jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

ODC container fails to connect to "central" #6994

Open elafontaine opened 2 days ago

elafontaine commented 2 days ago

Describe the bug

Since the last update, our jobs have been failing to execute the "Central Analyzer":

[ERROR] Could not connect to Central search. Analysis failed.
java.io.IOException: Finally failed connecting to Central search. Giving up after 7 tries.
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts(CentralAnalyzer.java:363)
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.analyzeDependency(CentralAnalyzer.java:228)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
    at java.base/java.lang.Thread.run(Thread.java:1570)
Caused by: java.io.IOException: Could not connect to MavenCentral (504): Gateway Time-out
    at org.owasp.dependencycheck.data.central.CentralSearch.searchSha1(CentralSearch.java:232)
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts(CentralAnalyzer.java:340)
    ... 8 common frames omitted

Version of dependency-check used

latest

Log file

[ERROR] Could not connect to Central search. Analysis failed.
java.io.IOException: Finally failed connecting to Central search. Giving up after 7 tries.
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts(CentralAnalyzer.java:363)
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.analyzeDependency(CentralAnalyzer.java:228)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
    at java.base/java.lang.Thread.run(Thread.java:1570)
Caused by: java.io.IOException: Could not connect to MavenCentral (504): Gateway Time-out
    at org.owasp.dependencycheck.data.central.CentralSearch.searchSha1(CentralSearch.java:232)
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts(CentralAnalyzer.java:340)
    ... 8 common frames omitted

To Reproduce

Steps to reproduce the behavior:

  1. compile your java jars under target
  2. use the container to analyse the local directory (docker run -it -v $(pwd):/data sh)
  3. execute this ; /usr/share/dependency-check/bin/dependency-check.sh --failOnCVSS 5 --noupdate --out "target" --scan 'target/**/*.jar' ${SUPPRESSION_FILE_PATH:+--suppression "$SUPPRESSION_FILE_PATH"}
  4. Observe error

Expected behavior

No error OR errors because of vulnerabilities found in the jars.

Additional context

This is run in a pipeline with internet access, so the error makes no sense to me... I will try to confirm the direct connectivity to the default URI:

                .addOption(newOptionWithArg(ARGUMENT.CENTRAL_URL, "url",
                        "Alternative URL for Maven Central Search. If not set the public Sonatype Maven Central will be used."))
cortex35 commented 2 days ago

Same error for us. Since the last time this worked, we haven't made any changes to my knowledge. The error appeared this morning.

elafontaine commented 2 days ago

I think this may be an issue on central itself, but I wouldn't be putting my hand in the fire for that. I just did a basic GET on the URI https://search.maven.org/solrsearch/select and it took a good 15 seconds to get an actual response (400) after the TLS was established... This may explain why my jobs are hanging over an hour.
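The direct connectivity check described above, as an added example (not part of the issue or of dependency-check itself): it builds the SHA1 lookup the CentralAnalyzer issues against the default search URL, times one attempt, and labels the outcome so that a 504 from Central's gateway is not mistaken for a proxy or firewall problem inside the pipeline. The Solr query shape and the verdict names are assumptions.

```python
"""Probe the Maven Central search endpoint the way the CentralAnalyzer does
(a SHA1 lookup) and classify the outcome. Added example, not project code.
Assumption: q=1:"<sha1>" is the search.maven.org Solr SHA1-lookup query."""
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

CENTRAL_SEARCH = "https://search.maven.org/solrsearch/select"
SAMPLE_SHA1 = "0" * 40  # constructed; an unknown hash still answers 200 with numFound=0


def sha1_query_url(sha1: str, base: str = CENTRAL_SEARCH) -> str:
    """Build the SHA1 lookup URL (assumed Solr query shape)."""
    if len(sha1) != 40 or any(c not in "0123456789abcdef" for c in sha1.lower()):
        raise ValueError("expected a 40-hex-char SHA1")
    return base + "?" + urllib.parse.urlencode({"q": f'1:"{sha1}"', "wt": "json"})


def classify(status: Optional[int], elapsed_s: float, timeout_s: float) -> str:
    """Tell a Central-side failure apart from one in our own egress path."""
    if status is None:
        # No HTTP response at all: either we ran out the clock (the hanging
        # jobs in the report) or DNS/proxy/firewall on our side failed fast.
        return "timeout" if elapsed_s >= timeout_s else "network"
    if status >= 500:
        return "upstream"  # 502/503/504 come from Central's gateway, as in the log
    if status >= 400:
        return "client"    # e.g. the 400 a bare GET without a query receives
    return "ok"


def probe(url: str, timeout_s: float = 10.0, opener=urllib.request.urlopen):
    """One attempt -> (status, elapsed seconds, verdict).
    `opener` is injectable so the classification can be exercised offline."""
    start = time.monotonic()
    status: Optional[int] = None
    try:
        with opener(url, timeout=timeout_s) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code          # server answered, keep its status code
    except OSError:
        status = None              # URLError, refused connection, socket timeout
    elapsed = time.monotonic() - start
    return status, elapsed, classify(status, elapsed, timeout_s)
```

Calling `probe(sha1_query_url(SAMPLE_SHA1))` up to seven times reproduces the analyzer's "Giving up after 7 tries" budget; a run of "upstream" or "timeout" verdicts points at Central, "network" at the pipeline's own egress.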

elafontaine commented 2 days ago

I think I hit the bullseye: https://status.maven.org/

aikebah commented 2 days ago

That's right. I already spotted the status-mail flood in my mailbox. I subscribed to their status updates at the time of an earlier, longer-lasting instability of their infrastructure (around the turn of the year 2022/2023), and traffic in the last few days was extraordinarily high (as is also reflected on the status page, where you see it turn reddish for the recent days and mostly green for the distant past).