Open rk7373 opened 1 year ago
try a supported version: https://github.com/jeremylong/DependencyCheck/security/policy
log when using 8.0.0
10:45:12 [WARNING] An error occurred while analyzing '../.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar' (Sonatype OSS Index Analyzer).
10:45:12 [DEBUG]
10:45:12 org.owasp.dependencycheck.analyzer.exception.AnalysisException: Failed to request component-reports
10:45:12 at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:155)
10:45:12 at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
10:45:12 at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
10:45:12 at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
10:45:12 at java.util.concurrent.FutureTask.run (FutureTask.java:266)
10:45:12 at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1149)
10:45:12 at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:624)
10:45:12 at java.lang.Thread.run (Thread.java:750)
10:45:12 Caused by: org.sonatype.ossindex.service.client.transport.Transport$TransportException: Unexpected response; status: 500
Narrowed it down to two packages not available, 404 not found
https://repo1.maven.org/maven2/org/jboss/cache/jbosscache-core/
https://repo1.maven.org/maven2/net/sf/ehcache/sizeof-agent/
Reached out to Maven Central, who have replied that the above artifacts have never been available on repo1.maven.org
The error you are seeing is the same as reported for jgroups (#5154). This is failing on the OSS Index search:
https://ossindex.sonatype.org/component/pkg:maven/org.jboss.cache/jbosscache-core@3.2.7.GA
Best option at this point for the project is to disable the OSS Index Analyzer.
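To narrow a failing batch down the way the reporter did, the jar paths in the dependency-check log can be turned into package URLs and OSS Index component links like the one quoted above. The following is an added example, not code from the thread or from dependency-check; the function names and the sample log (assembled from lines quoted in this issue) are assumptions. A warning names the dependency being analyzed when the request failed, which is not necessarily the component OSS Index cannot resolve (the thread notes the same logback-classic version passes in another app), so the scanned list matters as much as the failed one.

```python
import re

# URL form quoted in the thread for the OSS Index component page
OSSINDEX_COMPONENT = "https://ossindex.sonatype.org/component/"
QUOTED_PATH = re.compile(r"'([^']+)'\s+\(Sonatype OSS Index Analyzer\)")

def path_to_purl(path):
    """Map <repo>/<group dirs>/<artifact>/<version>/<file>.jar to a Maven purl."""
    marker = ".m2/repository/"
    if marker not in path or not path.endswith(".jar"):
        return None  # e.g. node_modules/.../package.json entries
    parts = path.split(marker, 1)[1].split("/")
    if len(parts) < 4:
        return None
    *group, artifact, version, filename = parts
    if not filename.startswith(f"{artifact}-{version}"):
        return None  # not a standard local-repository layout
    return f"pkg:maven/{'.'.join(group)}/{artifact}@{version}"

def purls_from_log(log_text):
    """Return (failed, scanned) purl lists in first-seen order, de-duplicated."""
    failed, scanned = [], []
    for line in log_text.splitlines():
        match = QUOTED_PATH.search(line)
        purl = path_to_purl(match.group(1)) if match else None
        if purl is None:
            continue
        bucket = failed if "An error occurred while analyzing" in line else scanned
        if purl not in bucket:
            bucket.append(purl)
    return failed, scanned

def component_url(purl):
    """Build the OSS Index component page URL for a purl."""
    return OSSINDEX_COMPONENT + purl

# Constructed sample: log lines copied from this issue, combined into one input.
SAMPLE_LOG = """\
[DEBUG] Begin Analysis of '../.m2/repository/org/quartz-scheduler/quartz/2.3.2/quartz-2.3.2.jar' (Sonatype OSS Index Analyzer)
[DEBUG] Begin Analysis of '../check-dependency/war-build-test-2/code/web/static_files/node_modules/jquery/package.json' (Sonatype OSS Index Analyzer)
[WARNING] An error occurred while analyzing '../.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar' (Sonatype OSS Index Analyzer).
[WARNING] An error occurred while analyzing '.../.m2/repository/javax/ejb/javax.ejb-api/3.2.2/javax.ejb-api-3.2.2.jar' (Sonatype OSS Index Analyzer).
"""

if __name__ == "__main__":
    failed, scanned = purls_from_log(SAMPLE_LOG)
    for purl in failed:
        print("failed :", component_url(purl))
    for purl in scanned:
        print("scanned:", component_url(purl))
```
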
Describe the bug
Since Jan 13 2023 we have been getting errors on dependency-check when building packages
We are using maven plugin 3.6.2 and dependency check plugin 5.3.0
example 1
[WARNING] An error occurred while analyzing '.../.m2/repository/javax/ejb/javax.ejb-api/3.2.2/javax.ejb-api-3.2.2.jar' (Sonatype OSS Index Analyzer).
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:aggregate (default-cli) on project {appname}-parent: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis:
[ERROR] Failed to request component-reports
example 2
[WARNING] An error occurred while analyzing '.../.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar' (Sonatype OSS Index Analyzer)
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:aggregate (default-cli) on project {appname}-parent: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis:
[ERROR] Failed to request component-reports
Currently using dependency check version 5.3.0; we have tried updating to 7.4.4 and 8.0.0.
We have one app that uses logback classic and this completes the dependency check, whereas another app that is using the same version of logback classic is failing.
We have created a user account for oss index and specified the creds in the settings.xml so that we are not rate throttled but still unable to complete the dependency check
Version of dependency-check used
maven plugin 3.6.2 and dependency check plugin 5.3.0
Log file
14:40:31 [DEBUG] Begin Analysis of '../check-dependency/war-build-test-2/code/web/static_files/node_modules/jquery/package.json' (Sonatype OSS Index Analyzer)
14:40:31 [DEBUG] Begin Analysis of '../check-dependency/war-build-test-2/code/web/static_files/node_modules/jquery-ui-dist/package.json' (Sonatype OSS Index Analyzer)
14:40:31 ndencycheck.analyzer.exception.AnalysisException: Failed to request component-reports
14:40:31 at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:145)
14:40:31 at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
14:40:31 at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
14:40:31 at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
14:40:31 at java.util.concurrent.FutureTask.run (FutureTask.java:266)
14:40:31 at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1149)
14:40:31 at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:624)
14:40:31 at java.lang.Thread.run (Thread.java:750)
14:40:31 Caused by: org.sonatype.ossindex.service.client.transport.Transport$TransportException: Unexpected response; status: 500

2023-01-20T09:28:20.331Z] [DEBUG] Begin Analysis of '../.m2/repository/org/quartz-scheduler/quartz/2.3.2/quartz-2.3.2.jar' (Sonatype OSS Index Analyzer)
[2023-01-20T09:28:20.331Z] [DEBUG] Begin Analysis of '../.m2/repository/com/mchange/c3p0/0.9.5.4/c3p0-0.9.5.4.jar' (Sonatype OSS Index Analyzer)
[2023-01-20T09:28:20.331Z] [DEBUG] Begin Analysis of '../.m2/repository/com/mchange/mchange-commons-java/0.2.15/mchange-commons-java-0.2.15.jar' (Sonatype OSS Index Analyzer)
[2023-01-20T09:28:20.331Z] [DEBUG] Begin Analysis of '../.m2/repository/com/zaxxer/HikariCP-java7/2.4.13/HikariCP-java7-2.4.13.jar' (Sonatype OSS Index Analyzer)
[2023-01-20T09:28:20.331Z] [DEBUG] Begin Analysis of '../.m2/repository/com/oracle/ojdbc6/11.2.0.3/ojdbc6-11.2.0.3.jar' (Sonatype OSS Index Analyzer)
[2023-01-20T09:28:20.331Z] at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:145)
[2023-01-20T09:28:20.331Z] at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
[2023-01-20T09:28:20.331Z] at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
[2023-01-20T09:28:20.331Z] at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
[2023-01-20T09:28:20.331Z] at java.util.concurrent.FutureTask.run (FutureTask.java:266)
[2023-01-20T09:28:20.331Z] at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1149)
[2023-01-20T09:28:20.331Z] at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:624)
[2023-01-20T09:28:20.331Z] at java.lang.Thread.run (Thread.java:750)
[2023-01-20T09:28:20.331Z] Caused by: org.sonatype.ossindex.service.client.transport.Transport$TransportException: Unexpected response; status: 500
[2023-01-20T09:28:20.331Z] at org.sonatype.ossindex.service.client.transport.HttpUrlConnectionTransport.post (HttpUrlConnectionTransport.java:106)
[2023-01-20T09:28:20.331Z] at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.doRequestComponentReports (OssindexClientImpl.java:204)
[2023-01-20T09:28:20.331Z] at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.requestComponentReports (OssindexClientImpl.java:170)
[2023-01-20T09:28:20.331Z] at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.requestReports (OssIndexAnalyzer.java:197)
[2023-01-20T09:28:20.331Z] at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:138)
[2023-01-20T09:28:20.331Z] at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
[2023-01-20T09:28:20.331Z] at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
[2023-01-20T09:28:20.331Z] at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
[2023-01-20T09:28:20.331Z] at java.util.concurrent.FutureTask.run (FutureTask.java:266)
[2023-01-20T09:28:20.331Z] at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1149)
[2023-01-20T09:28:20.331Z] at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:624)
[2023-01-20T09:28:20.331Z] at java.lang.Thread.run (Thread.java:750)
To Reproduce
Steps to reproduce the behavior: In Jenkins pipeline, run mvn package with dependency check
stage('Run owasp dependency report') {
    steps {
        dir(codeDir) {
            withMaven(maven: 'Maven 3.6.2') {
                withEnv(["JAVA_HOME=${path to java}"]) {
                    sh "mvn package dependency-check:aggregate -DskipTests"
                }
            }
        }
    }
}
Expected behavior
dependency check report created