jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Dependency Check exited with an error code (exit code: 14). #5549

Open jiri-bocan opened 1 year ago

jiri-bocan commented 1 year ago

Describe the bug

After updating to the latest version 8.1.2, some of the repo scans started failing with exit code 14.

Version of dependency-check used

Installed prerequisite: .NET SDK 6.x (for Linux) via Azure pipeline. OWASP 8.1.2 downloaded and installed in a separate task. A scan task is as follows (OWASPDependencyCheck@0 deprecated, using dependency-check-build-task@6 instead; since the localInstallPath is specified, nothing is installed there):

- task: dependency-check-build-task@6
  displayName: 'OWASP Dependency Scanning (Linux)'
  inputs:
    projectName: '$(System.TeamProject)'
    scanPath: '$(Build.SourcesDirectory)'
    format: 'ALL'
    reportsDirectory: '$(Agent.TempDirectory)/dependency-scan-results'
    additionalArguments: '--proxyserver xxx --proxyport xxx'
    localInstallPath: '/workspace/_tool/owasp-dependency-check/8.1.2/x64/dependency-check/'
    dependencyCheckVersion: '8.1.2'

Log file

[INFO] Analysis Started
...
[WARN] An error occurred while analyzing '/workspace/42/s/.store/dotnet-reportgenerator-globaltool/5.1.19/dotnet-reportgenerator-globaltool/5.1.19/tools/net5.0/any/DotNetConfig.dll' (Sonatype OSS Index Analyzer).
...
[INFO] Analysis Complete (206 seconds)
[INFO] Writing report to: /workspace/_temp/dependency-scan-results/dependency-check-report.xml
[INFO] Writing report to: /workspace/_temp/dependency-scan-results/dependency-check-report.html
[INFO] Writing report to: /workspace/_temp/dependency-scan-results/dependency-check-report.json
[INFO] Writing report to: /workspace/_temp/dependency-scan-results/dependency-check-report.csv
[INFO] Writing report to: /workspace/_temp/dependency-scan-results/dependency-check-report.sarif
[INFO] Writing report to: /workspace/_temp/dependency-scan-results/dependency-check-jenkins.html
[INFO] Writing report to: /workspace/_temp/dependency-scan-results/dependency-check-junit.xml
[ERROR] Failed to request component-reports

Dependency Check completed with exit code 14.
Dependency Check reports:
[ '/workspace/_temp/dependency-scan-results/dependency-check-jenkins.html',
  '/workspace/_temp/dependency-scan-results/dependency-check-junit.xml',
  '/workspace/_temp/dependency-scan-results/dependency-check-report.csv',
  '/workspace/_temp/dependency-scan-results/dependency-check-report.html',
  '/workspace/_temp/dependency-scan-results/dependency-check-report.json',
  '/workspace/_temp/dependency-scan-results/dependency-check-report.sarif',
  '/workspace/_temp/dependency-scan-results/dependency-check-report.xml' ]
Dependency Check failed with message "Dependency Check exited with an error code (exit code: 14)."
##[error]Dependency Check exited with an error code (exit code: 14).
Ending Dependency Check...

Expected behavior

Likely to throw a warning (or error) but proceed without failing the entire build.

Additional context

Versions between 7.0.0 and 8.1.0 (inclusive) have not reported the above-mentioned issue for a given repository.

jeremylong commented 1 year ago

See https://github.com/jeremylong/DependencyCheck/issues/5154 and the ticket we opened with the OSS Index: https://github.com/sonatype/ossindex-public/issues/42

jiri-bocan commented 1 year ago

Thanks, @jeremylong. But that ossindex issue seems unrelated to the exit code 14, right? Plus, as mentioned, we have not seen this in versions before 8.1.2.

jeremylong commented 1 year ago

Pretty much any non-fatal error will return an exit code of 14:

https://github.com/jeremylong/DependencyCheck/blob/b6c5ec3ed84aa703eb8e5d433437c533b7697c2b/cli/src/main/java/org/owasp/dependencycheck/App.java#L204-L209
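An added example, not code from the project or from anyone in this thread: a POSIX sh wrapper for the pipeline above that applies the exit-code mapping described in the comment (14 = analysis finished with a non-fatal error), logs it as an Azure Pipelines warning rather than a failed build, and counts the skipped-dependency warnings in the console log so the warning is not silent. The function names, the log-file handling and the treatment of every other non-zero status as fatal are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical CI wrapper, not part of dependency-check or the Azure task.
# Exit-code meaning taken from the comment above: 0 = clean run, 14 = analysis
# completed but at least one non-fatal error occurred. Treating any other
# non-zero status as fatal is an assumption of this wrapper.
classify_exit() {
  case "$1" in
    0)  echo ok ;;
    14) echo warn ;;
    *)  echo fail ;;
  esac
}

# Count the per-dependency analyzer failures (the "[WARN] An error occurred
# while analyzing ..." lines in the log above) so the warning states how much
# of the scan was skipped instead of passing silently.
count_analyzer_errors() {
  grep -c 'An error occurred while analyzing' "$1" || true
}

# run_scan <log-file> <command...>: runs dependency-check, keeps its console
# output in <log-file>, and maps exit 14 to an Azure Pipelines warning
# (##vso[task.logissue]) instead of a failed build. Returns 0 for ok/warn and
# the original status for anything else.
run_scan() {
  scan_log=$1; shift
  "$@" >"$scan_log" 2>&1 && scan_rc=0 || scan_rc=$?
  cat "$scan_log"
  case "$(classify_exit "$scan_rc")" in
    ok)   return 0 ;;
    warn)
      n=$(count_analyzer_errors "$scan_log")
      echo "##vso[task.logissue type=warning]dependency-check exit 14: $n dependency analysis error(s); findings may be incomplete"
      return 0 ;;
    *)
      echo "##vso[task.logissue type=error]dependency-check failed (exit $scan_rc)"
      return "$scan_rc" ;;
  esac
}

# Example invocation (install path assumed from the pipeline task above):
# run_scan "$AGENT_TEMPDIRECTORY/dependency-check.log" \
#   /workspace/_tool/owasp-dependency-check/8.1.2/x64/dependency-check/bin/dependency-check.sh \
#   --project "$SYSTEM_TEAMPROJECT" --scan "$BUILD_SOURCESDIRECTORY" --format ALL
```

Note that a warn result still means some dependencies were never checked against OSS Index, so the report for that run should be read as incomplete rather than clean.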

Was85 commented 1 year ago

Running the OWASP scan in the DevOps pipeline failed with the same error if the project targetFramework is net standard. However, does setting the target to 452 or 462 work fine?

net452;net462

jiri-bocan commented 1 year ago

The team is using .NET Core 6. But will keep this in mind. Thanks, @Was85.

lachlann562 commented 1 year ago

I just encountered it this morning as well; our devops pipeline failed for all projects.

In the report, they all show this error:

java.lang.NullPointerException
exception: org.owasp.dependencycheck.analyzer.exception.AnalysisException: java.lang.NullPointerException
org.owasp.dependencycheck.analyzer.MSBuildProjectAnalyzer.analyzeDependency(MSBuildProjectAnalyzer.java:210)
org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
java.util.concurrent.FutureTask.run(FutureTask.java:266)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
java.lang.Thread.run(Thread.java:748)
$enc.html($ex.getMessage())

jeremylong commented 1 year ago

@lachlann562 this is a different error - which will be fixed in 8.2.1.

SerPapanin commented 1 year ago

What about this issue? Is it closed in the latest versions?