Closed nhenneaux closed 2 years ago
We're facing the same issue since this morning.
We're facing the same issue as well
We have the same issue with 6.5.3 and 7.1.0 as well as 7.0.4.
Maybe it's related to some breaking changes in OSS index -> https://ossindex.sonatype.org/updates-notice
We have the same issue with 7.1.0 since this morning.
Could be as I receive the following error along the mentioned error:
AnalysisException: OSS Index rate limit exceeded
caused by TransportException: Unexpected response; status: 429
We can confirm. Have the same issues with 7.1.0
and it is breaking our CI infrastructure.
[ERROR] AnalysisException: Failed to request component-reports
[ERROR] caused by NullPointerException: Cannot invoke "org.sonatype.goodies.packageurl.PackageUrl.toString()" because "coordinates" is null
[ERROR] AnalysisException: OSS Index rate limit exceeded
[ERROR] caused by TransportException: Unexpected response; status: 429
[ERROR] AnalysisException: OSS Index rate limit exceeded
For mvn users, you can, for the moment, disable the OSS Index analyzer, add the following to your plugin configuration:
<ossindexAnalyzerEnabled>false</ossindexAnalyzerEnabled>
We use the cli and have disabled it with the --disableOssIndex flag
When using Maven, you can also skip it via the mvn command to avoid having to adapt your plugin configuration in the pom.xml:
mvn verify -DossindexAnalyzerEnabled=false
Same issue here with 7.1.0
For gradle users you can disable OSS index by adding the following line to your dependencycheck plugin: analyzers.ossIndexEnabled = false Checked with org.owasp.dependencycheck version "7.1.0.1"
@Regginator94 hello, I have added analyzers.ossIndexEnabled = false to the dependencyCheck section in the gradle file:
dependencyCheck {
failBuildOnCVSS=0
analyzers.ossIndexEnabled = false
}
But I am getting some errors anyway:
An error occurred while analyzing '/var/folders/r3/[...]/check17952063436082747962tmp/332/jacocoagent.jar' (Sonatype OSS Index Analyzer).
And I am using the version 7.1.0.1 for the dependency check plugin:
id "org.owasp.dependencycheck" version "7.1.0.1"
Ok it works now. 👍
As per https://github.com/jeremylong/DependencyCheck/issues/4538 it looks like the root cause is index rate limiting that can be bypassed by registering and providing credentials, so maybe one doesn't need to disable the analyser.
It works by providing valid Sonatype credentials. Register at https://ossindex.sonatype.org/user/register.
For Maven users:
Specify a server in your Maven settings ~/.m2/settings.xml (default location)
<servers>
<server>
<id>SERVER_ID</id>
<username>USERNAME</username>
<password>PASSWORD_OR_API_TOKEN</password>
</server>
</servers>
Configure the dependency-check-maven plugin in your pom.xml
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<configuration>
<ossIndexServerId>SERVER_ID</ossIndexServerId>
</configuration>
</plugin>
Hi All, Sonatype OSSI Product Manager here. Firstly, sorry that this caused you all trouble. The best path here is to make authenticated requests as not only will that increase your rate limit but will also provide you with the most complete/accurate data.
We are also investigating whether we can increase the anonymous rate limit specifically for Dependency Check and Dependency Track. I'll drop an update here later today.
I don't think it was related to credentials as we were already providing OSS credentials for several months when I reported the issue this morning.
Thanks @nhenneaux. We'll get this rolled back and then we can work together to make the necessary changes to dependency check to support the new IDs.
For maven users, it helps with
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>7.1.0</version>
<configuration>
<skipSystemScope>true</skipSystemScope>
<assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
<ossindexAnalyzerEnabled>false</ossindexAnalyzerEnabled>
<reportSets>
<reportSet>
<reports>
<report>aggregate</report>
</reports>
</reportSet>
</reportSets>
</configuration>
</plugin>
@jlstephens89 - Does this mean that we don't need to provide credentials? I still don't quite understand why providing the credentials has fixed it for us, and many here, yet some are reporting that it has not addressed their issue.
See https://github.com/jeremylong/DependencyCheck/issues/4539#issuecomment-1137183801
@jlstephens89 see my email about the missing coordinates in the API response causing an NPE...
@jeremylong Thanks, well spotted. Looks like this is another bug. We're investigating now.
Okay we've fixed the bug that was dropping the coordinates field and released. That should remove the NPE. We've hopefully also sorted the rate limit issue. It'd be great if someone could test and let me know.
@jlstephens89 Which tag/version? I'd happily test. Don't see anything newer than 7.1.0 here yet: https://github.com/jeremylong/DependencyCheck/releases
We've fixed it in OSSIndex itself so you shouldn't have to change your DependencyCheck version
After retrying after your fix, we receive now the following Error:
java.lang.NullPointerException: Cannot invoke "java.net.URI.toString()" because the return value of "org.sonatype.ossindex.service.api.componentreport.ComponentReportVulnerability.getReference()" is null
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform (OssIndexAnalyzer.java:350)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5 (OssIndexAnalyzer.java:256)
at java.util.stream.ReferencePipeline$3$1.accept (ReferencePipeline.java:197)
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining (ArrayList.java:1625)
at java.util.stream.AbstractPipeline.copyInto (AbstractPipeline.java:509)
at java.util.stream.AbstractPipeline.wrapAndCopyInto (AbstractPipeline.java:499)
at java.util.stream.ForEachOps$ForEachOp.evaluateSequential (ForEachOps.java:150)
at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential (ForEachOps.java:173)
at java.util.stream.AbstractPipeline.evaluate (AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.forEachOrdered (ReferencePipeline.java:601)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich (OssIndexAnalyzer.java:257)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:163)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run (FutureTask.java:264)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1136)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:635)
at java.lang.Thread.run (Thread.java:833)
No credentials used at our side.
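An added example (not code from DependencyCheck or Sonatype) that replays the two null-field cases behind the NPEs reported in this thread, a component-report entry whose coordinates came back null and a vulnerability whose reference is null, plus the 429 rate-limit status, first against a naive transform that assumes every field is set and then against a tolerant parser that skips the unusable record and lists every purl it could not assess instead of silently treating it as clean. The JSON sample is constructed, and the field names other than coordinates and reference are assumptions about the response shape.

```python
"""Tolerant handling of OSS Index component-report responses (added example).

Constructed sample; only "coordinates" and "reference" are field names taken
from the stack traces in the thread, the rest are assumed.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Vulnerability:
    vuln_id: str
    title: str
    cvss_score: Optional[float]
    reference: Optional[str]  # may be null in the response; never dereference blindly


@dataclass
class ComponentReport:
    coordinates: str  # package URL, e.g. pkg:maven/xerces/xercesImpl@2.12.1
    vulnerabilities: List[Vulnerability] = field(default_factory=list)


class RateLimited(Exception):
    """HTTP 429 from OSS Index; retry_after is None when no Retry-After header came back."""

    def __init__(self, retry_after: Optional[int]) -> None:
        super().__init__(f"OSS Index rate limit exceeded (retry after {retry_after}s)")
        self.retry_after = retry_after


def check_status(status: int, headers: Dict[str, str]) -> None:
    """Turn the transport status into a typed error (429 is the one the thread shows)."""
    if status == 429:
        raw = headers.get("Retry-After", "")  # assumption: server may send Retry-After
        raise RateLimited(int(raw) if raw.isdigit() else None)
    if status != 200:
        raise RuntimeError(f"Unexpected response; status: {status}")


def naive_transform(entry: dict) -> ComponentReport:
    """The assumption that produced the NPEs: every field is present and non-null."""
    vulns = [
        Vulnerability(v["id"], v["title"], v.get("cvssScore"), v["reference"].strip())
        for v in entry["vulnerabilities"]
    ]
    # entry["coordinates"] is None for the broken record, so .lower() raises
    # AttributeError, the Python counterpart of the PackageUrl.toString() NPE.
    return ComponentReport(entry["coordinates"].lower(), vulns)


def tolerant_parse(payload: str, requested: List[str]) -> Tuple[List[ComponentReport], List[str]]:
    """Parse a component-report array; skip unusable records but report every gap.

    Returns (reports, warnings). A requested purl with no usable report is
    listed in warnings so the caller treats it as "unknown", not "clean".
    """
    reports: List[ComponentReport] = []
    warnings: List[str] = []
    for index, entry in enumerate(json.loads(payload)):
        coords = entry.get("coordinates")
        if not isinstance(coords, str) or not coords:
            warnings.append(f"entry {index}: coordinates missing or null, record skipped")
            continue
        vulns: List[Vulnerability] = []
        for raw in entry.get("vulnerabilities") or []:
            ref = raw.get("reference")
            if ref is None:
                warnings.append(f"{coords}: vulnerability {raw.get('id')} has no reference")
            vulns.append(Vulnerability(str(raw.get("id")), str(raw.get("title", "")),
                                       raw.get("cvssScore"), ref))
        reports.append(ComponentReport(coords, vulns))
    seen = {r.coordinates for r in reports}
    for purl in requested:
        if purl not in seen:
            warnings.append(f"{purl}: no usable component-report, treat as unknown")
    return reports, warnings


# Constructed sample response: one clean record, one vulnerability without a
# reference, one record whose coordinates came back null. Purls and the CVE id
# are the ones that appear in this thread; the second vulnerability id is a placeholder.
SAMPLE_RESPONSE = json.dumps([
    {"coordinates": "pkg:maven/xerces/xercesImpl@2.12.1",
     "vulnerabilities": [{"id": "CVE-2022-23437", "title": "constructed title",
                          "cvssScore": 6.5,
                          "reference": "https://example.invalid/CVE-2022-23437"}]},
    {"coordinates": "pkg:maven/org.bouncycastle/bcprov-jdk15on@1.68",
     "vulnerabilities": [{"id": "PLACEHOLDER-VULN-ID", "title": "constructed entry",
                          "cvssScore": 5.0, "reference": None}]},
    {"coordinates": None, "vulnerabilities": []},
])
REQUESTED = ["pkg:maven/xerces/xercesImpl@2.12.1",
             "pkg:maven/org.bouncycastle/bcprov-jdk15on@1.68",
             "pkg:maven/com.google.guava/guava@30.1-jre"]


def naive_fails(payload: str) -> bool:
    """True when the all-fields-non-null assumption blows up on the sample."""
    try:
        for entry in json.loads(payload):
            naive_transform(entry)
    except (AttributeError, KeyError, TypeError):
        return True
    return False


if __name__ == "__main__":
    found, notes = tolerant_parse(SAMPLE_RESPONSE, REQUESTED)
    print(f"{len(found)} usable reports, {len(notes)} warnings")
    for note in notes:
        print("WARN", note)
```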
Thanks @nikonovd, working on it.
@jlstephens89 Seems to be working for me on latest version. Tested both in our AWS pipeline running the OWASP scan and locally on my dev machine. Seem to have found a new identified vulnerability as well.
spring-security-crypto-5.7.1.jar: CVE-2020-5408(6.5). Thanks.
edit: command issued: mvn -DskipTests=true --no-transfer-progress -Powasp clean org.owasp:dependency-check-maven:aggregate
our owasp profile:
<profile>
<id>owasp</id>
<build>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${org.owasp.dependency.version}</version>
<configuration>
<suppressionFiles>${project.monoBasePath}/alp-owasp-suppressions.xml</suppressionFiles>
<failBuildOnCVSS>1</failBuildOnCVSS>
<enableExperimental>true</enableExperimental>
<yarnAuditAnalyzerEnabled>true</yarnAuditAnalyzerEnabled>
<retireJsAnalyzerEnabled>true</retireJsAnalyzerEnabled>
<!-- .Disable Net content-->
<assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
<nugetconfAnalyzerEnabled>false</nugetconfAnalyzerEnabled>
<nuspecAnalyzerEnabled>false</nuspecAnalyzerEnabled>
<formats>
<format>ALL</format>
</formats>
</configuration>
<executions>
<execution>
<goals>
<goal>aggregate</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
<dependencies>
<dependency>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${org.owasp.dependency.version}</version>
<scope>test</scope>
</dependency>
</dependencies>
</profile>
@norrs That's great news
Do you know which component this was against?
sorry, i updated the full stacktrace into my previous comment.
I'm getting these errors:
Failed to fetch component-report for: pkg:maven/org.bouncycastle/bcprov-jdk15on@1.68
java.lang.NullPointerException
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform(OssIndexAnalyzer.java:350)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5(OssIndexAnalyzer.java:256)
at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:502)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:257)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:163)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Failed to fetch component-report for: pkg:maven/xerces/xercesImpl@2.12.1
java.lang.NullPointerException
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform(OssIndexAnalyzer.java:350)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5(OssIndexAnalyzer.java:256)
at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:502)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:257)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:163)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Getting some errors, but the build is successful:
Failed to fetch component-report for: pkg:maven/io.github.classgraph/classgraph@4.8.60
java.lang.NullPointerException
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform(OssIndexAnalyzer.java:339)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5(OssIndexAnalyzer.java:245)
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1384)
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
at java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:490)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:246)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:158)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Failed to fetch component-report for: pkg:maven/com.google.guava/guava@30.1-jre
java.lang.NullPointerException
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform(OssIndexAnalyzer.java:339)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5(OssIndexAnalyzer.java:245)
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1384)
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
at java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:490)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:246)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:158)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Failed to fetch component-report for: pkg:maven/org.bouncycastle/bcprov-jdk15on@1.68
java.lang.NullPointerException
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform(OssIndexAnalyzer.java:339)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5(OssIndexAnalyzer.java:245)
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1384)
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
at java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:490)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:246)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:158)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Failed to fetch component-report for: pkg:maven/xerces/xercesImpl@2.12.1
java.lang.NullPointerException
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform(OssIndexAnalyzer.java:339)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5(OssIndexAnalyzer.java:245)
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1384)
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
at java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:490)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:246)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:158)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
> Task :dependencyCheckAnalyze
Generating report for project test
Found 2 vulnerabilities in project test
One or more dependencies were identified with known vulnerabilities in test:
json-smart-2.3.jar (pkg:maven/net.minidev/json-smart@2.3, cpe:2.3:a:ini-parser_project:ini-parser:2.3:*:*:*:*:*:*:*, cpe:2.3:a:json-smart_project:json-smart-v2:2.3:*:*:*:*:*:*:*) : CVE-2021-31684
xercesImpl-2.12.1.jar (pkg:maven/xerces/xercesImpl@2.12.1) : CVE-2022-23437
See the dependency-check report for more details.
BUILD SUCCESSFUL in 1m 56s
Not getting those warnings if I use credentials on the gradle plugin
I am getting the following:
Failed to fetch component-report for: pkg:maven/xerces/xercesImpl@2.12.0
java.lang.NullPointerException
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform(OssIndexAnalyzer.java:350)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5(OssIndexAnalyzer.java:256)
at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:502)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:257)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:163)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
One or more dependencies were identified with known vulnerabilities in example-app:
xercesImpl-2.12.0.jar (pkg:maven/xerces/xercesImpl@2.12.0) : CVE-2022-23437
and the build isn't successful.
Also getting those exceptions, for the packages:
[WARNING] Failed to fetch component-report for: pkg:maven/commons-codec/commons-codec@1.10
[WARNING] Failed to fetch component-report for: pkg:maven/commons-codec/commons-codec@1.11
[WARNING] Failed to fetch component-report for: pkg:maven/io.netty/netty-codec@4.1.53.Final
[WARNING] Failed to fetch component-report for: pkg:maven/io.netty/netty-handler@4.1.53.Final
[WARNING] Failed to fetch component-report for: pkg:maven/org.bouncycastle/bcprov-jdk15on@1.68
[WARNING] Failed to fetch component-report for: pkg:maven/org.geolatte/geolatte-geom@0.15
Fix released and tested for the latest NPEs. Test again and let me know if there are any more issues (also super sorry to disrupt everyone's day!)
@jlstephens89 thanks for your help but it still doesn't work in my case. I can still see the NPEs and it still raises some dependencies as vulnerable. If I disable the analyser it works ok, so no NPEs nor vulnerabilities.
Do I need to do anything in my gradle file? I am using the version 7.1.0.1 of the dependencycheck plugin.
@antonilic you should not need to make any changes to your build file, it is all changes on OSSIndex. Can you provide a stack trace? It's possibly now related to your cache (see https://github.com/jeremylong/DependencyCheck/issues/4527#issuecomment-1137290349). Can you provide a stack trace again?
Hello, thanks for the comment. I have provided a stack trace in a comment above:
https://github.com/jeremylong/DependencyCheck/issues/4535#issuecomment-1137269719
@jlstephens89, I too am still seeing errors
Failed to fetch component-report for: pkg:maven/org.glassfish.jersey.core/jersey-common@2.5.1
java.lang.NullPointerException
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform(OssIndexAnalyzer.java:350)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5(OssIndexAnalyzer.java:256)
at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:502)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:257)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:163)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
@jlstephens89 I mentioned earlier that it found a new security issue, I looked a bit closer into it and it seems to be a false report: https://github.com/jeremylong/DependencyCheck/issues/4528#issuecomment-1136062589 . Related to these updates that are happening now to use your new databases?
Because 5.7.1 doesn't match the vulnerable version numbers as mentioned in the CVE-2020-5408 or json record you can view at cve.org.
EDIT: Might be a separate issue than this, and you can disregard this comment here and handle it in #4528 I suppose.
I have just tested one pipeline on my side and it works now, thanks for quick feedback and fixes @jlstephens89 @jeremylong !! :pray: I'm still waiting reports from all pipelines but it is progressing thanks for that!
@norrs It's more likely that our research team have found that the public CVE information is incorrect. Our team of researchers go much deeper than anything else that is publicly available. Email me privately at jstephens@sonatype.com with the component and CVE information and I'll pass it on to the research team to double check for you and get you some more information.
@jlstephens89: After suppressing the found vulnerability, I still get a warning with NPE, But org.owasp:dependency-check-maven:aggregate report runs successfully tho.
Log:
[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (0 seconds)
[INFO] Finished Node.js Package Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (0 seconds)
[INFO] Finished NPM CPE Analyzer (0 seconds)
[INFO] Created CPE Index (0 seconds)
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished RetireJS Analyzer (16 seconds)
[WARNING] Failed to fetch component-report for: pkg:maven/javax.mail/mail@1.5.0-b01
java.lang.NullPointerException
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform (OssIndexAnalyzer.java:350)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5 (OssIndexAnalyzer.java:256)
at java.util.stream.ReferencePipeline$3$1.accept (ReferencePipeline.java:195)
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining (ArrayList.java:1655)
at java.util.stream.AbstractPipeline.copyInto (AbstractPipeline.java:484)
at java.util.stream.AbstractPipeline.wrapAndCopyInto (AbstractPipeline.java:474)
at java.util.stream.ForEachOps$ForEachOp.evaluateSequential (ForEachOps.java:150)
at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential (ForEachOps.java:173)
at java.util.stream.AbstractPipeline.evaluate (AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.forEachOrdered (ReferencePipeline.java:502)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich (OssIndexAnalyzer.java:257)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:163)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run (FutureTask.java:264)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
at java.lang.Thread.run (Thread.java:834)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (19 seconds)
[INFO] Writing report to: /*snip*/unit/alp/target/dependency-check-report.xml
[INFO] Writing report to: /*snip*/unit/alp/target/dependency-check-report.html
[INFO] Writing report to: /*snip*/unit/alp/target/dependency-check-report.json
[INFO] Writing report to: /*snip*/unit/alp/target/dependency-check-report.csv
[INFO] Writing report to: /*snip*/unit/alp/target/dependency-check-report.sarif
[INFO] Writing report to: /*snip*/unit/alp/target/dependency-check-junit.xml
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO]
[INFO] alp 1.0-SNAPSHOT ................................... SUCCESS [ 29.271 s]
*snip*
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 29.574 s
[INFO] Finished at: 2022-05-25T17:45:13+02:00
Do you want us to keep reporting the NPEs of artifacts we find in our builds? Or create new separate issue for each of em?
:thinking: This might be another error than the given issue title.
@norrs Thanks, that one has been reported a few times now and we're looking at it. Think we're getting to the bottom of this one NPE at a time. Hopefully this is the last 😅
@norrs can you test again now please?
@jlstephens89 Still NPE warning on: Failed to fetch component-report for: pkg:maven/javax.mail/mail@1.5.0-b01 java.lang.NullPointerException
EDIT: tried again at 26.may 12:36 CEST , still get the following stacktrace:
[WARNING] Failed to fetch component-report for: pkg:maven/javax.mail/mail@1.5.0-b01
java.lang.NullPointerException
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform (OssIndexAnalyzer.java:350)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5 (OssIndexAnalyzer.java:256)
at java.util.stream.ReferencePipeline$3$1.accept (ReferencePipeline.java:195)
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining (ArrayList.java:1655)
at java.util.stream.AbstractPipeline.copyInto (AbstractPipeline.java:484)
at java.util.stream.AbstractPipeline.wrapAndCopyInto (AbstractPipeline.java:474)
at java.util.stream.ForEachOps$ForEachOp.evaluateSequential (ForEachOps.java:150)
at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential (ForEachOps.java:173)
at java.util.stream.AbstractPipeline.evaluate (AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.forEachOrdered (ReferencePipeline.java:502)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich (OssIndexAnalyzer.java:257)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:163)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run (FutureTask.java:264)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
at java.lang.Thread.run (Thread.java:834)
Latest 7.1.0 release of dependency-check.
Also still failing on:
@hylkevds once again apologies for not getting to the bottom of this sooner. Could I ask you to try again, I have made some changes that should hopefully take care of the NPE. If this is not fixed for you, could I ask you to provide a stacktrace and the version of DependencyCheck you are using
Analysis failing since this morning with Sonatype OSS Index Analyzer
both dependency-check-maven:7.1.0 and dependency-check-maven:6.5.3 are impacted