jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

TransportException: Unexpected response; status: 500 from dependency-check-maven 8.0.0 #5346

Open mjrother opened 1 year ago

mjrother commented 1 year ago

Describe the bug
I have 3 separate maven projects that should have the same settings and plugins in the pom.xml file. All the projects build and deploy fine. When I try the dependency-check:aggregate target, 2 of the projects work as expected. The third project fails in the dependency-check processing.

Version of dependency-check used
I am using the 8.0.0 version of the maven plugin.

Log file
There are 8 stack traces similar to this:

[DEBUG] POST https://ossindex.sonatype.org/api/v3/component-report; payload: {"coordinates":["pkg:maven/org.hibernate.validator/hibernate-validator-annotation-processor@6.2.5.Final","pkg:maven/org.apache.httpcomponents/httpclient@4.5","pkg:maven/org.opensaml/opensaml-profile-api@3.4.6","pkg:maven/org.jboss.javaee/jboss-transaction-api@1.0.1.GA","pkg:maven/org.springframework.ldap/spring-ldap-core@2.4.1","pkg:maven/com.squareup.okhttp/okhttp@2.7.5","pkg:maven/pentaho-kettle/kettle-core@9.2.0.0-290","pkg:maven/org.pentaho/metastore@9.2.0.0-290","pkg:maven/org.glassfish.jaxb/jaxb-core@3.0.2","pkg:maven/com.sapiens.coresuite.zk/midnightblue-theme-zk9@8.2.6","pkg:maven/com.google.protobuf/protobuf-java@3.19.4","pkg:maven/com.fasterxml.jackson.module/jackson-module-jaxb-annotations@2.13.4","pkg:maven/org.apache.hadoop/hadoop-hdfs-client@3.3.1","pkg:maven/jgroups/jgroups@2.6.13.GA","pkg:maven/com.lowagie/itext@2.1.7.js10","pkg:maven/org.springframework.boot/spring-boot-devtools@2.7.5","pkg:maven/org.jboss.cache/jbosscache-core@%24%7Bjbosscache-core-version%7D","pkg:maven/org.opensaml/opensaml-saml-impl@3.4.6","pkg:maven/org.opensaml/opensaml-security-impl@3.4.6","pkg:maven/com.sapiens.coresuite.zk/mysteriousgreen-theme-zk9@8.2.6","pkg:maven/org.apache.xmlbeans/xmlbeans@3.1.0","pkg:maven/org.opensaml/opensaml-xmlsec-impl@3.4.6","pkg:maven/io.dropwizard.metrics/metrics-core@4.2.12","pkg:maven/org.apache.httpcomponents/httpmime@4.5.13","pkg:maven/com.googlecode.jmockit/jmockit@1.3","pkg:maven/org.opensaml/opensaml-xacml-api@3.4.6","pkg:maven/org.jboss/jboss-common-core@2.2.14.GA","pkg:maven/org.springframework.security/spring-security-ldap@5.7.4","pkg:maven/junit/junit@4.12","pkg:maven/org.opensaml/opensaml-core@3.4.6","pkg:maven/com.squareup.okio/okio@1.6.0","pkg:maven/org.springframework/spring-oxm@5.3.23","pkg:maven/org.opensaml/opensaml-xacml-saml-impl@3.4.6","pkg:maven/org.opensaml/opensaml-xacml-impl@3.4.6","pkg:maven/com.fasterxml.woodstox/woodstox-core@5.2.1","pkg:maven/org.opensaml/opensaml-security-api@3.4.6","pkg:maven/org.opensaml/opensaml-saml-api@3.4.6","pkg:maven/org.jboss.logging/jboss-logging-spi@2.0.5.GA","pkg:maven/org.jboss.cache/jbosscache-core@3.2.7.GA","pkg:maven/org.apache.httpcomponents/httpmime@4.5.3","pkg:maven/org.mozilla/javascript@1.7.5","pkg:maven/com.sun.istack/istack-commons-runtime@4.0.1","pkg:maven/net.shibboleth.utilities/java-support@7.5.2","pkg:maven/javax.ws.rs/javax.ws.rs-api@2.1.1","pkg:maven/org.eclipse.swt/org.eclipse.swt@4.3","pkg:maven/org.pentaho/kettle-ui-swt@9.2.0.0-290","pkg:maven/pentaho-kettle/kettle-engine@9.2.0.0-290","pkg:maven/org.apache.santuario/xmlsec@2.2.2","pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-xml@2.12.4","pkg:maven/com.sapiens.coresuite.zk/sapiens-theme-zk9@8.2.6","pkg:maven/org.eclipse.jface/org.eclipse.jface@3.22.0","pkg:maven/joda-time/joda-time@2.10.10","pkg:maven/org.jasypt/jasypt@1.9.3","pkg:maven/pentaho-kettle/kettle-dbdialog@9.2.0.0-290","pkg:maven/org.codehaus.woodstox/stax2-api@4.2","pkg:maven/org.opensaml/opensaml-xacml-saml-api@3.4.6","pkg:maven/org.hdpagination/hdpagination@1.1","pkg:maven/pentaho/metastore@9.2.0.0-290","pkg:maven/com.fasterxml.woodstox/woodstox-core@6.2.4","pkg:maven/org.opensaml/opensaml-xmlsec-api@3.4.6","pkg:maven/pentaho-kettle/kettle-ui-swt@9.2.0.0-290","pkg:maven/javax.validation/validation-api@2.0.1.Final","pkg:maven/org.apache.wss4j/wss4j-ws-security-common@2.3.2","pkg:maven/com.google.guava/guava@30.1-jre","pkg:maven/com.squareup.okio/okio@2.8.0","pkg:maven/com.sapiens.coresuite.zk/webtier-framework@8.2.6","pkg:maven/com.squareup.okhttp3/okhttp@4.9.3","pkg:maven/org.opensaml/opensaml-soap-api@3.4.6","pkg:maven/org.pentaho/pentaho-encryption-support@9.2.0.0-290"]} (application/vnd.ossindex.component-report-request.v1+json); accept: application/vnd.ossindex.component-report.v1+json
[DEBUG] Connecting to: https://ossindex.sonatype.org/api/v3/component-report
[DEBUG] Error requesting component reports, disabling the analyzer
org.sonatype.ossindex.service.client.transport.Transport$TransportException: Unexpected response; status: 500
    at org.sonatype.ossindex.service.client.transport.HttpUrlConnectionTransport.post (HttpUrlConnectionTransport.java:106)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.doRequestComponentReports (OssindexClientImpl.java:204)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.requestComponentReports (OssindexClientImpl.java:170)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.requestReports (OssIndexAnalyzer.java:219)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:134)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1136)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:635)
    at java.lang.Thread.run (Thread.java:833)
[WARNING] An error occurred while analyzing 'C:\Users\Michael.Rother.m2\repository\org\glassfish\jaxb\jaxb-runtime\2.3.7\jaxb-runtime-2.3.7.jar' (Sonatype OSS Index Analyzer).
[DEBUG] org.owasp.dependencycheck.analyzer.exception.AnalysisException: Failed to request component-reports
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:155)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1136)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:635)
    at java.lang.Thread.run (Thread.java:833)
Caused by: org.sonatype.ossindex.service.client.transport.Transport$TransportException: Unexpected response; status: 500
    at org.sonatype.ossindex.service.client.transport.HttpUrlConnectionTransport.post (HttpUrlConnectionTransport.java:106)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.doRequestComponentReports (OssindexClientImpl.java:204)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.requestComponentReports (OssindexClientImpl.java:170)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.requestReports (OssIndexAnalyzer.java:219)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:134)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1136)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:635)
    at java.lang.Thread.run (Thread.java:833)

Expected behavior
To process the project and generate the report.

Additional context

aikebah commented 1 year ago

Try to reduce your scan to the failing artifact and report an issue at Sonatype OSSIndex. Your issue is similar to #5154 and #5216.

aikebah commented 1 year ago

Prime suspect to look at would be pkg:maven/jgroups/jgroups@2.6.13.GA, as #5154 is about a slightly later version of the same JGroups library, so they likely run into the same internal issue of OSSIndex.

aikebah commented 1 year ago

Checked the jgroups dependency on the online search... it turns out to be another one that is giving you the HTTP 500 result from OSSIndex.

aikebah commented 1 year ago

Best approach for nailing down which dependency is hurting you would be bi-secting from the logged payload using tools like Postman to directly call the OSSIndex API (HTTP POST to https://ossindex.sonatype.org/api/v3/component-report) with first/second half of the packageURLs from the logged payload as the data.

Either the first or the second half of the logged payload will run into HTTP 500 (worst case: both would... and you would have more than one dependency for which OSSIndex triggers some internal error trying to construct the report on known vulnerabilities on their side). The failing half you continue to split into two halves and test them until you find the culprit library, and then reach out to Sonatype to inform them that the given artifact coordinates trigger an internal server error.
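
The bisection aikebah describes, as an added example that is not part of the issue or of dependency-check's own code: it pulls the purl list out of the logged `payload:` line, POSTs halves to the OSSIndex endpoint with the same media types the analyzer logs, and recurses into every failing half so the "both halves fail" case yields all culprits. The log line embedded below is a constructed four-purl sample, not the issue's full payload, and `simulated_probe` is an offline stand-in for the live HTTP check.

```python
"""Bisect a logged OSS Index payload to find which coordinates make the service answer HTTP 500."""
import json
import urllib.error
import urllib.request
from typing import Callable, List

# Endpoint and media types exactly as they appear in the analyzer's DEBUG log line in the issue.
OSSINDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
REQUEST_TYPE = "application/vnd.ossindex.component-report-request.v1+json"
ACCEPT_TYPE = "application/vnd.ossindex.component-report.v1+json"

def ossindex_batch_fails(coordinates: List[str]) -> bool:
    """Live probe: POST one batch the way the analyzer does; True only when OSS Index answers 500."""
    body = json.dumps({"coordinates": coordinates}).encode()
    req = urllib.request.Request(OSSINDEX_URL, data=body, method="POST",
                                 headers={"Content-Type": REQUEST_TYPE, "Accept": ACCEPT_TYPE})
    try:
        with urllib.request.urlopen(req, timeout=60):
            return False
    except urllib.error.HTTPError as err:
        return err.code == 500  # other statuses (rate limiting etc.) are not the bug being bisected

def find_culprits(coordinates: List[str], fails: Callable[[List[str]], bool]) -> List[str]:
    """Split a failing batch in halves and recurse into every failing half, so it also
    returns all culprits in the 'both halves fail' case the thread warns about."""
    if not coordinates or not fails(coordinates):
        return []
    if len(coordinates) == 1:
        return list(coordinates)
    mid = len(coordinates) // 2
    return find_culprits(coordinates[:mid], fails) + find_culprits(coordinates[mid:], fails)

def coordinates_from_log_line(line: str) -> List[str]:
    """Pull the JSON payload out of a '[DEBUG] POST ...; payload: {...} (...)' line."""
    start = line.index("payload: ") + len("payload: ")
    end = line.index("}", start) + 1  # purls are URL-encoded, so the first '}' closes the object
    return json.loads(line[start:end])["coordinates"]

def simulated_probe(known_bad: set) -> Callable[[List[str]], bool]:
    """Offline stand-in for ossindex_batch_fails: a batch 'fails' if it contains any known-bad purl."""
    return lambda batch: any(c in known_bad for c in batch)

# Constructed sample log line (four purls taken from the issue's payload, not the full list).
SAMPLE_LOG_LINE = (
    '[DEBUG] POST https://ossindex.sonatype.org/api/v3/component-report; payload: '
    '{"coordinates":["pkg:maven/junit/junit@4.12","pkg:maven/jgroups/jgroups@2.6.13.GA",'
    '"pkg:maven/joda-time/joda-time@2.10.10","pkg:maven/org.jasypt/jasypt@1.9.3"]} '
    '(application/vnd.ossindex.component-report-request.v1+json)'
)
```

Against the real log, run `find_culprits(coordinates_from_log_line(line), ossindex_batch_fails)`; each returned purl is one to report to Sonatype.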

aikebah commented 1 year ago

For the failing package you'll be able to trigger the same error on their search web interface (https://ossindex.sonatype.org/search) by pasting the packageURL in the search field and keeping the dropdown at the default 'all ecosystems'. If you don't have access to tools to fire API requests directly, you could use that same form to try the package-urls from the payload one by one (would likely take you more time to find the problematic library compared to the bi-secting).

aikebah commented 1 year ago

Note that as a workaround until Sonatype OSSIndex has fixed the issue you can configure your maven builds to only warn you about the error with the new ossIndexWarnOnlyOnRemoteErrors configuration option introduced in v8.0.0 (#5300, with a chance of false negatives for vulnerabilities that are only registered within OSSIndex).

mjrother commented 1 year ago

Thanks for the help.