New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OWASP gradle check failed #2104
Comments
Hi, I have the same issue using 5.2.0. It does not occur using 5.0.0 but I cannot use it as it got that other issue #2073. |
I have added additional logging to try and figure out what is going on - this will be included in the next release (point release hopefully this weekend). |
I'm wondering if this is a somewhat different symptom of same underlying cause?
The source for that appears to be at https://github.com/OSSIndex/java-api/blob/master/src/main/java/net/ossindex/common/request/OssIndexHttpClient.java (the plugin version we're using is not the most current and we're testing with the latest version right now). I am using the OSSIndex Gradle plugin in my build when I see that. It started happening around July 28. I am not seeing any other information (besides the rest of the long exception stack that I don't think you'd find meaningful), and definitely not any info about why the server returns 500. I'm presuming the POST request is being made to |
Any chance someone facing this issue can provide the an example project that causes this behavior? |
|
We need a specific example project or dependency that demonstrates this issue to try to resolve. It does appear that this affects golang projects. However, we need additional information to help resolve this specific case with the android project. |
This is not a permanent error. It happens from time to time. It might be also hard to create a test project for this. We have 60+ modules in the project now that could be the key factor with concurrency. |
If we could reduce the number of nested exceptions level then we could probably find the root cause exception. Right now gradle with |
It happens almost every night build for us. Morning job re-run just pass. How to troubleshoot? Would a retry mechanism help? This is frustrating. |
|
Can you run this with the debug logging enabled and look for the entries: |
This is the OLD client and should not have anything to do with the integration ODC has for OSS Index. The client impl is here: and ODC integration is here: https://github.com/jeremylong/DependencyCheck/blob/master/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java |
@emartynov is there any more detailed logs from the ODC usage? The partial stack-trace here is not informative and chances are a full version of that stack wouldn't be any more helpful. What would be helpful would be the equivalent of the A rough guess based on what was said regarding "happens from time to time" and "almost every night build for us. Morning job re-run just pass" though has me wondering if rate-limiting and/or some other environmental factor is causing this fail. I am happy to look closer if more specifics can be provided so that I can see the failure and reproduce it. But presently there is not enough information in this issue to do so. |
People, finally I tried to collect some logging - I can not, I have to get more support from our SRE team. Adding --debug makes our build longer 45 mins timeout. I can not imagine how huge is the log file will be. Any other suggestion until I will ask SRE team to lift the timeout (I don't know what would be sage one) and I will have xx GB log file to analyse and pass by? |
One more error from today:
|
And one more today:
|
These last two reported errors have nothing to do with the original component-report errors and indicate that the H2 database may have been corrupted. As the error above states - if the error persists consider running the purge command. |
Jeremy, sorry for posting all findings in this thread. But I just hopeless the problem is becoming clear. What purge command should I run? Can plugin do it by itself and forcing refetching of the data later? |
|
It is happening at one of the CI machines. So going and running this command there is not really convenient, I event don't know (without investigation) which machine is affected. |
People, this night we saw another cause exception:
|
Yes, see #2222. |
Hello, Around 3 weeks ago we changed our build process to use a local mirror within our company network, using a nightly cron job and curl to download the necessary gzip and meta files from the NIST website. Since this change, not a single CI job failed due to this error message anymore, without us changing anything else regarding the dependency check plugin. So the error seems to be connected to issues/downtimes of the NIST website and switching to (a more reliable) local mirror "solved" it for us. |
Closing this thread as it has been a mashup of different issues. If someone has a specific issue please create a new ticket. |
Describe the bug
We got a crash on CI.
** Version of dependency-check used **
The problem occurs using version 5.1.0 gradle plugin.
** Log file **
Full stacktrace is here.
Nothing special but here is also build log
To Reproduce
No steps to reproduce. Looks like some race condition or gradle cache issues.
Expected behavior
OWASP report doesn't crash.
Additional context
It is an android project that uses AGP 3.4.2 and Gralde 5.5.1. It is a multimodule project and we use gradle cache.
The text was updated successfully, but these errors were encountered: