jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Owasp 11.0 #7071

Open Xezol opened 2 hours ago

Xezol commented 2 hours ago

Hi!

All our pipelines for OWASP in Azure DevOps failed tonight after 11.0.0 was released. I got this error:

C:\Windows\system32\cmd.exe /D /S /C "D:\a_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.2.3\dependency-check\bin\dependency-check.bat --version"
Error: A JNI error has occurred, please check your installation and try again
Exception in thread "main" java.lang.UnsupportedClassVersionError: org/owasp/dependencycheck/App has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0

So I saw this issue https://github.com/dependency-check/azuredevops/issues/169

and tried adding a use java step before the check runs. steps:

Now I run into this error instead

"
C:\Windows\system32\cmd.exe /D /S /C "D:\a_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.2.3\dependency-check\bin\dependency-check.bat --version"
Dependency-Check Core version 11.0.0
Searching for left over lock files...
found no left over lock files, continuing...
C:\Windows\system32\cmd.exe /D /S /C "D:\a_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.2.3\dependency-check\bin\dependency-check.bat --project DBUpdate --out D:\a_temp\dependency-scan-results --scan D:\a\1\s --format ALL --updateonly --data D:\a\1\cvedata"
[ERROR] Incompatible or corrupt database found. To resolve this issue please remove the existing database by running purge
[ERROR] Incompatible or corrupt database found; run the purge command to resolve the issue
org.owasp.dependencycheck.data.nvdcve.DatabaseException: Incompatible or corrupt database found; run the purge command to resolve the issue
    at org.owasp.dependencycheck.data.nvdcve.DatabaseManager.initialize(DatabaseManager.java:205)
    at org.owasp.dependencycheck.data.nvdcve.DatabaseManager.(DatabaseManager.java:125)
    at org.owasp.dependencycheck.data.nvdcve.CveDB.(CveDB.java:291)
    at org.owasp.dependencycheck.Engine.openDatabase(Engine.java:1025)
    at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:896)
    at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:878)
    at org.owasp.dependencycheck.App.runUpdateOnly(App.java:431)
    at org.owasp.dependencycheck.App.run(App.java:175)
    at org.owasp.dependencycheck.App.main(App.java:90)
Dependency Check completed with exit code 9.
Dependency Check reports: []
Dependency Check failed with message "Dependency Check exited with an error code (exit code: 9)."

[error]Dependency Check exited with an error code (exit code: 9).
"

Should I purge the database?

Xezol commented 1 hour ago

I tried --purging the database and then redownloading it. We'll see when it's done whether it works after that :)

asyedcloud commented 1 hour ago

We call dependency-check-build-task@6 in Azure DevOps and pipelines are failing with the message "##[error]Dependency Check exited with an error code (exit code: 13)"

davidweisgerber commented 43 minutes ago

Another problem / question: It now needs a Java version 11 but we need to keep at version 8 at the moment. Would it be possible to stay at a lower Java version with this tool? I guess it is important for a number of legacy applications.
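Added example, not part of the thread and not the project's code: a pre-flight check that reads the class-file major version from a jar entry (55 in the error above, 52 for Java 8) and compares it with the release parsed from `java -version` output, so a pipeline can fail early with a clear message. The jar bytes and the version strings are constructed samples, and the function names are hypothetical.

```python
import io
import re
import struct
import zipfile

def class_file_major(data: bytes) -> int:
    """Return the major class-file version from a .class header."""
    if len(data) < 8:
        raise ValueError("truncated class file")
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    return major

def java_release_for(major: int) -> int:
    """Class-file major 52 is Java 8 and 55 is Java 11 (major - 44)."""
    return major - 44

def runtime_release(version_output: str) -> int:
    """Parse the quoted version printed by `java -version`.
    Handles the legacy "1.8.0_292" form and the modern "11.0.2" / "17" forms."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_output)
    if not m:
        raise ValueError("no version string found")
    first, second = int(m.group(1)), m.group(2)
    return int(second) if first == 1 and second else first

def preflight(jar_bytes: bytes, entry: str, version_output: str):
    """Return (ok, required, available) for one class inside a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        required = java_release_for(class_file_major(jar.read(entry)))
    available = runtime_release(version_output)
    return available >= required, required, available

def _constructed_jar(entry: str, major: int) -> bytes:
    """Constructed sample: a jar holding only an 8-byte class header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(entry, struct.pack(">IHH", 0xCAFEBABE, 0, major))
    return buf.getvalue()

ENTRY = "org/owasp/dependencycheck/App.class"  # class named in the error
SAMPLE_JAR = _constructed_jar(ENTRY, 55)       # constructed, not the real jar
JAVA8 = 'openjdk version "1.8.0_292"'          # constructed sample output
JAVA11 = 'openjdk version "11.0.2" 2019-01-15' # constructed sample output

if __name__ == "__main__":
    print(preflight(SAMPLE_JAR, ENTRY, JAVA8))   # runtime too old
    print(preflight(SAMPLE_JAR, ENTRY, JAVA11))  # runtime sufficient
```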