jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Java Version check broken #6483

Closed ryanhamilton closed 6 months ago

ryanhamilton commented 7 months ago

Describe the bug: "Non-supported Java Runtime: dependency-check requires at least Java 8 update 251 or higher." when I am running Java 9. The attempt to parse the Java version seems a worse idea than just letting the code fail or using reflection to check if it exists.

Version of dependency-check used: classpath 'org.owasp:dependency-check-gradle:9.0.9'

Log file:

ray@RYAN-BOX-1 F:\dev2\sqldash3\server
$ gradle dependencyCheckAnalyze
Starting a Gradle Daemon (subsequent builds will be faster)

> Task :server:dependencyCheckAnalyze FAILED
Non-supported Java Runtime: dependency-check requires at least Java 8 update 251 or higher.

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':server:dependencyCheckAnalyze'.
> dependency-check requires Java 8 update 251 or higher

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 40s
1 actionable task: 1 executed

ray@RYAN-BOX-1 F:\dev2\sqldash3\server
$ java -version
java version "9"
Java(TM) SE Runtime Environment (build 9+176)
Java HotSpot(TM) 64-Bit Server VM (build 9+176, mixed mode)

ray@RYAN-BOX-1 F:\dev2\sqldash3\server
$ gradle -version

------------------------------------------------------------
Gradle 7.6.4
------------------------------------------------------------

Build time:   2024-02-05 14:29:18 UTC
Revision:     e0bb3fc8cefad8432c9033cdfb12dc14facc9dd9

Kotlin:       1.7.10
Groovy:       3.0.13
Ant:          Apache Ant(TM) version 1.10.13 compiled on January 4 2023
JVM:          1.8.0_211 (Oracle Corporation 25.211-b12)
OS:           Windows 10 10.0 amd64

Code: https://github.com/jeremylong/DependencyCheck/blob/5df22e2a86ecef5822239122958403363f347641/core/src/main/java/org/owasp/dependencycheck/Engine.java#L1296

jeremylong commented 7 months ago

Did you look at the Java version in your call to gradle -version? From your output: JVM: 1.8.0_211

Gradle is using Java 8 update 211.
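The two things this thread turns on are the format of the JVM version string (the legacy "1.8.0_211" form versus the "9" / "11.0.2" form introduced with Java 9) and which JVM is actually being checked (Gradle's daemon JVM, as printed by gradle -version, rather than the java on PATH). The following is an added example written for this page; it is not dependency-check's own code and not the check linked above. It implements a version gate for the 8u251 floor stated in the error message, prefers the reflection approach the reporter suggests (Runtime.version() only exists on Java 9+), and falls back to parsing java.version on Java 8. The class and method names and the sample strings other than 1.8.0_211 and 9 are assumptions made for the example.

```java
import java.util.Optional;

public class JavaVersionCheck {

    // Minimum required runtime: Java 8 update 251 (the floor quoted in the error message above).
    static final int MIN_FEATURE = 8;
    static final int MIN_UPDATE_FOR_8 = 251;

    /**
     * Decide from a java.version string whether the runtime meets the minimum.
     * Handles the legacy "1.<feature>.<minor>_<update>" form (JDK <= 8) and the
     * JEP 223 "<feature>[.<interim>[.<update>]]" form (JDK >= 9), ignoring any
     * "+build" or "-ea" suffix. Returns empty for an unrecognised string so the
     * caller can choose between failing closed and falling through.
     */
    static Optional<Boolean> isSupported(String version) {
        if (version == null) {
            return Optional.empty();
        }
        String v = version.split("[+-]")[0]; // drop "+9", "-ea", "-b08" style suffixes
        try {
            if (v.startsWith("1.")) {
                // Legacy scheme, e.g. "1.8.0_211" -> feature 8, update 211
                String[] parts = v.substring(2).split("\\.");
                int feature = Integer.parseInt(parts[0]);
                int update = 0;
                if (parts.length > 1 && parts[1].contains("_")) {
                    update = Integer.parseInt(parts[1].substring(parts[1].indexOf('_') + 1));
                }
                if (feature > MIN_FEATURE) return Optional.of(true);
                if (feature < MIN_FEATURE) return Optional.of(false);
                return Optional.of(update >= MIN_UPDATE_FOR_8);
            }
            // JEP 223 scheme, e.g. "9", "11.0.2", "17.0.9": the leading number is the feature release
            int feature = Integer.parseInt(v.split("\\.")[0]);
            return Optional.of(feature > MIN_FEATURE);
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
    }

    /**
     * Reflection-first check of the JVM this code is running in. Runtime.version()
     * was added in Java 9, so its mere presence proves the runtime is above the
     * 8u251 floor; only on Java 8 do we need to parse the version string at all.
     */
    static boolean runningJvmIsSupported() {
        try {
            Runtime.class.getMethod("version");
            return true;
        } catch (NoSuchMethodException e) {
            return isSupported(System.getProperty("java.version")).orElse(false);
        }
    }

    public static void main(String[] args) {
        // Constructed sample strings (assumption): only "1.8.0_211" and "9" appear in the thread.
        String[] samples = {"1.8.0_211", "1.8.0_251", "1.8.0_301", "9", "11.0.2", "17.0.9+9", "1.7.0_80", "garbage"};
        for (String s : samples) {
            System.out.printf("%-12s -> %s%n", s,
                    isSupported(s).map(String::valueOf).orElse("unrecognised"));
        }
        // In a Gradle build this runs inside the daemon's JVM, i.e. the "JVM:" line of
        // `gradle -version`, which can differ from whatever `java -version` reports on PATH.
        System.out.println("java.version=" + System.getProperty("java.version")
                + " supported=" + runningJvmIsSupported());
    }
}
```

Run with a Java 8 and a Java 9+ JDK to see the two code paths: on 8u211 the string parser reports false (update below 251), while on any Java 9+ runtime the reflection probe succeeds and no parsing is attempted. To make a Gradle build use a particular JDK rather than the one that launched the daemon, set org.gradle.java.home in gradle.properties, then re-check the "JVM:" line of gradle -version.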

ryanhamilton commented 6 months ago

My bad. Thanks Jeremy.

FYI I've tried working with Synopsys Black Duck and JFrog Xray to perform CVE scans; both have been terrible experiences. Yours was the only tool that worked well.

Black Duck literally know they show a lot of false positives for large Java frameworks (https://community.synopsys.com/s/article/General-guidance-about-multiple-false-positives-from-Black-Duck-scan): "there are components that come from large frameworks (such as Java, OpenSSL, etc) which are commonly impacted by false positives" "For these cases, we generally recommend ignoring the component".

JFrog marked my jar as fine and never detected any packages.

Perhaps consider starting a commercial offering :)