactId><version>5.5.0</version></dependency>
<dependency><groupId>org.jetbrains.kotlin</groupId><artifactId>kotlin-stdlib-jdk7</artifactId><version>1.5.0</version></dependency>
<dependency><groupId>org.springframework</groupId><artifactId>spring-web</artifactId><version>5.3.7</version></dependency>
<dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-taglibs</artifactId><version>5.5.0</version></dependency>
<dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-remoting</artifactId><version>5.5.0</version></dependency>
<dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-dependencies</artifactId><version>2.5.0</version><type>pom</type></dependency>
<dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-web</artifactId><version>5.5.0</version></dependency>
<dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-test</artifactId><version>5.5.0</version></dependency>
<dependency><groupId>org.webjars</groupId><artifactId>webjars-locator-core</artifactId><version>0.44</version></dependency>
<dependency><groupId>org.webjars</groupId><artifactId>webjars-locator</artifactId><version>0.40</version></dependency>
<dependency><groupId>org.keycloak</groupId><artifactId>keycloak-common</artifactId><version>4.0.0.Final</version></dependency>
<dependency><groupId>org.keycloak</groupId><artifactId>keycloak-core</artifactId><version>4.0.0.Final</version></dependency>
<dependency><groupId>org.keycloak</groupId><artifactId>keycloak-admin-client</artifactId><version>4.0.0.Final</version></dependency>
<dependency><groupId>org.keycloak.bom</groupId><artifactId>keycloak-adapter-bom</artifactId><version>4.0.0.Final</version><type>pom</type></dependency>
<dependency><groupId>org.springframework.webflow</groupId><artifactId>spring-binding</artifactId><version>2.5.1.RELEASE</version></dependency>
<dependency><groupId>org.springframework.plugin</groupId><artifactId>spring-plugin-core</artifactId><version>2.0.0.RELEASE</version></dependency>
<dependency><groupId>org.springframework.webflow</groupId><artifactId>spring-webflow</artifactId><version>2.5.1.RELEASE</version></dependency>
<dependency><groupId>org.springframework.hateoas</groupId><artifactId>spring-hateoas</artifactId><version>1.3.1</version></dependency>
<dependency><groupId>org.springframework</groupId><artifactId>spring-webmvc</artifactId><version>5.0.9.RELEASE</version></dependency>
<dependency><groupId>org.springframework.ldap</groupId><artifactId>spring-ldap-core</artifactId><version>2.3.4.RELEASE</version></dependency>
<dependency><groupId>ognl</groupId><artifactId>ognl</artifactId><version>3.2.21</version></dependency>
<dependency><groupId>org.springframework.batch</groupId><artifactId>spring-batch-infrastructure</artifactId><version>2.0.4.RELEASE</version></dependency>
<dependency><groupId>org.springframework.ldap</groupId><artifactId>spring-ldap-ldif-batch</artifactId><version>2.3.4.RELEASE</version></dependency>
<dependency><groupId>org.springframework.ldap</groupId><artifactId>spring-ldap-ldif-core</artifactId><version>2.3.4.RELEASE</version></dependency>
<dependency><groupId>org.springframework.ldap</groupId><artifactId>spring-ldap-odm</artifactId><version>2.3.4.RELEASE</version></dependency>
<dependency><groupId>org.freemarker</groupId><artifactId>freemarker</artifactId><version>2.3.20</version></dependency>
<dependency><groupId>org.springframework.ws</groupId><artifactId>spring-ws-security</artifactId><version>3.1.1</version></dependency>
<dependency><groupId>org.springframework.ldap</groupId><artifactId>spring-ldap-core-tiger</artifactId><version>2.3.4.RELEASE</version></dependency>
<dependency><groupId>org.apache.wss4j</groupId><artifactId>wss4j-ws-security-dom</artifactId><version>2.3.0</version></dependency>
<dependency><groupId>org.apache.wss4j</groupId><artifactId>wss4j-ws-security-common</artifactId><version>2.3.0</version></dependency>
<dependency><groupId>org.opensaml</groupId><artifactId>opensaml-saml-impl</artifactId><version>3.4.5</version></dependency>
<dependency><groupId>org.opensaml</groupId><artifactId>opensaml-profile-api</artifactId><version>3.4.5</version></dependency>
<dependency><groupId>org.opensaml</groupId><artifactId>opensaml-core</artifactId><version>3.4.5</version></dependency>
<dependency><groupId>io.dropwizard.metrics</groupId><artifactId>metrics-core</artifactId><version>3.1.2</version></dependency>
<dependency><groupId>org.opensaml</groupId><artifactId>opensaml-saml-api</artifactId><version>3.4.5</version></dependency>
<dependency><groupId>org.opensaml</groupId><artifactId>opensaml-soap-api</artifactId><version>3.4.5</version></dependency>
<dependency><groupId>org.opensaml</groupId><artifactId>opensaml-security-impl</artifactId><version>3.4.5</version></dependency>
<dependency><groupId>org.opensaml</groupId><artifactId>opensaml-security-api</artifactId><version>3.4.5</version></dependency>
<dependency><groupId>net.shibboleth.utilities</groupId><artifactId>java-support</artifactId><version>7.5.1</version></dependency>
<dependency><groupId>org.opensaml</groupId><artifactId>opensaml-xacml-impl</artifactId><version>3.4.5</version></dependency>
<dependency><groupId>org.opensaml</groupId><artifactId>opensaml-xacml-api</artifactId><version>3.4.5</version></dependency>
<dependency><groupId>org.opensaml</groupId><artifactId>opensaml-xacml-saml-api</artifactId><version>3.4.5</version></dependency>
<dependency><groupId>org.jasypt</groupId><artifactId>jasypt</artifactId><version>1.9.3</version></dependency>
<dependency><groupId>org.opensaml</groupId><artifactId>opensaml-xmlsec-api</artifactId><version>3.4.5</version></dependency>
<dependency><groupId>org.opensaml</groupId><artifactId>opensaml-xacml-saml-impl</artifactId><version>3.4.5</version></dependency>
<dependency><groupId>org.apache.geronimo.javamail</groupId><artifactId>geronimo-javamail_1.4_mail</artifactId><version>1.8.4</version></dependency>
<dependency><groupId>org.jvnet.staxex</groupId><artifactId>stax-ex</artifactId><version>1.7.8</version></dependency>
<dependency><groupId>org.opensaml</groupId><artifactId>opensaml-xmlsec-impl</artifactId><version>3.4.5</version></dependency>
<dependency><groupId>org.springframework.ws</groupId><artifactId>spring-ws-support</artifactId><version>3.1.1</version></dependency>
<dependency><groupId>org.ehcache</groupId><artifactId>ehcache</artifactId><version>3.8.1</version></dependency>
<dependency><groupId>org.springframework</groupId><artifactId>spring-jms</artifactId><version>5.3.7</version></dependency>
<dependency><groupId>org.springframework</groupId><artifactId>spring-messaging</artifactId><version>5.3.7</version></dependency>
<dependency><groupId>com.sun.mail</groupId><artifactId>javax.mail</artifactId><version>1.6.0</version></dependency>
<dependency><groupId>org.springframework</groupId><artifactId>spring-oxm</artifactId><version>5.3.7</version></dependency>
<dependency><groupId>org.springframework.ws</groupId><artifactId>spring-xml</artifactId><version>3.1.1</version></dependency>
<dependency><groupId>org.apache.santuario</groupId><artifactId>xmlsec</artifactId><version>1.5.8</version></dependency>
<dependency><groupId>org.apache.ws.security</groupId><artifactId>wss4j</artifactId><version>1.6.19</version></dependency>
<dependency><groupId>org.springframework.ws</groupId><artifactId>spring-ws-core</artifactId><version>3.1.1</version></dependency>
<dependency><groupId>org.opensaml</groupId><artifactId>openws</artifactId><version>1.4.2-1</version></dependency>
<dependency><groupId>org.opensaml</groupId><artifactId>xmltooling</artifactId><version>1.3.2-1</version></dependency>
<dependency><groupId>org.opensaml</groupId><artifactId>opensaml</artifactId><version>2.5.1-1</version></dependency>
<dependency><groupId>org.springframework.retry</groupId><artifactId>spring-retry</artifactId><version>1.3.1</version></dependency>
<dependency><groupId>org.apache.poi</groupId><artifactId>poi-excelant</artifactId><version>5.0.0</version></dependency>
<dependency><groupId>org.apache.poi</groupId><artifactId>poi-examples</artifactId><version>5.0.0</version></dependency>
<dependency><groupId>org.apache.ant</groupId><artifactId>ant-launcher</artifactId><version>1.10.9</version></dependency>
<dependency><groupId>org.apache.ant</groupId><artifactId>ant</artifactId><version>1.10.9</version></dependency>
<dependency><groupId>org.apache.poi</groupId><artifactId>poi-ooxml-full</artifactId><version>5.0.0</version></dependency>
<!-- We are skipping: ..\lib\tools.jar -->
<dependency><groupId>org.apache.poi</groupId><artifactId>poi-ooxml-lite</artifactId><version>5.0.0</version></dependency>
<dependency><groupId>org.apache.poi</groupId><artifactId>poi-ooxml</artifactId><version>5.0.0</version></dependency>
<dependency><groupId>org.apache.xmlbeans</groupId><artifactId>xmlbeans</artifactId><version>4.0.0</version></dependency>
<dependency><groupId>com.github.virtuald</groupId><artifactId>curvesapi</artifactId><version>1.06</version></dependency>
<dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-all</artifactId><version>1.13</version></dependency>
<dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-codec</artifactId><version>1.13</version></dependency>
<dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-constants</artifactId><version>1.13</version></dependency>
<dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-ext</artifactId><version>1.13</version></dependency>
<dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-extension</artifactId><version>1.13</version></dependency>
<dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-gui-util</artifactId><version>1.13</version></dependency>
<dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-script</artifactId><version>1.13</version></dependency>
<dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-rasterizer</artifactId><version>1.13</version></dependency>
<dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-rasterizer-ext</artifactId><version>1.13</version></dependency>
<dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-parser</artifactId><version>1.13</version></dependency>
<dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-i18n</artifactId><version>1.13</version></dependency>
<dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-svgpp</artifactId><version>1.13</version></dependency>
<dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-svgrasterizer</artifactId><version>1.13</version></dependency>
<dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-squiggle</artifactId><version>1.13</version></dependency>
<dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-squiggle-ext</artifactId><version>1.13</version></dependency>
<dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-slideshow</artifactId><version>1.13</version></dependency>
<dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-swing</artifactId><version>1.13</version></dependency>
<dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-svgbrowser</artifactId><version>1.13</version></dependency>
<dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-svg-dom</artifactId><version>1.13</version></dependency>
<dependency><groupId>org.apache.poi</groupId><artifactId>poi-scratchpad</artifactId><version>5.0.0</version></dependency>
<dependency><groupId>de.rototor.pdfbox</groupId><artifactId>graphics2d</artifactId><version>0.30</version></dependency>
<dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-ttf2svg</artifactId><version>1.13</version></dependency>
<dependency><groupId>com.mchange</groupId><artifactId>c3p0</artifactId><version>0.9.5.4</version></dependency>
<dependency><groupId>org.quartz-scheduler</groupId><artifactId>quartz</artifactId><version>2.3.2</version></dependency>
<dependency><groupId>com.zaxxer</groupId><artifactId>SparseBitSet</artifactId><version>1.2</version></dependency>
<dependency><groupId>org.apache.poi</groupId><artifactId>poi</artifactId><version>5.0.0</version></dependency>
<dependency><groupId>org.quartz-scheduler</groupId><artifactId>quartz-jobs</artifactId><version>2.3.2</version></dependency>
<dependency><groupId>com.zaxxer</groupId><artifactId>HikariCP-java7</artifactId><version>2.4.13</version></dependency>
<dependency><groupId>org.apache.velocity</groupId><artifactId>velocity</artifactId><version>1.7</version></dependency>
<dependency><groupId>com.mchange</groupId><artifactId>mchange-commons-java</artifactId><version>0.2.15</version></dependency>
<dependency><groupId>oro</groupId><artifactId>oro</artifactId><version>2.0.8</version></dependency>
<dependency><groupId>displaytag</groupId><artifactId>displaytag</artifactId><version>1.2</version></dependency>
<dependency><groupId>jakarta.taglibs</groupId><artifactId>unstandard</artifactId><version>20060829</version></dependency>
<dependency><groupId>opensymphony</groupId><artifactId>sitemesh</artifactId><version>2.4.2</version></dependency>
<dependency><groupId>org.slf4j</groupId><artifactId>slf4j-nop</artifactId><version>1.7.30</version></dependency>
<dependency><groupId>org.slf4j</groupId><artifactId>log4j-over-slf4j</artifactId><version>1.7.30</version></dependency>
<dependency><groupId>org.slf4j</groupId><artifactId>slf4j-jcl</artifactId><version>1.7.30</version></dependency>
<dependency><groupId>org.slf4j</groupId><artifactId>slf4j-log4j12</artifactId><version>1.7.30</version></dependency>
<dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId><version>1.7.30</version></dependency>
<dependency><groupId>org.aspectj</groupId><artifactId>aspectjweaver</artifactId><version>1.9.6</version></dependency>
<dependency><groupId>org.aspectj</groupId><artifactId>aspectjrt</artifactId><version>1.9.6</version></dependency>
<dependency><groupId>org.slf4j</groupId><artifactId>jul-to-slf4j</artifactId><version>1.7.30</version></dependency>
<dependency><groupId>org.apache.felix</groupId><artifactId>org.apache.felix.framework</artifactId><version>5.6.1</version></dependency>
<dependency><groupId>org.apache.felix</groupId><artifactId>org.apache.felix.main</artifactId><version>5.6.1</version></dependency>
<dependency><groupId>org.slf4j</groupId><artifactId>slf4j-simple</artifactId><version>1.7.30</version></dependency>
<dependency><groupId>ant</groupId><artifactId>ant-junit</artifactId><version>1.6.5</version></dependency>
<dependency><groupId>org.slf4j</groupId><artifactId>integration</artifactId><version>1.7.30</version></dependency>
<dependency><groupId>org.slf4j</groupId><artifactId>osgi-over-slf4j</artifactId><version>1.7.30</version></dependency>
<dependency><groupId>org.slf4j</groupId><artifactId>jcl-over-slf4j</artifactId><version>1.7.30</version></dependency>
<dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-annotations</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-core</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>org.slf4j</groupId><artifactId>slf4j-migrator</artifactId><version>1.7.30</version></dependency>
<dependency><groupId>org.slf4j</groupId><artifactId>slf4j-jdk14</artifactId><version>1.7.30</version></dependency>
<dependency><groupId>org.slf4j</groupId><artifactId>slf4j-ext</artifactId><version>1.7.30</version></dependency>
<dependency><groupId>org.eclipse.collections</groupId><artifactId>eclipse-collections-api</artifactId><version>9.1.0</version></dependency>
<dependency><groupId>org.eclipse.collections</groupId><artifactId>eclipse-collections</artifactId><version>9.1.0</version></dependency>
<dependency><groupId>com.fasterxml.jackson.datatype</groupId><artifactId>jackson-datatype-eclipse-collections</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.dataformat</groupId><artifactId>jackson-dataformat-smile</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.carrotsearch</groupId><artifactId>hppc</artifactId><version>0.8.1</version></dependency>
<dependency><groupId>com.fasterxml.jackson.datatype</groupId><artifactId>jackson-datatype-jaxrs</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.datatype</groupId><artifactId>jackson-datatype-jdk8</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.datatype</groupId><artifactId>jackson-datatype-json-org</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>org.json</groupId><artifactId>json</artifactId><version>20190722</version></dependency>
<dependency><groupId>com.fasterxml.jackson.datatype</groupId><artifactId>jackson-datatype-jsr310</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.datatype</groupId><artifactId>jackson-datatype-jsr353</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.datatype</groupId><artifactId>jackson-datatype-joda</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.datatype</groupId><artifactId>jackson-datatype-pcollections</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>org.pcollections</groupId><artifactId>pcollections</artifactId><version>2.1.2</version></dependency>
<dependency><groupId>com.fasterxml.jackson.jaxrs</groupId><artifactId>jackson-jaxrs-base</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.jaxrs</groupId><artifactId>jackson-jaxrs-cbor-provider</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.dataformat</groupId><artifactId>jackson-dataformat-cbor</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.datatype</groupId><artifactId>jackson-datatype-hppc</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.datatype</groupId><artifactId>jackson-datatype-hibernate5</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.datatype</groupId><artifactId>jackson-datatype-hibernate4</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.datatype</groupId><artifactId>jackson-datatype-hibernate3</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.datatype</groupId><artifactId>jackson-datatype-guava</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.dataformat</groupId><artifactId>jackson-dataformat-xml</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.jaxrs</groupId><artifactId>jackson-jaxrs-xml-provider</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.jaxrs</groupId><artifactId>jackson-jaxrs-smile-provider</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.jaxrs</groupId><artifactId>jackson-jaxrs-yaml-provider</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.jaxrs</groupId><artifactId>jackson-jaxrs-json-provider</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>javax.json</groupId><artifactId>javax.json-api</artifactId><version>1.1.4</version></dependency>
<dependency><groupId>com.fasterxml.jackson.module</groupId><artifactId>jackson-module-jaxb-annotations</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.module</groupId><artifactId>jackson-module-osgi</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>org.osgi</groupId><artifactId>org.osgi.core</artifactId><version>5.0.0</version></dependency>
<dependency><groupId>com.fasterxml.jackson.module</groupId><artifactId>jackson-module-kotlin</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>org.jetbrains.kotlin</groupId><artifactId>kotlin-reflect</artifactId><version>1.4.21</version></dependency>
<dependency><groupId>org.yaml</groupId><artifactId>snakeyaml</artifactId><version>1.27</version></dependency>
<dependency><groupId>com.fasterxml.jackson.dataformat</groupId><artifactId>jackson-dataformat-yaml</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.woodstox</groupId><artifactId>woodstox-core</artifactId><version>6.2.4</version></dependency>
<dependency><groupId>org.codehaus.woodstox</groupId><artifactId>stax2-api</artifactId><version>4.2</version></dependency>
<dependency><groupId>com.fasterxml.jackson.module</groupId><artifactId>jackson-module-paranamer</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.module</groupId><artifactId>jackson-module-mrbean</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>com.fasterxml.jackson.module</groupId><artifactId>jackson-module-jsonSchema</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>javax.validation</groupId><artifactId>validation-api</artifactId><version>1.1.0.Final</version></dependency>
<dependency><groupId>com.fasterxml.jackson.module</groupId><artifactId>jackson-module-parameter-names</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>jakarta.activation</groupId><artifactId>jakarta.activation-api</artifactId><version>1.2.1</version></dependency>
<dependency><groupId>com.fasterxml.jackson.module</groupId><artifactId>jackson-module-afterburner</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>aopalliance</groupId><artifactId>aopalliance</artifactId><version>1.0</version></dependency>
<dependency><groupId>com.google.inject</groupId><artifactId>guice</artifactId><version>5.0.0-BETA-1</version></dependency>
<dependency><groupId>com.fasterxml.jackson.module</groupId><artifactId>jackson-module-guice</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bcmail-jdk15on</artifactId><version>1.68</version></dependency>
<dependency><groupId>com.thoughtworks.paranamer</groupId><artifactId>paranamer</artifactId><version>2.8</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bcmail-jdk15to18</artifactId><version>1.68</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bcmail-jdk14</artifactId><version>1.68</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bcpg-jdk15to18</artifactId><version>1.68</version></dependency>
<dependency><groupId>net.minidev</groupId><artifactId>accessors-smart</artifactId><version>2.4.7</version></dependency>
<dependency><groupId>net.minidev</groupId><artifactId>json-smart</artifactId><version>2.4.7</version></dependency>
<dependency><groupId>com.fasterxml.uuid</groupId><artifactId>java-uuid-generator</artifactId><version>4.0.1</version></dependency>
<dependency><groupId>org.scala-lang</groupId><artifactId>scala-library</artifactId><version>2.11.12</version></dependency>
<dependency><groupId>com.fasterxml.jackson.module</groupId><artifactId>jackson-module-scala_2.11</artifactId><version>2.12.3</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bcpkix-jdk14</artifactId><version>1.68</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bcpkix-jdk15to18</artifactId><version>1.68</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bcprov-debug-jdk15on</artifactId><version>1.68</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bcpg-jdk15on</artifactId><version>1.68</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bcpg-jdk14</artifactId><version>1.68</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bcprov-ext-jdk15to18</artifactId><version>1.68</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bcprov-ext-jdk14</artifactId><version>1.68</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bctls-jdk15on</artifactId><version>1.68</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bcpkix-jdk15on</artifactId><version>1.68</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bcmail-jdk15</artifactId><version>1.46</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bcmail-jdk16</artifactId><version>1.46</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bctls-jdk15to18</artifactId><version>1.68</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bctls-jdk14</artifactId><version>1.68</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bcprov-jdk15to18</artifactId><version>1.68</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bcprov-jdk15on</artifactId><version>1.68</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bcprov-jdk14</artifactId><version>1.68</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bctsp-jdk14</artifactId><version>1.46</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bcprov-jdk16</artifactId><version>1.46</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bcprov-jdk15</artifactId><version>1.46</version></dependency>
<dependency><groupId>org.bouncycastle</groupId><artifactId>bcpg-jdk15</artifactId><version>1.46</version></dependency>
<dependency><groupId>com.lowagie</groupId><artifactId>itext-rtf</artifactId><version>2.1.7</version></dependency>
<dependency><groupId>org.apache.pdfbox</groupId><artifactId>debugger-app</artifactId><version>2.0.8</version></dependency>
<dependency><groupId>com.lowagie</groupId><artifactId>itext</artifactId><version>2.1.7</version></dependency>
<dependency><groupId>org.apache.pdfbox</groupId><artifactId>fontbox</artifactId><version>2.0.8</version></dependency>
<dependency><groupId>org.apache.pdfbox</groupId><artifactId>pdfbox-app</artifactId><version>2.0.8</version></dependency>
<dependency><groupId>org.apache.pdfbox</groupId><artifactId>pdfbox-debugger</artifactId><version>2.0.8</version></dependency>
<dependency><groupId>com.lowagie</groupId><artifactId>itext-rups</artifactId><version>2.1.7</version></dependency>
<dependency><groupId>org.apache.lucene</groupId><artifactId>lucene-analyzers-common</artifactId><version>4.7.2</version></dependency>
<dependency><groupId>org.apache.pdfbox</groupId><artifactId>pdfbox</artifactId><version>2.0.8</version></dependency>
<dependency><groupId>org.apache.pdfbox</groupId><artifactId>preflight-app</artifactId><version>2.0.8</version></dependency>
<dependency><groupId>org.apache.pdfbox</groupId><artifactId>pdfbox-tools</artifactId><version>2.0.8</version></dependency>
<dependency><groupId>org.apache.lucene</groupId><artifactId>lucene-core</artifactId><version>4.7.2</version></dependency>
<dependency><groupId>org.apache.pdfbox</groupId><artifactId>pdfbox-examples</artifactId><version>2.0.8</version></dependency>
<dependency><groupId>struts</groupId><artifactId>struts</artifactId><version>1.2.9</version></dependency>
<dependency><groupId>wsdl4j</groupId><artifactId>wsdl4j</artifactId><version>1.6.3</version></dependency>
<dependency><groupId>org.codehaus.castor</groupId><artifactId>castor-parent</artifactId><version>1.4.1</version><type>pom</type></dependency>
<dependency><groupId>joda-time</groupId><artifactId>joda-time</artifactId><version>2.10.10</version></dependency>
<dependency><groupId>org.apache.pdfbox</groupId><artifactId>xmpbox</artifactId><version>2.0.8</version></dependency>
<dependency><groupId>org.apache.pdfbox</groupId><artifactId>preflight</artifactId><version>2.0.8</version></dependency>
<dependency><groupId>javax.inject</groupId><artifactId>javax.inject</artifactId><version>1</version></dependency>
<dependency><groupId>stax</groupId><artifactId>stax</artifactId><version>1.2.0</version></dependency>
<dependency><groupId>stax</groupId><artifactId>stax-api</artifactId><version>1.0.1</version></dependency>
<dependency><groupId>javax.xml.stream</groupId><artifactId>stax-api</artifactId><version>1.0-2</version></dependency>
<dependency><groupId>net.htmlparser.jericho</groupId><artifactId>jericho-html</artifactId><version>3.4</version></dependency>
<dependency><groupId>com.ibm.icu</groupId><artifactId>icu4j</artifactId><version>69.1</version></dependency>
<dependency><groupId>org.owasp.esapi</groupId><artifactId>esapi</artifactId><version>2.2.3.1</version></dependency>
<dependency><groupId>org.codehaus.castor</groupId><artifactId>castor-core</artifactId><version>1.3.3</version></dependency>
<dependency><groupId>com.io7m.xom</groupId><artifactId>xom</artifactId><version>1.2.10</version></dependency>
<dependency><groupId>org.owasp.antisamy</groupId><artifactId>antisamy</artifactId><version>1.6.3</version></dependency>
<dependency><groupId>org.codehaus.castor</groupId><artifactId>castor-xml</artifactId><version>1.3.3</version></dependency>
<dependency><groupId>xalan</groupId><artifactId>xalan</artifactId><version>2.5.1</version></dependency>
<dependency><groupId>net.sourceforge.nekohtml</groupId><artifactId>nekohtml</artifactId><version>1.9.22</version></dependency>
<dependency><groupId>org.apache-extras.beanshell</groupId><artifactId>bsh</artifactId><version>2.0b6</version></dependency>
<dependency><groupId>xml-apis</groupId><artifactId>xml-apis-ext</artifactId><version>1.3.04</version></dependency>
<dependency><groupId>io.springfox</groupId><artifactId>springfox-bean-validators</artifactId><version>3.0.0</version></dependency>
<dependency><groupId>io.springfox</groupId><artifactId>springfox-boot-starter</artifactId><version>3.0.0</version></dependency>
<dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>xmlgraphics-commons</artifactId><version>2.6</version></dependency>
<dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-css</artifactId><version>1.14</version></dependency>
<dependency><groupId>io.springfox</groupId><artifactId>springfox-data-rest</artifactId><version>3.0.0</version></dependency>
<dependency><groupId>io.springfox</groupId><artifactId>springfox-oas</artifactId><version>3.0.0</version></dependency>
<dependency><groupId>io.springfox</groupId><artifactId>springfox-core</artifactId><version>3.0.0</version></dependency>
<dependency><groupId>org.springframework.plugin</groupId><artifactId>spring-plugin-metadata</artifactId><version>2.0.0.RELEASE</version></dependency>
<dependency><groupId>com.google.code.gson</groupId><artifactId>gson</artifactId><version>2.8.7</version></dependency>
<dependency><groupId>io.springfox</groupId><artifactId>springfox-schema</artifactId><version>3.0.0</version></dependency>
<dependency><groupId>org.mapstruct</groupId><artifactId>mapstruct</artifactId><version>1.3.1.Final</version></dependency>
<dependency><groupId>io.swagger.core.v3</groupId><artifactId>swagger-models</artifactId><version>2.1.2</version></dependency>
<dependency><groupId>io.swagger.core.v3</groupId><artifactId>swagger-annotations</artifactId><version>2.1.2</version></dependency>
<dependency><groupId>io.springfox</groupId><artifactId>springfox-spring-web</artifactId><version>3.0.0</version></dependency>
<dependency><groupId>io.springfox</groupId><artifactId>springfox-spring-integration-webmvc</artifactId><version>3.0.0</version></dependency>
<dependency><groupId>io.springfox</groupId><artifactId>springfox-spring-integration-webflux</artifactId><version>3.0.0</version></dependency>
<dependency><groupId>com.athaydes.rawhttp</groupId><artifactId>rawhttp-core</artifactId><version>2.2.1</version></dependency>
<dependency><groupId>io.springfox</groupId><artifactId>springfox-spring-integration</artifactId><version>3.0.0</version></dependency>
<dependency><groupId>io.springfox</groupId><artifactId>springfox-spi</artifactId><version>3.0.0</version></dependency>
<dependency><groupId>io.springfox</groupId><artifactId>springfox-swagger-ui</artifactId><version>3.0.0</version></dependency>
<dependency><groupId>io.swagger</groupId><artifactId>swagger-models</artifactId><version>1.5.20</version></dependency>
<dependency><groupId>io.swagger</groupId><artifactId>swagger-annotations</artifactId><version>1.5.20</version></dependency>
<dependency><groupId>io.springfox</groupId><artifactId>springfox-swagger-common</artifactId><version>3.0.0</version></dependency>
<dependency><groupId>io.springfox</groupId><artifactId>springfox-spring-webmvc</artifactId><version>3.0.0</version></dependency>
<dependency><groupId>io.springfox</groupId><artifactId>springfox-spring-webflux</artifactId><version>3.0.0</version></dependency>
<dependency><groupId>io.github.classgraph</groupId><artifactId>classgraph</artifactId><version>4.8.83</version></dependency>
<dependency><groupId>isorelax</groupId><artifactId>isorelax</artifactId><version>20030108</version></dependency>
<dependency><groupId>com.shapesecurity</groupId><artifactId>salvation</artifactId><version>2.7.2</version></dependency>
<dependency><groupId>nu.validator</groupId><artifactId>validator</artifactId><version>20.7.2</version></dependency>
<dependency><groupId>org.jsoup</groupId><artifactId>jsoup</artifactId><version>1.13.1</version></dependency>
<dependency><groupId>io.springfox</groupId><artifactId>springfox-swagger2</artifactId><version>3.0.0</version></dependency>
<dependency><groupId>io.springfox</groupId><artifactId>springfox-swagger1</artifactId><version>3.0.0</version></dependency>
<dependency><groupId>nu.validator</groupId><artifactId>htmlparser</artifactId><version>1.4.16</version></dependency>
<dependency><groupId>nu.validator</groupId><artifactId>galimatias</artifactId><version>0.1.3</version></dependency>
<dependency><groupId>nu.validator</groupId><artifactId>langdetect</artifactId><version>1.2</version></dependency>
<dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-io</artifactId><version>9.4.18.v20190429</version></dependency>
<dependency><groupId>net.sf.saxon</groupId><artifactId>Saxon-HE</artifactId><version>9.6.0-4</version></dependency>
<dependency><groupId>javax.servlet</groupId><artifactId>javax.servlet-api</artifactId><version>3.1.0</version></dependency>
<dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-server</artifactId><version>9.4.18.v20190429</version></dependency>
<dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-security</artifactId><version>9.4.18.v20190429</version></dependency>
<dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-http</artifactId><version>9.4.18.v20190429</version></dependency>
<dependency><groupId>nu.validator</groupId><artifactId>jing</artifactId><version>20200702VNU</version></dependency>
<dependency><groupId>nu.validator</groupId><artifactId>cssvalidator</artifactId><version>1.0.8</version></dependency>
<dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-continuation</artifactId><version>9.4.18.v20190429</version></dependency>
<dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-servlets</artifactId><version>9.4.18.v20190429</version></dependency>
<dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-util</artifactId><version>9.4.18.v20190429</version></dependency>

RasmusOlesen commented 3 years ago

We are facing the same issue. Scanning just gets stuck in the NVD CVE Analyzer phase after the upgrade to 6.2.0.

We are also scanning a bit more than a silly amount of dependencies.
dependency-check version: 6.1.6
Dependencies Scanned: 10851 (9797 unique)

sellersj commented 3 years ago

I don't know if this is the reason, but I've noticed that the Connection and PreparedStatement are opened in a try-with-resources, but then the result set is often closed in a finally block.

From what I understand this means that the order those objects get closed goes

"A try-with-resources statement can have catch and finally blocks just like an ordinary try statement. In a try-with-resources statement, any catch or finally block is run after the resources declared have been closed." https://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html

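The close order that the quoted Oracle passage implies for the pattern described in the comment above, as an added example (not DependencyCheck code and not part of the thread). `Tracked` is a hypothetical stand-in for the JDBC Connection, PreparedStatement and ResultSet that records the moment each one is closed.

```java
import java.util.ArrayList;
import java.util.List;

public class CloseOrderDemo {

    /** Hypothetical stand-in for a JDBC resource; logs its name when closed. */
    static final class Tracked implements AutoCloseable {
        private final String name;
        private final List<String> log;

        Tracked(String name, List<String> log) {
            this.name = name;
            this.log = log;
        }

        @Override
        public void close() {
            log.add("close " + name);
        }
    }

    /** Pattern from the comment: result set opened in the body, closed in finally. */
    static List<String> resultSetInFinally() {
        List<String> log = new ArrayList<>();
        Tracked rs = null;
        try (Tracked conn = new Tracked("Connection", log);
             Tracked ps = new Tracked("PreparedStatement", log)) {
            rs = new Tracked("ResultSet", log);
            log.add("body");
        } finally {
            // Runs only after ps and conn have been closed, so with a pooled
            // data source the connection is already back in the pool here.
            if (rs != null) {
                rs.close();
            }
        }
        return log;
    }

    /** Alternative: declare the result set as the last resource. */
    static List<String> resultSetAsResource() {
        List<String> log = new ArrayList<>();
        try (Tracked conn = new Tracked("Connection", log);
             Tracked ps = new Tracked("PreparedStatement", log);
             Tracked rs = new Tracked("ResultSet", log)) {
            log.add("body");
        }
        // Resources are closed in reverse declaration order: rs, ps, conn.
        return log;
    }

    public static void main(String[] args) {
        System.out.println("finally block : " + resultSetInFinally());
        System.out.println("as a resource : " + resultSetAsResource());
    }
}
```
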
jeremylong commented 3 years ago

I have updated a couple of things with https://github.com/jeremylong/DependencyCheck/pull/3419 - However, I have not been able to reproduce the issue where we hang after the FP analyzer completes.

Server: MySQL 8.0.25
Driver: mysql-connector-java-8.0.21.jar
Command:

$dependency-check.sh --disableCentral --disableOssIndex --connectionString "jdbc:mysql://localhost/dependencycheck?serverTimezone=UTC" -o . -l odc.log -s ~/.m2/repository/

My local maven repository contains way more than the above listed silly amount of dependencies: Dependencies Scanned: 9846 (6753 unique). A trimmed version of the output was:

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (45 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (18 seconds)
[INFO] Finished Assembly Analyzer (6 seconds)
[INFO] Finished Node.js Package Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (15 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (2 seconds)
[INFO] Finished CPE Analyzer (34 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (4 seconds)
[INFO] Finished RetireJS Analyzer (15 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (4 seconds)
[INFO] Finished Dependency Bundling Analyzer (26332 seconds)
[INFO] Analysis Complete (27066 seconds)

So to me - the real issue is the dependency bundling analyzer. I have thoughts on how to resolve this as it is currently something like an O(N^2) operation (my big o notation/evaluation is a bit rusty) and I know we can split it up into chunks and parallelize the analysis. However, that is a different problem than this ticket - I digress...

@sellersj as you have been able to reproduce the issue - does it actually go away with the changes made in https://github.com/jeremylong/DependencyCheck/pull/3419? Note that there are DB schema changes (added a transaction around two operations - but this only affects updating, not the DB reads that appear to cause things to hang).

sellersj commented 3 years ago

I’ll get back to you with a reproducible project. Sorry, I should have made one right away.

My tests were using: H2; Maven plugin; Java 8; Maven 3.8.1; a clean database, update as a separate step before.

I did test it with the changes to the closing of ResultSet but it still didn't work for me. I have not checked if my last test has the transaction code.

If I change the DS pool to unlimited it would pass, and then if I removed that setting it would pass. Like a cached result? Not sure.

This feels like a threading race condition in the DS pool to me, but that’s a wild guess. I looked through the code and things seem clean and nothing jumped out at me.

Thanks for digging into this.

On Fri, Jun 4, 2021 at 8:22 AM Jeremy Long @.***> wrote:

I have updated a couple of things with #3419 https://github.com/jeremylong/DependencyCheck/pull/3419 - However, I have not been able to re-produce the issue where we hang after the FP analyzer completes.

Server: MySQL 8.0.25 Driver: mysql-connector-java-8.0.21.jar Command:

$dependency-check.sh --disableCentral --disableOssIndex --connectionString "jdbc:mysql://localhost/dependencycheck?serverTimezone=UTC" -o . -l odc.log -s ~/.m2/repository/

My local maven repository contains way more then the above listed silly amount of dependencies: Dependencies Scanned: 9846 (6753 unique). A trimmed version of the output was:

[INFO] Analysis Started [INFO] Finished Archive Analyzer (45 seconds) [INFO] Finished File Name Analyzer (0 seconds) [INFO] Finished Jar Analyzer (18 seconds) [INFO] Finished Assembly Analyzer (6 seconds) [INFO] Finished Node.js Package Analyzer (0 seconds) [INFO] Finished Dependency Merging Analyzer (15 seconds) [INFO] Finished Version Filter Analyzer (0 seconds) [INFO] Finished Hint Analyzer (0 seconds) [INFO] Created CPE Index (2 seconds) [INFO] Finished CPE Analyzer (34 seconds) [INFO] Finished False Positive Analyzer (0 seconds) [INFO] Finished NVD CVE Analyzer (4 seconds) [INFO] Finished RetireJS Analyzer (15 seconds) [INFO] Finished Vulnerability Suppression Analyzer (4 seconds) [INFO] Finished Dependency Bundling Analyzer (26332 seconds) [INFO] Analysis Complete (27066 seconds)

So to me - the real issue is the dependency bundling analyzer. I have thoughts on how to resolve this as it is currently something like an O(N^2) operation (my big o notation/evaluation is a bit rusty) and I know we can split it up into chunks and parallelize the analysis. However, that is a different problem then this ticket - I digress...

@sellersj https://github.com/sellersj as you have been able to reproduce the issue - does it actually go away with the changes made in #3419 https://github.com/jeremylong/DependencyCheck/pull/3419? Note that there are DB schema changes (added a transaction around two operations - but this only affects updating, not the DB reads that appear to cause things to hang).


jeremylong commented 3 years ago

If you were using H2 - one thing that might have been causing these issues could be related to a fix I just pushed to the mysql branch. See https://github.com/jeremylong/DependencyCheck/issues/3416#issuecomment-854708848

The updates around the transactions only affected mysql. I likely need to replicate the transactions on those two calls in oracle, ms sql, etc. - as it can cause slightly weird (but not catastrophic) things to occur. Everything will still work correctly - just might have some unexpected duplicate rows in the database.

sellersj commented 3 years ago

I updated my test project with a reproducible (on my laptop) test. The logs from 6.2.0 and 6.2.1-SNAPSHOT (whatever is in nexus snapshot) are included. https://github.com/sellersj/check-owasp-slow

It hangs on "Cache miss for" so I kill the script and it writes the final 3 lines of "Resetting Indexed File"

I'm not sure if you wanted to set the MaxWaitMillis setting to the connection pool. It might hide the error because the plugin resumes, but the process wouldn't hang indefinitely.

jeremylong commented 3 years ago

I am unable to observe the issue on my machine. I've tested 6.2.0 and some of the newer snapshot version.

sellersj commented 3 years ago

I think that I've figured out the reason why I'm seeing this behaviour.

I've been taking a quick look around dbcp2 to see if there's an easy way to store a Connection in a ThreadLocal or something similar but I have not found anything like that out of the box. Maybe a bad idea. Might be better to pass the Connection object to the method in this case.

fcoene commented 3 years ago

My setup is internal db (I guess that is H2?), clean ODC maven plugin install, empty local maven repo, java 8. I see 8 errors from the NVD CVE Analyzer after the 1 hour timeout which would suggest/confirm the theory of lockup of 8 threads. Maybe to reproduce this, you need the local cache misses (i.e. an empty local maven repo)?

brecht-yperman-tb commented 3 years ago

Here is a thread dump from the problem occurring on a 12 core machine.

jeremylong commented 3 years ago

We just released 6.2.1 - this might fix part of the underlying issue. However, I suspect it will not fully resolve the hanging issue.

brecht-yperman-tb commented 3 years ago

Same issue with similar thread dump on 6.2.1

ssyzyg commented 3 years ago

Still see the stuck issue on 6.2.1. For now, I have to manually split the artifacts (jars) into multiple dependency check processes. And I have to read multiple reports.

DEBUG - Begin Analysis of '/home/.../lib/org.springframework.spring-aop-5.1.4.RELEASE.jar' (NVD CVE Analyzer)
2021-06-09 10:11:36,114 org.owasp.dependencycheck.data.nvdcve.CveDB:542
DEBUG - Cache miss for cpe:2.3:a:pivotal_software:spring_framework:5.1.4:release:*:*:*:*:*:*

ssyzyg commented 3 years ago

One tricky way is to scan a packed file (e.g. zip all the jars). This way worked for me when using the v6.2.1 command line version.

./dependency-check.sh --project Dependency-Check \
--connectionString "jdbc:mysql://localhost/dependencycheck?serverTimezone=UTC" \
--dbDriverName=com.mysql.cj.jdbc.Driver \
--dbUser=xxx --dbPassword='xxx'  \
--disableAssembly --disableNuspec \
--format=HTML  --log=/tmp/scan.log \
--scan /xxx/target/com.plugin.zip

moritzluedtke commented 3 years ago

I can confirm this issue in 6.2.0 and 6.2.1 (maven and brew install). I then tried 6.1.6 with the maven plugin and that seems to work just fine.

My setup:

I purged the db and then let the check (homebrew install) run for way over an hour until it was finished and this was the resulting console output (shortened):

dependency-check --out . --scan some-jar-1.0.1-SNAPSHOT.jar --disableAssembly --log owasp6.log

[...]

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (2 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (0 seconds)
[INFO] Finished Central Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (2 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[ERROR] Analysis task was cancelled.
[WARN] An error occurred while analyzing '/var/folders/3p/czqsrbvj5fdc2cd38mlzxf94fslyz7/T/dctempd4b79305-cbcb-4cfd-adb9-e6f60ed77ddf/check3977533516090718012tmp/1/BOOT-INF/lib/jackson-dataformat-smile-2.11.4.jar' (NVD CVE Analyzer).
[WARN] An error occurred while analyzing '/var/folders/3p/czqsrbvj5fdc2cd38mlzxf94fslyz7/T/dctempd4b79305-cbcb-4cfd-adb9-e6f60ed77ddf/check3977533516090718012tmp/1/BOOT-INF/lib/zipkin-2.21.1.jar' (NVD CVE Analyzer).
[WARN] An error occurred while analyzing '/var/folders/3p/czqsrbvj5fdc2cd38mlzxf94fslyz7/T/dctempd4b79305-cbcb-4cfd-adb9-e6f60ed77ddf/check3977533516090718012tmp/1/BOOT-INF/lib/spring-webmvc-5.2.14.RELEASE.jar' (NVD CVE Analyzer).
[WARN] An error occurred while analyzing '/var/folders/3p/czqsrbvj5fdc2cd38mlzxf94fslyz7/T/dctempd4b79305-cbcb-4cfd-adb9-e6f60ed77ddf/check3977533516090718012tmp/1/BOOT-INF/lib/elasticsearch-geo-7.9.2.jar' (NVD CVE Analyzer).
[WARN] An error occurred while analyzing '/var/folders/3p/czqsrbvj5fdc2cd38mlzxf94fslyz7/T/dctempd4b79305-cbcb-4cfd-adb9-e6f60ed77ddf/check3977533516090718012tmp/1/BOOT-INF/lib/elasticsearch-rest-high-level-client-7.9.2.jar' (NVD CVE Analyzer).
[WARN] An error occurred while analyzing '/var/folders/3p/czqsrbvj5fdc2cd38mlzxf94fslyz7/T/dctempd4b79305-cbcb-4cfd-adb9-e6f60ed77ddf/check3977533516090718012tmp/1/BOOT-INF/lib/spring-beans-5.2.14.RELEASE.jar' (NVD CVE Analyzer).
[WARN] An error occurred while analyzing '/var/folders/3p/czqsrbvj5fdc2cd38mlzxf94fslyz7/T/dctempd4b79305-cbcb-4cfd-adb9-e6f60ed77ddf/check3977533516090718012tmp/1/BOOT-INF/lib/elasticsearch-secure-sm-7.9.2.jar' (NVD CVE Analyzer).
[WARN] An error occurred while analyzing '/var/folders/3p/czqsrbvj5fdc2cd38mlzxf94fslyz7/T/dctempd4b79305-cbcb-4cfd-adb9-e6f60ed77ddf/check3977533516090718012tmp/1/BOOT-INF/lib/elasticsearch-cli-7.9.2.jar' (NVD CVE Analyzer).
[WARN] An error occurred while analyzing '/var/folders/3p/czqsrbvj5fdc2cd38mlzxf94fslyz7/T/dctempd4b79305-cbcb-4cfd-adb9-e6f60ed77ddf/check3977533516090718012tmp/1/BOOT-INF/lib/elasticsearch-x-content-7.9.2.jar' (NVD CVE Analyzer).
[WARN] An error occurred while analyzing '/var/folders/3p/czqsrbvj5fdc2cd38mlzxf94fslyz7/T/dctempd4b79305-cbcb-4cfd-adb9-e6f60ed77ddf/check3977533516090718012tmp/1/BOOT-INF/lib/brave-instrumentation-kafka-streams-5.12.3.jar' (NVD CVE Analyzer).
[WARN] An error occurred while analyzing '/var/folders/3p/czqsrbvj5fdc2cd38mlzxf94fslyz7/T/dctempd4b79305-cbcb-4cfd-adb9-e6f60ed77ddf/check3977533516090718012tmp/1/BOOT-INF/lib/tomcat-embed-websocket-9.0.45.jar' (NVD CVE Analyzer).
[WARN] An error occurred while analyzing '/var/folders/3p/czqsrbvj5fdc2cd38mlzxf94fslyz7/T/dctempd4b79305-cbcb-4cfd-adb9-e6f60ed77ddf/check3977533516090718012tmp/1/BOOT-INF/lib/tomcat-embed-core-9.0.45.jar' (NVD CVE Analyzer).
[WARN] An error occurred while analyzing '/var/folders/3p/czqsrbvj5fdc2cd38mlzxf94fslyz7/T/dctempd4b79305-cbcb-4cfd-adb9-e6f60ed77ddf/check3977533516090718012tmp/1/BOOT-INF/lib/jackson-dataformat-cbor-2.11.4.jar' (NVD CVE Analyzer).
[WARN] An error occurred while analyzing '/var/folders/3p/czqsrbvj5fdc2cd38mlzxf94fslyz7/T/dctempd4b79305-cbcb-4cfd-adb9-e6f60ed77ddf/check3977533516090718012tmp/1/BOOT-INF/lib/simpleclient_common-0.8.1.jar' (NVD CVE Analyzer).
[WARN] An error occurred while analyzing '/var/folders/3p/czqsrbvj5fdc2cd38mlzxf94fslyz7/T/dctempd4b79305-cbcb-4cfd-adb9-e6f60ed77ddf/check3977533516090718012tmp/1/BOOT-INF/lib/rank-eval-client-7.9.2.jar' (NVD CVE Analyzer).
[WARN] An error occurred while analyzing '/var/folders/3p/czqsrbvj5fdc2cd38mlzxf94fslyz7/T/dctempd4b79305-cbcb-4cfd-adb9-e6f60ed77ddf/check3977533516090718012tmp/1/BOOT-INF/lib/spring-web-5.2.14.RELEASE.jar' (NVD CVE Analyzer).
[ERROR] One or more fatal errors occurred
[ERROR] org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error connecting to the database
[ERROR] org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error connecting to the database
[ERROR] org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error connecting to the database
[ERROR] org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error connecting to the database
[ERROR] org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error connecting to the database
[ERROR] org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error connecting to the database
[ERROR] org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error connecting to the database
[ERROR] org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error connecting to the database
[ERROR] org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error connecting to the database
[ERROR] org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error connecting to the database
[ERROR] org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error connecting to the database
[ERROR] org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error connecting to the database
[ERROR] org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error connecting to the database
[ERROR] org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error connecting to the database
[ERROR] org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error connecting to the database
[ERROR] org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error connecting to the database

Since I have 8 cores with 16 threads (hyper threading) and I see 16 connection errors, @sellersj's idea of having all available threads connecting to the DB and maxing out the maximum allowed parallel connections seems plausible.

sscribani commented 3 years ago

I'm seeing the hang in 6.2.0 and 6.2.1 also. Version 6.1.6 is working fine.

moritzluedtke commented 3 years ago

Some more information: I saved the debug log from the last failed run. The run took 3 hours to complete.

I'm hesitant to share the complete log as it may contain sensitive information (didn't check it all). But I can share the last normal log statement plus the following exceptions. So this is the end of the log: https://gist.github.com/moritzluedtke/1f94a79ec52336cfd73ea088a2e1c687

The console output was the same as in my last post.

Looking at the log as someone who doesn't know the codebase, @sellersj's idea sounds more and more like the root cause.

meselfi commented 3 years ago

Hanging in 6.2.1.

openjdk version "11.0.11" 2021-04-20
Apache Maven 3.8.1

$ mvn test org.owasp:dependency-check-maven:check

[DEBUG] Begin Analysis of '/home/somedude/.m2/repository/org/springframework/spring-web/5.2.3.RELEASE/spring-web-5.2.3.RELEASE.jar' (NVD CVE Analyzer)
[DEBUG] Cache miss for cpe:2.3:a:pivotal_software:spring_framework:5.2.3:release::::::
[DEBUG] Cache miss for cpe:2.3:a:pivotal_software:spring_framework:5.2.3:release::::::
[DEBUG] Cache miss for cpe:2.3:a:pivotal_software:spring_framework:5.2.3:release::::::
[DEBUG] Cache miss for cpe:2.3:a:pivotal_software:spring_framework:5.2.3:release::::::

meselfi commented 3 years ago

Seems 8 is a magical number here. The last library logged differs from one run to the next but it always hangs after 8 cache miss log statements with mvn -X option.

[DEBUG] Starting NVD CVE Analyzer
[DEBUG] Parallel processing with up to 8 threads: NVD CVE Analyzer.
...
[DEBUG] Cache miss for cpe:2.3:a:pivotal_software:spring_framework:5.2.3:release::::::

cstsw commented 3 years ago

I ran into this issue with the gradle-plugin of dependency check when upgrading from 6.1.6 to 6.2.0.

When, according to the log, "Finished False Positive Analyzer (0 seconds)" has happened, the execution is stuck. So I did a thread dump via jvisualvm and there are two peculiarities where 8 threads, respectively, are waiting to lock monitors:

  1. Originating from org.owasp.dependencycheck.data.nvdcve.DatabaseManager.getConnection(DatabaseManager.java:557) (all 8 stack traces look like this and wait for the same monitor):
"pool-110-thread-3" #422 prio=5 os_prio=0 cpu=15.63ms elapsed=747.83s tid=0x0000021ecfc29800 nid=0x2c44 waiting on condition  [0x000000c7a91fe000]
   java.lang.Thread.State: WAITING (parking)
    at jdk.internal.misc.Unsafe.park(java.base@11.0.11/Native Method)
    - parking to wait for  <0x00000000f0741698> (a java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject)
    at java.util.concurrent.locks.LockSupport.park(java.base@11.0.11/LockSupport.java:194)
    at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(java.base@11.0.11/AbstractQueuedSynchronizer.java:2081)
    at org.apache.commons.pool2.impl.LinkedBlockingDeque.takeFirst(LinkedBlockingDeque.java:581)
    at org.apache.commons.pool2.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:437)
    at org.apache.commons.pool2.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:354)
    at org.apache.commons.dbcp2.PoolingDataSource.getConnection(PoolingDataSource.java:134)
    at org.apache.commons.dbcp2.BasicDataSource.getConnection(BasicDataSource.java:734)
    at org.owasp.dependencycheck.data.nvdcve.DatabaseManager.getConnection(DatabaseManager.java:557)

(Code base is of dependency check 6.2.0.)

  2. JDK-internal classes waiting to lock a monitor (all 8 stacks look like the following, waiting to lock the same monitor, but not the one the threads under 1. are waiting for)
    at jdk.internal.misc.Unsafe.park(java.base@11.0.11/Native Method)
    - parking to wait for  <0x00000000e0068470> (a java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject)
    at java.util.concurrent.locks.LockSupport.park(java.base@11.0.11/LockSupport.java:194)
    at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(java.base@11.0.11/AbstractQueuedSynchronizer.java:2081)
    at java.util.concurrent.LinkedBlockingQueue.take(java.base@11.0.11/LinkedBlockingQueue.java:433)
    at java.util.concurrent.ThreadPoolExecutor.getTask(java.base@11.0.11/ThreadPoolExecutor.java:1054)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(java.base@11.0.11/ThreadPoolExecutor.java:1114)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(java.base@11.0.11/ThreadPoolExecutor.java:628)
    at org.gradle.internal.concurrent.ThreadFactoryImpl$ManagedThreadRunnable.run(ThreadFactoryImpl.java:56)
    at java.lang.Thread.run(java.base@11.0.11/Thread.java:829)

(I can provide a full thread dump if needed.)

As it appears to be a concurrency issue I looked at the changes between 6.1.6 and 6.2.0:

Another difference that may or may not contribute to this issue is the fact that in org.owasp.dependencycheck.Engine.openDatabase there is a database.open(); statement in 6.2.0 that is not present in 6.1.6. (database is an instance of CveDB which uses DatabaseManager and the open method of the former calls the corresponding method of the latter.)
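
The hang described in this thread (workers parked in GenericObjectPool.borrowObject, the MaxWaitMillis suggestion, and passing the Connection to the callee), modeled as an added example that is not DependencyCheck code. It assumes each analyzer thread holds one pooled connection while a callee borrows a second, which the thread suggests but does not show; a Semaphore stands in for the dbcp2 pool, and PoolExhaustionDemo, run, THREADS and POOL_SIZE are names made up for this sketch.

```java
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

// Constructed model, not ODC code: a Semaphore stands in for the dbcp2 pool seen in the thread dump.
public class PoolExhaustionDemo {
    static final int THREADS = 8;   // "Parallel processing with up to 8 threads"
    static final int POOL_SIZE = 8; // assumption; 8 is also the commons-pool2 default maxTotal

    // maxWaitMillis < 0 means wait forever, like a pool with no maximum wait configured.
    static String run(boolean nestedBorrow, long maxWaitMillis) throws InterruptedException {
        Semaphore pool = new Semaphore(POOL_SIZE);              // one permit = one connection
        CountDownLatch allHoldOne = new CountDownLatch(THREADS);
        AtomicInteger completed = new AtomicInteger();
        ExecutorService workers = Executors.newFixedThreadPool(THREADS);
        for (int i = 0; i < THREADS; i++) {
            workers.submit(() -> {
                try {
                    pool.acquire();                              // outer getConnection()
                    try {
                        allHoldOne.countDown();
                        allHoldOne.await();                      // worst case: every worker holds one
                        if (nestedBorrow) {                      // callee borrows its own connection
                            if (maxWaitMillis < 0) {
                                pool.acquire();                  // parks forever: nobody can release
                            } else if (!pool.tryAcquire(maxWaitMillis, TimeUnit.MILLISECONDS)) {
                                return;                          // bounded wait surfaces an error
                            }
                            pool.release();                      // return the inner connection
                        }
                        completed.incrementAndGet();             // lookup done
                    } finally {
                        pool.release();                          // return the outer connection
                    }
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                }
            });
        }
        workers.shutdown();
        boolean hung = !workers.awaitTermination(2, TimeUnit.SECONDS);
        int done = completed.get();                              // read before interrupting anyone
        workers.shutdownNow();                                   // unpark stuck workers so the JVM exits
        return (hung ? "HUNG" : "finished") + ", " + done + "/" + THREADS + " lookups completed";
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("nested borrow, unbounded wait:  " + run(true, -1));
        System.out.println("nested borrow, 200 ms max wait: " + run(true, 200));
        System.out.println("connection passed to callee:    " + run(false, -1));
    }
}
```

The first case reports a hang with no lookups completed, the second ends with at least one lookup failing on the timeout, and the third completes all eight. A bounded wait only converts the hang into errors; reusing the caller's connection removes the second borrow that exhausts the pool.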

jeremylong commented 3 years ago

Thanks @sellersj for the PR. I'll push a release shortly.