Closed cirata-trev closed 5 months ago
The stacktrace from the gradle scan is:
Caused by: java.lang.NoClassDefFoundError: Could not initialize class org.apache.commons.text.StringEscapeUtils
at org.owasp.dependencycheck.reporting.EscapeTool.html(EscapeTool.java:74)
at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.doInvoke(UberspectImpl.java:571)
at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.invoke(UberspectImpl.java:554)
at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:221)
at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368)
at org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:492)
at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439)
at org.apache.velocity.runtime.RuntimeInstance.render(RuntimeInstance.java:1519)
at org.apache.velocity.runtime.RuntimeInstance.evaluate(RuntimeInstance.java:1450)
at org.apache.velocity.app.VelocityEngine.evaluate(VelocityEngine.java:239)
at org.owasp.dependencycheck.reporting.ReportGenerator.processTemplate(ReportGenerator.java:470)
at org.owasp.dependencycheck.reporting.ReportGenerator.processTemplate(ReportGenerator.java:428)
at org.owasp.dependencycheck.reporting.ReportGenerator.write(ReportGenerator.java:359)
at org.owasp.dependencycheck.reporting.ReportGenerator.write(ReportGenerator.java:326)
at org.owasp.dependencycheck.Engine.writeReports(Engine.java:1264)
at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.analyze(AbstractAnalyze.groovy:120)
at org.gradle.internal.reflect.JavaMethod.invoke(JavaMethod.java:125)
at org.gradle.api.internal.project.taskfactory.StandardTaskAction.doExecute(StandardTaskAction.java:58)
Looks like you have an incompatible version of Apache commons-text on the classpath of your Gradle build that is overriding the transitive dependency of the Gradle plugin.
FYI, dependencyCheck expects version 1.11.0 on the classpath.
Based on your gist (the link you have put in was wrong, but I managed to uncover the gist based on your GitHub account) I suspect that Gradle puts version 1.9.0 on the classpath.
Which classpath is the dependency-check using? When I run the gradle dependencies task, the only time commons-text appears is as a spotbugs dependency (commons-text:1.10.0). However, the scanConfiguration property for the dependency-check does not include spotbugs, for obvious reasons.
./gradlew buildEnv
Ah, got it thanks. It looks like the nebula plugin was causing the issues. Thanks very much for the help, this is now resolved.
Describe the bug: When running dependencyCheckAnalyze from Gradle in our project, the report writing fails and we see the following in the Gradle task output:
The debug log output isn't helpful in giving any more information. However, running ./gradlew dependencyCheckAnalyze --scan does show the stacktrace and a little more information which seems to indicate that the (Apache Commons) StringEscapeUtils class isn't found.
The dependency-check report is partially written and ends with:
Version of dependency-check used: The problem occurs using version 9.1.0 of the Gradle plugin.
Log file: https://gist.github.com/wandisco-trev/a88fc49683ad68e2de4d22c0e0b1e175
To Reproduce: Steps to reproduce the behavior:
Expected behavior: I expect the report to be generated.
Additional context: Using Gradle 7.6.4, although the problem is also reproducible on Gradle 8.5. Sometimes it manifests as the inability to find the Range.of(Comparable, Comparable) method.
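
The diagnosis in this thread came from inspecting the buildscript classpath with `./gradlew buildEnv`. As an added example (not part of the original thread or of the dependency-check project), the Python script below scans saved `buildEnvironment` output for modules that were resolved to a lower version than the one requested, which is the situation described for commons-text. The sample tree is constructed: only the commons-text versions 1.11.0 and 1.9.0 and the plugin version 9.1.0 come from the thread, and the function names are hypothetical.

```python
import re
import sys

# Constructed sample of `./gradlew buildEnvironment` output. Only 9.1.0 and the
# commons-text versions 1.11.0 / 1.9.0 come from the thread; every other
# coordinate and version here is constructed for illustration.
SAMPLE = r"""
classpath
+--- org.owasp:dependency-check-gradle:9.1.0
|    \--- org.owasp:dependency-check-core:9.1.0
|         +--- org.apache.commons:commons-text:1.11.0 -> 1.9.0
|         +--- org.apache.commons:commons-lang3:3.14.0 -> 3.12.0
|         \--- org.slf4j:slf4j-api:1.7.30 -> 2.0.9
\--- com.example:version-pinning-plugin:1.0.0
     \--- org.apache.commons:commons-text:1.9.0
"""

# Gradle prints "group:name:requested -> selected" when resolution changed a version.
EDGE = re.compile(r"([\w.\-]+):([\w.\-]+):([\w.\-]+) -> ([\w.\-]+)")


def version_key(version):
    """Dotted version as an int tuple; non-numeric parts (e.g. 'RC1') count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def find_downgrades(report):
    """Return sorted (module, requested, selected) where selected < requested."""
    found = set()
    for line in report.splitlines():
        match = EDGE.search(line)
        if match:
            group, name, requested, selected = match.groups()
            if version_key(selected) < version_key(requested):
                found.add((f"{group}:{name}", requested, selected))
    return sorted(found)


if __name__ == "__main__":
    # Usage: ./gradlew buildEnvironment > env.txt && python3 this_script.py env.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for module, requested, selected in find_downgrades(text):
        print(f"{module}: requested {requested}, resolved to {selected}")
```

Upgrades such as the constructed slf4j-api line are not reported; only downgrades, which can remove classes or methods a plugin was compiled against, are listed.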