jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Dependency-Check fails to scan zookeeper-3.4.13-fatjar.jar #3822

Open keren-orca opened 2 years ago

keren-orca commented 2 years ago

When running dependency-check on zookeeper-3.4.13-fatjar.jar it fails with the following error:

[WARN] An unexpected error occurred during analysis of 'zookeeper-3.4.13-fatjar.jar' (Jar Analyzer): Invalid signature file digest for Manifest main attributes
[ERROR]
java.lang.SecurityException: Invalid signature file digest for Manifest main attributes
    at java.base/sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:317)
    at java.base/sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:259)
    at java.base/java.util.jar.JarVerifier.processEntry(JarVerifier.java:273)
    at java.base/java.util.jar.JarVerifier.update(JarVerifier.java:230)
    at java.base/java.util.jar.JarFile.initializeVerifier(JarFile.java:759)
    at java.base/java.util.jar.JarFile.getInputStream(JarFile.java:840)
    at org.owasp.dependencycheck.analyzer.JarAnalyzer.retrievePomProperties(JarAnalyzer.java:513)
    at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzePOM(JarAnalyzer.java:442)
    at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzeDependency(JarAnalyzer.java:325)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)

Version of dependency-check used: 6.5.0

Expected behavior: Scan zookeeper-3.4.13-fatjar.jar without errors

nhumblot commented 2 years ago

Hi :wave:

Where can this jar be found? I do not find it on the zookeeper archive page https://archive.apache.org/dist/zookeeper/zookeeper-3.4.13/

aikebah commented 2 years ago

The error message is essentially from Java's internal classes verifying the integrity of the jar before handing out its contents. It appears as if your jar file contains an improper (ill-formatted) META-INF/MANIFEST.MF that triggers the Java internals to throw an exception because the signatures of the jar are corrupt. So it appears to be a typical scenario of "garbage in = garbage out". You should check your fat-jar creation process and ensure that the fat jar is either not signed at all, or otherwise properly signed.

Also be aware that typically a fat-jar scenario will increase the likelihood of false positives and false negatives due to the way that DependencyCheck does its scanning. Having all composing libraries side-by-side in a folder rather than squashed together in a single fat jar is likely to give a better analysis result.
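To see what Java is rejecting here, the following is an added Python check (not code from this issue, from DependencyCheck or from the JDK) that recomputes the manifest digests recorded in a jar's META-INF/*.SF file the way java.util.jar compares them before throwing "Invalid signature file digest for Manifest main attributes". It assumes the JDK hashes the manifest's main section up to and including its first blank line, and the jar it builds is a constructed sample of a fat jar whose manifest was rewritten while a signed library's .SF file was kept.

```python
import base64, hashlib, io, re, zipfile

def _main_section(manifest: bytes) -> bytes:
    """Main section of a manifest: everything up to and including the first blank
    line (assumption: this is the span the JDK's ManifestDigester hashes)."""
    m = re.search(rb"\r\n\r\n|\n\n", manifest)
    return manifest[:m.end()] if m else manifest

def _attrs(section: bytes) -> dict:
    """Parse 'Key: value' headers; a line starting with one space continues the previous."""
    text = section.decode("utf-8").replace("\r\n", "\n").replace("\n ", "")
    pairs = (line.split(":", 1) for line in text.split("\n") if ":" in line)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def _b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def check_sf_manifest_digests(jar_bytes: bytes) -> list:
    """One (sf_name, status) per META-INF/*.SF: 'ok' when the SF's SHA-256 digest of
    the whole manifest OR of its main attributes matches the manifest in the jar,
    'mismatch' otherwise (the condition behind the SecurityException in this issue)."""
    results = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        manifest = z.read("META-INF/MANIFEST.MF")
        whole, main = _b64_sha256(manifest), _b64_sha256(_main_section(manifest))
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith(".SF"):
                sf = _attrs(_main_section(z.read(name)))
                ok = (sf.get("sha-256-digest-manifest") == whole
                      or sf.get("sha-256-digest-manifest-main-attributes") == main)
                results.append((name, "ok" if ok else "mismatch"))
    return results

def build_sample_jar(stale_sf: bool) -> bytes:
    """Constructed sample jar. With stale_sf=True the fat-jar tool has rewritten
    MANIFEST.MF but kept the signed library's META-INF/LIB.SF, so its digests no
    longer describe the manifest next to it."""
    lib_manifest = (b"Manifest-Version: 1.0\r\nCreated-By: lib\r\n\r\n"
                    + b"Name: lib/Foo.class\r\nSHA-256-Digest: cafe\r\n\r\n")
    manifest = b"Manifest-Version: 1.0\r\nMain-Class: app.Main\r\n\r\n" if stale_sf else lib_manifest
    sf = (b"Signature-Version: 1.0\r\n"
          + b"SHA-256-Digest-Manifest: " + _b64_sha256(lib_manifest).encode() + b"\r\n"
          + b"SHA-256-Digest-Manifest-Main-Attributes: "
          + _b64_sha256(_main_section(lib_manifest)).encode() + b"\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/LIB.SF", sf)  # the matching .RSA/.DSA block is not needed for this check
    return buf.getvalue()
```

A 'mismatch' on a fat jar means the .SF belongs to an embedded signed library whose manifest was merged away, which is the "not signed at all, or properly signed" choice above: either exclude the stale META-INF signature entries when building the fat jar, or re-sign the finished jar.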