
org.owasp.dependencycheck.analyzer.exception.AnalysisException: Failed to request component-reports Unexpected response; status: 400 #6731

Open
francisATgwn opened this issue Jun 18, 2024 · 4 comments

francisATgwn commented Jun 18, 2024

Describe the bug
Dependency Check fails with a 400 error when requesting something from the Sonatype OSS Index, leading to fewer CVEs found in the report and warnings in the job log like An error occurred while analyzing requirements.txt (Sonatype OSS Index Analyzer).

Version of dependency-check used
The problem occurs using version 9.2.0 of the CLI -- both docker and brew packaging

Log file
https://gist.github.com/francisATgwn/ece673ba589b75110a3aeecc9354708e

To Reproduce
Steps to reproduce the behavior:

  1. Use dependency check CLI with this CLI invocation
$ /usr/share/dependency-check/bin/dependency-check.sh --dbDriverName org.postgresql.Driver --connectionString "$DEPENDENCY_CHECK_CONNECTION" --dbUser "$DEPENDENCY_CHECK_USER" --dbPassword "$DEPENDENCY_CHECK_PASSWORD" --nvdApiKey "$NIST_NVD_API_KEY" --project $CI_PROJECT_NAME --out . --scan . --enableExperimental --format JUNIT --junitFailOnCVSS 4 --format HTML --failOnCVSS 4 --nodeAuditSkipDevDependencies $( [[ -e dependency-check-suppression.xml ]] && echo '--suppression dependency-check-suppression.xml' || echo '' )

Expected behavior

  • CVEs from Sonatype OSS Index are included in the report
  • [WARN] An error occurred while analyzing '...' (Sonatype OSS Index Analyzer). does not appear in log
  • no HTTP 400 resulting in org.owasp.dependencycheck.analyzer.exception.AnalysisException: Failed to request component-reports appearing in the Analysis Exceptions section of the HTML report

Additional context
This does not happen when run with the 8.4.3 docker image from the same environment on the same project at the same time.

The 8.4.3 CLI invocation is similar to the 9.2.0 invocation:

$ /usr/share/dependency-check/bin/dependency-check.sh --project $CI_PROJECT_NAME --out . --scan . --enableExperimental --format JUNIT --junitFailOnCVSS 4 --format HTML --failOnCVSS 4 --nodeAuditSkipDevDependencies --data dependency-check-data $( [[ -e dependency-check-suppression.xml ]] && echo '--suppression dependency-check-suppression.xml' || echo '' )
@ahrys-serve

Having the same problem but only for some projects.
problematic requirements file: requirements.txt

[WARN] An error occurred while analyzing '/Users/[CUT]/Projects/[CUT]/app/init.py' (Sonatype OSS Index Analyzer).
[WARN] An error occurred while analyzing '/Users/[CUT]/Projects/[CUT]/app/domain/api/facilities/init.py' (Sonatype OSS Index Analyzer).
[WARN] An error occurred while analyzing '/Users/[CUT]/Projects/[CUT]/app/domain/api/departments/init.py' (Sonatype OSS Index Analyzer).
[WARN] An error occurred while analyzing '/Users/[CUT]/Projects/[CUT]/app/domain/api/contacts/init.py' (Sonatype OSS Index Analyzer).
[WARN] An error occurred while analyzing '/Users/[CUT]/Projects/[CUT]/app/domain/api/api_keys/init.py' (Sonatype OSS Index Analyzer).
[WARN] An error occurred while analyzing '/Users/[CUT]/Projects/[CUT]/app/domain/api/init.py' (Sonatype OSS Index Analyzer).
[WARN] An error occurred while analyzing '/Users/[CUT]/Projects/[CUT]/app/domain/init.py' (Sonatype OSS Index Analyzer).
[WARN] An error occurred while analyzing '/Users/[CUT]/Projects/[CUT]/app/cli/init.py' (Sonatype OSS Index Analyzer).
[INFO] Finished Sonatype OSS Index Analyzer (4 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Known Exploited Vulnerability Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[INFO] Analysis Complete (7 seconds)
[INFO] Writing JSON report to: /Users/[CUT]/Projects/[CUT]/./dependency-check-report.json
[INFO] Writing HTML report to: /Users/[CUT]/Projects/[CUT]/./dependency-check-report.html
[ERROR] Failed to request component-reports
[ERROR] Failed to request component-reports
[ERROR] Failed to request component-reports
[ERROR] Failed to request component-reports
[ERROR] Failed to request component-reports
[ERROR] Failed to request component-reports
[ERROR] Failed to request component-reports
[ERROR] Failed to request component-reports

@francisATgwn (Author)

I've confirmed that it is a regression between 9.1.0 and 9.2.0.

9.1.0 finds 11 vulnerabilities among 5 dependencies

[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Python Package Analyzer (0 seconds)
[INFO] Finished pip Analyzer (0 seconds)
[INFO] Finished Poetry Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Created CPE Index (0 seconds)
[WARN] Hosted Suppressions file is empty or missing - attempting to force the update
[WARN] Empty Hosted Suppression file after update, results may contain false positives already resolved by the DependencyCheck project due to failed download of the hosted suppression file
[INFO] Finished NPM CPE Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (3 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Known Exploited Vulnerability Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[INFO] Analysis Complete (5 seconds)
[INFO] Writing HTML report to: /project/./dependency-check-report.html

9.2.0 finds 2 vulnerabilities among 1 dependency:

[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Python Package Analyzer (0 seconds)
[INFO] Finished pip Analyzer (0 seconds)
[INFO] Finished Poetry Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Created CPE Index (0 seconds)
[WARN] Hosted Suppressions file is empty or missing - attempting to force the update
[WARN] Empty Hosted Suppression file after update, results may contain false positives already resolved by the DependencyCheck project due to failed download of the hosted suppression file
[INFO] Finished NPM CPE Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (3 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARN] An error occurred while analyzing '/project/src/mobilepairing/__init__.py' (Sonatype OSS Index Analyzer).
[WARN] An error occurred while analyzing '/project/requirements.txt' (Sonatype OSS Index Analyzer).
[WARN] An error occurred while analyzing '/project/requirements.txt' (Sonatype OSS Index Analyzer).
[WARN] An error occurred while analyzing '/project/requirements.txt' (Sonatype OSS Index Analyzer).
[WARN] An error occurred while analyzing '/project/requirements.txt' (Sonatype OSS Index Analyzer).
[WARN] An error occurred while analyzing '/project/requirements.txt' (Sonatype OSS Index Analyzer).
[WARN] An error occurred while analyzing '/project/requirements.txt' (Sonatype OSS Index Analyzer).
[WARN] An error occurred while analyzing '/project/requirements.txt' (Sonatype OSS Index Analyzer).
[INFO] Finished Sonatype OSS Index Analyzer (1 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Known Exploited Vulnerability Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[INFO] Analysis Complete (6 seconds)
[INFO] Writing JSON report to: /project/./dependency-check-report.json
[ERROR] Failed to request component-reports
[ERROR] Failed to request component-reports
[ERROR] Failed to request component-reports
[ERROR] Failed to request component-reports
[ERROR] Failed to request component-reports
[ERROR] Failed to request component-reports
[ERROR] Failed to request component-reports
[ERROR] Failed to request component-reports
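
A CI gate for the failure mode shown in the two logs above, added here as an example (not code from this issue or from the dependency-check project): it fails the job when the Sonatype OSS Index analyzer reports per-file errors or "Failed to request component-reports", because the HTTP 400 otherwise only shrinks the CVE list and the scan still exits successfully. The sample log is constructed from the line patterns quoted in this issue, and the tee pipeline in the comment is an assumed usage.

```shell
#!/bin/sh
# Added example, not code from the issue or the dependency-check project:
# fail a CI job loudly when the Sonatype OSS Index analyzer degrades, since an
# HTTP 400 from the index only shrinks the CVE list instead of failing the scan.
# The log below is constructed from the line patterns quoted in this issue.

# Count per-file analyzer warnings and summary errors in a dependency-check log.
# Prints "<warnings> <errors>"; returns 0 only when both are zero.
check_ossindex_log() {
    log="$1"
    # grep -c prints 0 but exits 1 when nothing matches: keep the count, drop the status
    warns=$(grep -c "An error occurred while analyzing .* (Sonatype OSS Index Analyzer)" "$log" || true)
    errors=$(grep -c "^\[ERROR\] Failed to request component-reports" "$log" || true)
    printf '%s %s\n' "$warns" "$errors"
    [ "$warns" -eq 0 ] && [ "$errors" -eq 0 ]
}

# Distinct files the OSS Index analyzer could not analyze, one per line.
failed_files() {
    grep "(Sonatype OSS Index Analyzer)" "$1" | sed "s/.*analyzing '\([^']*\)'.*/\1/" | sort -u
}

# Constructed sample in the shape of the 9.2.0 output from this issue.
write_sample_log() {
    cat > "$1" <<'EOF'
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARN] An error occurred while analyzing '/project/requirements.txt' (Sonatype OSS Index Analyzer).
[WARN] An error occurred while analyzing '/project/requirements.txt' (Sonatype OSS Index Analyzer).
[WARN] An error occurred while analyzing '/project/src/app/__init__.py' (Sonatype OSS Index Analyzer).
[INFO] Finished Sonatype OSS Index Analyzer (1 seconds)
[INFO] Analysis Complete (6 seconds)
[ERROR] Failed to request component-reports
[ERROR] Failed to request component-reports
[ERROR] Failed to request component-reports
EOF
}

# Demo. In a real pipeline capture the scan output first, e.g. (assumed usage):
#   dependency-check.sh ... 2>&1 | tee dependency-check.log
tmp=$(mktemp)
write_sample_log "$tmp"
if check_ossindex_log "$tmp" >/dev/null; then
    echo "OSS Index analyzer healthy"
else
    echo "OSS Index analyzer degraded; files it could not analyze:"
    failed_files "$tmp"
fi
rm -f "$tmp"
```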

@jellisgwn (Contributor)

@jeremylong any advice on where to look for this regression? The diff between 9.1.0 ... 9.2.0 is mostly dependabot and a new, unrelated(?) analyzer.
