jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Maven Plugin java.lang.NoClassDefFoundError after NVD download error #6161

Closed pippolino closed 11 months ago

pippolino commented 11 months ago

Describe the bug

After an error downloading the NVD from NIST via the API, a java.lang.NoClassDefFoundError exception is thrown.

Version of dependency-check used

The problem occurs using version 9.0.1 of the Maven plugin.

Log file

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:9.0.1:update-only (default-cli) on project update-nvd-data: An exception occurred while downloading updates. Please see the log file for more details.: Error updating the NVD Data: NVD Returned Status Code: 403 -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
Exception in thread "Thread-1" java.lang.NoClassDefFoundError: org/apache/commons/jcs3/engine/CacheStatus
    at org.apache.commons.jcs3.auxiliary.disk.AbstractDiskCache.getStatus(AbstractDiskCache.java:493)
    at org.apache.commons.jcs3.engine.control.CompositeCache.dispose(CompositeCache.java:1232)
    at org.apache.commons.jcs3.engine.control.CompositeCacheManager.freeCache(CompositeCacheManager.java:580)
    at org.apache.commons.jcs3.engine.control.CompositeCacheManager.freeCache(CompositeCacheManager.java:567)
    at java.base/java.util.concurrent.ConcurrentHashMap$KeySetView.forEach(ConcurrentHashMap.java:4696)
    at org.apache.commons.jcs3.engine.control.CompositeCacheManager.shutDown(CompositeCacheManager.java:620)
    at org.apache.commons.jcs3.engine.control.CompositeCacheManager.lambda$initialize$0(CompositeCacheManager.java:248)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.lang.ClassNotFoundException: org.apache.commons.jcs3.engine.CacheStatus
    at org.codehaus.plexus.classworlds.strategy.SelfFirstStrategy.loadClass(SelfFirstStrategy.java:50)
    at org.codehaus.plexus.classworlds.realm.ClassRealm.unsynchronizedLoadClass(ClassRealm.java:271)
    at org.codehaus.plexus.classworlds.realm.ClassRealm.loadClass(ClassRealm.java:247)
    at org.codehaus.plexus.classworlds.realm.ClassRealm.loadClass(ClassRealm.java:239)
    ... 8 more
The process '/usr/bin/mvn' failed with exit code 1

Full log here

To Reproduce

pom.xml used on the pipeline:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.sample.devsecops</groupId>
    <artifactId>update-nvd-data</artifactId>
    <version>${revision}</version>
    <packaging>pom</packaging>

    <properties>
        <revision>1.0.0</revision>
        <dependency-check-version>9.0.1</dependency-check-version>
        <postgresql-version>42.7.0</postgresql-version>
        <nvdApiKey/>
        <dbDriverName/>
        <dbConnectionString/>
        <dbUser/>
        <dbPassword/>
    </properties>

    <dependencies>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>${dependency-check-version}</version>
                <executions>
                    <execution>
                        <goals>
                            <!-- update-only refreshes the NVD data without running a scan -->
                            <goal>update-only</goal>
                        </goals>
                    </execution>
                </executions>
                <!-- PostgreSQL JDBC driver added to the plugin's own classpath -->
                <dependencies>
                    <dependency>
                        <groupId>org.postgresql</groupId>
                        <artifactId>postgresql</artifactId>
                        <version>${postgresql-version}</version>
                    </dependency>
                </dependencies>
                <!-- Database connection and NVD API key come from the properties declared above -->
                <configuration>
                    <databaseDriverName>${dbDriverName}</databaseDriverName>
                    <connectionString>${dbConnectionString}</connectionString>
                    <databaseUser>${dbUser}</databaseUser>
                    <databasePassword>${dbPassword}</databasePassword>
                    <nvdApiKey>${nvdApiKey}</nvdApiKey>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>

Expected behavior

No java.lang.NoClassDefFoundError

jeremylong commented 11 months ago

see #6141