oss-review-toolkit / ort

A suite of tools to automate software compliance checks.
https://oss-review-toolkit.org
Apache License 2.0
1.6k stars, 309 forks

SSLHandshakeException with ClearlyDefined.io #8727

Open georg-eckert-zeiss opened 5 months ago

georg-eckert-zeiss commented 5 months ago

Describe the bug

When using ClearlyDefined as curation provider I get an SSLHandshakeException.

To Reproduce

Steps to reproduce the behavior:

  1. Put a config.yml into your repo under <Repo-Root>/.ort/config/config.yml
  2. Add the content below
  3. Run docker run -v $PWD/:/project -v $PWD/.ort:/home/ort/.ort --rm ghcr.io/oss-review-toolkit/ort --info analyze -f JSON -i /project/src -o /project/ORT
  4. See the error

Expected behavior

No error. Curations are loaded correctly.

Console / log output


09:55:28.503 [main] WARN  org.ossreviewtoolkit.plugins.packagecurationproviders.clearlydefined.ClearlyDefinedPackageCurationProvider - Querying curations failed: SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    Caused by: SunCertPathBuilderException: unable to find valid certification path to requested target
09:55:28.504 [main] INFO  org.ossreviewtoolkit.model.utils.ConfigurationResolver - Getting 0 package curation(s) from provider 'ClearlyDefined' took 420.417503ms.
Wrote analyzer result to '/project/ORT/analyzer-result.json' (0.02 MiB) in 505.252100ms.
The analysis took 9.722949524s.
Found 2 project(s) and 2 package(s) in total (not counting excluded ones).
Applied 0 curation(s)

Environment

Output of the ort requirements command:

Default latest docker image.

 ______________________________
/        \_______   \__    ___/ The OSS Review Toolkit, version 22.6.0,
|    |   | |       _/ |    |    built with JDK 11.0.23+9, running under Java 17
|    |   | |    |   \ |    |    Executing 'requirements' as 'ort' on Linux
\________/ |____|___/ |____|    with 12 CPUs and a maximum of 3954 MiB of memor

Environment variables:
ORT_CONFIG_DIR = /home/ort/.ort/config
ORT_DATA_DIR = /home/ort/.ort
HOME = /home/ort
JAVA_HOME = /opt/java/openjdk
ANDROID_HOME = /opt/android-sdk

Looking for ORT configuration in the following file:
        /home/ort/.ort/config/config.yml (does not exist)

AdviceProviderFactory plugins:
        * GitHubDefects
        * NexusIQ
        * OssIndex
        * OSV
        * VulnerableCode

OrtCommand plugins:
        * advise
        * analyze
        * compare
        * config
        * download
        * evaluate
        * migrate
        * notify
        * report
        * requirements
        * scan
        * upload-curations
        * upload-result-to-postgres
        * upload-result-to-sw360

PackageConfigurationProviderFactory plugins:
        * DefaultDir
        * Dir
        * OrtConfig

PackageCurationProviderFactory plugins:
        * ClearlyDefined
        * DefaultDir
        * DefaultFile
        * File
        * OrtConfig
        * SW360

PackageManagerFactory plugins:
        * Bazel
        * Bower
        * Bundler
        * Cargo
        * Carthage
        * CocoaPods
        * Composer
        * Conan
        * GoMod
        * Gradle
        * GradleInspector
        * Maven
        * NPM
        * NuGet
        * PIP
        * Pipenv
        * PNPM
        * Poetry
        * Pub
        * SBT
        * SpdxDocumentFile
        * Stack
        * SwiftPM
        * Unmanaged
        * Yarn
        * Yarn2

Reporter plugins:
        * CtrlXAutomation
        * CycloneDx
        * DocBookTemplate
        * EvaluatedModel
        * FossId
        * FossIdSnippet
        * GitLabLicenseModel
        * HtmlTemplate
        * ManPageTemplate
        * Opossum
        * PdfTemplate
        * PlainTextTemplate
        * SpdxDocument
        * StaticHtml
        * TrustSource
        * WebApp

ScannerWrapperFactory plugins:
        * Askalono
        * BoyterLc
        * FossId
        * Licensee
        * ScanCode
        * SCANOSS

VersionControlSystem plugins:
        * Git
        * GitRepo
        * Mercurial
        * Subversion

Scanners:
        - Askalono: Requires 'askalono' in no specific version. Tool not found.
        - BoyterLc: Requires 'lc' in no specific version. Tool not found.
        - Licensee: Requires 'licensee' in no specific version. Tool not found.
        * ScanCode: Requires 'scancode' in version >=3.0.0. Found version 32.1.0.

PackageManagers:
        * Bazel: Requires 'bazel' in version >=7.0.0. Found version 7.0.1.
        * Bower: Requires 'bower' in version >=1.8.8. Found version 1.8.14.
        * Cargo: Requires 'cargo' in no specific version. Found version 1.72.0.
        * CocoaPods: Requires 'pod' in version >=1.11.0. Found version 1.15.2.
        * Composer: Requires 'composer' in version >=1.5.0. Found version 2.2.23.
        * Conan: Requires 'conan' in version >=1.18.0. Found version 1.63.0.
        * GoMod: Requires 'go' in version >=1.21.1. Found version 1.22.2.
        * Npm: Requires 'npm' in version >=6.0.0 and <11.0.0. Found version 10.5.0.
        + NuGetInspector: Requires 'nuget-inspector' in no specific version. Could not determine the version.
        * Pipenv: Requires 'pipenv' in version >=2018.10.9. Found version 2023.12.1.
        * Pnpm: Requires 'pnpm' in version >=5.0.0 and <9.0.0. Found version 8.10.3.
        * Poetry: Requires 'poetry' in no specific version. Found version 1.8.3.
        * Pub: Requires 'dart' in version >=2.10.0. Found version 2.18.4.
        * PythonInspector: Requires 'python-inspector' in version >=0.9.2. Found version 0.10.0.
        + Sbt: Requires 'sbt' in version >=0.13.0. Could not determine the version.
        * Stack: Requires 'stack' in version >=2.1.1. Found version 2.15.7.
        * SwiftPm: Requires 'swift' in no specific version. Found version 5.9.2.
        * Yarn: Requires 'yarn' in version >=1.3.0 and <1.23.0. Found version 1.22.19.

VersionControlSystems:
        * GitCommand: Requires 'git' in version >=2.29.0. Found version 2.34.1.
        * GitRepo: Requires 'repo' in no specific version. Found version 2.45 (launcher).
        * MercurialCommand: Requires 'hg' in no specific version. Found version 6.7.3.

And specify (relevant parts of) your ORT configuration (config.yml):

ort:
  enableRepositoryPackageConfigurations: true
  enableRepositoryPackageCurations: true

  packageCurationProviders:
  - type: ClearlyDefined
    options:
      serverUrl: 'https://api.clearlydefined.io'
      minTotalLicenseScore: 80

sschuberth commented 5 months ago

This

Caused by: ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    Caused by: SunCertPathBuilderException: unable to find valid certification path to requested target

means that the JVM that runs ORT is lacking the proper SSL certificates. The Docker image build should actually ensure it has up-to-date SSL certificates (also see scripts/import_certificates.sh), so we need to look at what's going on.
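
The defender's concern in this report is that the failed ClearlyDefined query is only a WARN: the analyzer result is still written and "Applied 0 curation(s)" looks like a clean run. The following is an added example (not ORT code) of a CI gate that parses ORT's log for failed curation-provider queries, extracts the innermost cause, and flags a PKIX/truststore problem; the log-line formats are taken from the output quoted above, and the DefaultDir line in the sample is constructed.

```python
import re
from dataclasses import dataclass

# WARN line ORT logs when a PackageCurationProvider query fails (format taken from the report above).
_FAILED_RE = re.compile(
    r"WARN\s+org\.ossreviewtoolkit\.[\w.]*\.(?P<provider>\w+)PackageCurationProvider"
    r" - Querying curations failed: (?P<exception>\w+): (?P<message>.*)$"
)
_CAUSE_RE = re.compile(r"^\s*Caused by: (?P<exception>\w+): (?P<message>.*)$")  # last one seen is innermost
# Summary line stating how many curations a provider actually returned.
_COUNT_RE = re.compile(r"Getting (?P<count>\d+) package curation\(s\) from provider '(?P<provider>\w+)'")
# Substrings that point at a CA missing from the JVM truststore rather than at a server-side fault.
TRUSTSTORE_HINTS = ("PKIX path building failed", "unable to find valid certification path")

@dataclass
class CurationFailure:
    provider: str
    exception: str
    root_cause: str
    curations: "int | None" = None  # count ORT reported for this provider afterwards, if any
    @property
    def truststore_related(self) -> bool:
        return any(hint in self.root_cause for hint in TRUSTSTORE_HINTS)

def scan_ort_log(text: str) -> list:
    """Return one CurationFailure per provider whose query failed, carrying the innermost cause."""
    failures, current = {}, None
    for line in text.splitlines():
        if m := _FAILED_RE.search(line):
            current = CurationFailure(m["provider"], m["exception"], f"{m['exception']}: {m['message']}")
            failures[m["provider"]] = current
        elif (m := _CAUSE_RE.match(line)) and current is not None:
            current.root_cause = f"{m['exception']}: {m['message']}"
        elif m := _COUNT_RE.search(line):
            if m["provider"] in failures:
                failures[m["provider"]].curations = int(m["count"])
            current = None  # the failing provider's stack trace is over
    return list(failures.values())

def curations_are_trustworthy(text: str) -> bool:
    """False when any provider failed: 'Applied 0 curation(s)' is then silent data loss, not a clean run."""
    return not scan_ort_log(text)

# Constructed sample: the lines from the report above plus one healthy (constructed) DefaultDir line.
SAMPLE_LOG = """\
09:55:28.503 [main] WARN  org.ossreviewtoolkit.plugins.packagecurationproviders.clearlydefined.ClearlyDefinedPackageCurationProvider - Querying curations failed: SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    Caused by: SunCertPathBuilderException: unable to find valid certification path to requested target
09:55:28.504 [main] INFO  org.ossreviewtoolkit.model.utils.ConfigurationResolver - Getting 0 package curation(s) from provider 'ClearlyDefined' took 420.417503ms.
09:55:28.600 [main] INFO  org.ossreviewtoolkit.model.utils.ConfigurationResolver - Getting 3 package curation(s) from provider 'DefaultDir' took 1.2ms.
"""
```

Run `curations_are_trustworthy` over the captured ORT log in the pipeline and fail the job when it returns False, so a truststore regression in the image cannot pass as a curated result.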

sschuberth commented 1 week ago

@georg-eckert-zeiss, can you re-test with a recent ORT release as we've switched to Java 21 which probably comes with updated certificates?