jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Not being able to authenticate for central.content.url and analyzer.central.url #7093

Open drijkersbq opened 1 week ago

drijkersbq commented 1 week ago

Describe the bug
Our CI/CD can't access the internet directly. Therefore we use an intermediate Artifactory which can do so. We use this Artifactory with the following properties:

However, since version 11.0.0 our current setup became unusable, because it doesn't support UserInfo in the URI anymore. Our Artifactory requires authentication, so the URI we set for the 'central.content.url' and 'analyzer.central.url' looks like this: https://<USERNAME>:<ENCRYPTED_PASSWORD>@<HOST_NAME>/artifactory/repo1/

This worked fine in previous versions before 11.0.0, and we don't see any other option to set authentication for these two URL properties with the use of other properties.

Version of dependency-check used
11.0.0 via the owasp/dependency-check-action:latest Docker image

Log file
[INFO] Analysis Started
[INFO] Finished Archive Analyzer (4 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (1 seconds)
[ERROR] Could not connect to Central search. Analysis failed.
java.io.IOException: Finally failed connecting to Central search. Giving up after 7 tries.
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts(CentralAnalyzer.java:362)
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.analyzeDependency(CentralAnalyzer.java:228)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
    at java.base/java.lang.Thread.run(Thread.java:1583)
Caused by: org.apache.hc.client5.http.ClientProtocolException: Request URI authority contains deprecated userinfo component
    at org.apache.hc.client5.http.impl.classic.InternalHttpClient.doExecute(InternalHttpClient.java:177)
    at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:245)
    at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:188)
    at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:162)
    at org.owasp.dependencycheck.utils.Downloader.fetchAndHandle(Downloader.java:568)
    at org.owasp.dependencycheck.data.central.CentralSearch.searchSha1(CentralSearch.java:179)
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts(CentralAnalyzer.java:339)
    ... 8 common frames omitted
Caused by: org.apache.hc.core5.http.ProtocolException: Request URI authority contains deprecated userinfo component
    at org.apache.hc.client5.http.impl.classic.ProtocolExec.execute(ProtocolExec.java:145)
    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
    at org.apache.hc.client5.http.impl.classic.ContentCompressionExec.execute(ContentCompressionExec.java:150)
    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
    at org.apache.hc.client5.http.impl.classic.HttpRequestRetryExec.execute(HttpRequestRetryExec.java:113)
    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
    at org.apache.hc.client5.http.impl.classic.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
    at org.apache.hc.client5.http.impl.classic.InternalHttpClient.doExecute(InternalHttpClient.java:174)
    ... 14 common frames omitted
[WARN] An error occurred while analyzing '/builds/PST/webservices/sequencenumber-webservice/input/findsecbugs-plugin-1.13.0.jar' (Central Analyzer).

To Reproduce
Steps to reproduce the behavior:

  1. Make use of the owasp/dependency-check-action:latest Docker
  2. Set the scan to use custom properties file
  3. Add both a custom 'central.content.url' and 'analyzer.central.url' with use of the UserInfo component in the URL.
  4. Run the scan

Expected behavior
The scan can connect to the Artifactory as it could before version 11.0.0
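As an added illustration (not dependency-check's own code), this is how a client built on Apache HttpClient 5 can still accept the legacy `https://user:password@host/...` form that the stack trace above rejects: the userinfo component is split off into a CredentialsProvider scoped to that one host, and the request is sent to a credential-free URI. The class and method names are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import org.apache.hc.client5.http.auth.AuthScope;
import org.apache.hc.client5.http.auth.UsernamePasswordCredentials;
import org.apache.hc.client5.http.impl.auth.BasicCredentialsProvider;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.core5.http.HttpHost;

/** Hypothetical helper: moves credentials out of the URI and into HttpClient 5's auth layer. */
public final class UserInfoSplitter {

    /** A credential-free URI plus a client that knows how to authenticate to its host. */
    public static final class Split {
        public final URI cleanUri;
        public final CloseableHttpClient client;
        Split(URI cleanUri, CloseableHttpClient client) { this.cleanUri = cleanUri; this.client = client; }
    }

    public static Split split(String configuredUrl) throws URISyntaxException {
        URI original = new URI(configuredUrl);
        // getUserInfo() returns the decoded "user:password" part, or null if absent.
        String userInfo = original.getUserInfo();
        BasicCredentialsProvider creds = new BasicCredentialsProvider();
        if (userInfo != null) {
            int colon = userInfo.indexOf(':');
            String user = colon < 0 ? userInfo : userInfo.substring(0, colon);
            String pass = colon < 0 ? "" : userInfo.substring(colon + 1);
            // Scope the credentials to exactly this scheme/host/port so they are never
            // offered to another host (for example after a redirect).
            HttpHost target = new HttpHost(original.getScheme(), original.getHost(), original.getPort());
            creds.setCredentials(new AuthScope(target), new UsernamePasswordCredentials(user, pass.toCharArray()));
        }
        // Rebuild the URI without userinfo: this is what HttpClient 5 accepts, and it is
        // also the form that can appear in log output without leaking the secret.
        URI clean = new URI(original.getScheme(), null, original.getHost(), original.getPort(),
                original.getPath(), original.getQuery(), original.getFragment());
        CloseableHttpClient client = HttpClients.custom().setDefaultCredentialsProvider(creds).build();
        return new Split(clean, client);
    }
}
```

With `split("https://USER:SECRET@artifactory.example.invalid/artifactory/repo1/")`, `cleanUri` is `https://artifactory.example.invalid/artifactory/repo1/` and the client answers a 401 challenge from that host with the supplied credentials (constructed example host).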

aikebah commented 1 week ago

As you use Artifactory it would seem more logical to use the ArtifactoryAnalyzer and disable the CentralAnalyzer.

(Nevertheless it was unexpected that the URL you used is no longer working as it worked in the past)

drijkersbq commented 6 days ago

@aikebah A bit of background context: When not using the Maven Central analysis we receive a lot of false positive CVEs during our scans. For example when using the argument '-disableCentral'. Enabling the Maven Central analysis makes sure these false positives are detected properly by the scan and they do not get reported.

Now thanks to this issue with the URL authentication, the Maven Central analysis does not get run, and we end up with the same false positives as when the Maven Central analysis is disabled.

We have configured the Artifactory analysis as suggested, which does seem to run, because it outputs this line: "[INFO] Finished Artifactory Analyzer (2 seconds)"

However, the same false positives remain. So this Artifactory analysis does not seem to resemble the Maven Central analysis in functionality, by correcting the false positives.

To be sure the Artifactory analysis is actually run we have also tried to run it with invalid credentials in the "analyzer.artifactory.api.username" and "analyzer.artifactory.api.token" properties, resulting in a scan that cannot successfully finish the Artifactory analysis step.

volkert-fastned commented 1 day ago

It also affects the Gradle plugin. I opened a broader issue with this same underlying cause. See #7131