org.owasp:dependency-check-maven:6.2.0 DatabaseException: Unable to connect to the database #3416

Closed
k-d-w opened this issue Jun 2, 2021 · 7 comments

k-d-w commented Jun 2, 2021

Maven release with embedded dependency check fails after upgrading the dependency-check plugin.

I have bumped the dependency-check-maven plugin from version 5.3.2 to 6.2.0
I have also purged the DB (internal H2) as stated in the release notes.
I have executed both:

  • org.owasp:dependency-check-maven:6.2.0:purge
  • org.owasp:dependency-check-maven:5.3.2:purge

I also tried deleting the data directly on my Jenkins server at

  • .m2/repository/org/owasp/dependency-check-data/4.0
  • .m2/repository/org/owasp/dependency-check-data/5.0

My maven release step keeps failing with

16:23:36  [INFO] [INFO] Generating "dependency-check:aggregate" report --- dependency-check-maven:6.2.0:aggregate
16:23:37  [INFO] [INFO] ------------------------------------------------------------------------
16:23:37  [INFO] [INFO] BUILD FAILURE
16:23:37  [INFO] [INFO] ------------------------------------------------------------------------
16:23:37  [INFO] [INFO] Total time:  15.800 s
16:23:37  [INFO] [INFO] Finished at: 2021-06-02T14:23:37Z
16:23:37  [INFO] [INFO] ------------------------------------------------------------------------
16:23:37  [INFO] [ERROR] Failed to execute goal org.apache.maven.plugins:maven-site-plugin:3.9.1:site (default-site) on project abc-parent-aws: Error generating dependency-check-maven:6.2.0:aggregate report: Fatal exception(s) analyzing abc-parent-aws: One or more exceptions occurred during analysis:
16:23:37  [INFO] [ERROR] 	DatabaseException: Unable to connect to the database - if this error persists it may be due to a corrupt database. Consider running `purge` to delete the existing database
16:23:37  [INFO] [ERROR] 		caused by DatabaseException: Unable to connect to the database
16:23:37  [INFO] [ERROR] 		caused by SQLException: No suitable driver found for jdbc:h2:file:/var/jenkins_home/.m2/repository/org/owasp/dependency-check-data/5.0/odc;AUTOCOMMIT=ON;CACHE_SIZE=65536;RETENTION_TIME=1000;MAX_COMPACT_TIME=10000;

I am executing a mvn clean release:clean release:prepare release:perform
I see a warning during the mvn release:prepare step:

16:20:07  [INFO] [INFO] --- dependency-check-maven:6.2.0:check (default) @ abc-parent-aws ---
16:20:10  [INFO] [INFO] Checking for updates
16:20:18  [INFO] [INFO] NVD CVE requires several updates; this could take a couple of minutes.
16:20:18  [INFO] [INFO] Download Started for NVD CVE - 2002
16:20:18  [INFO] [INFO] Download Started for NVD CVE - 2003
16:20:18  [INFO] [INFO] Download Complete for NVD CVE - 2003  (659 ms)
16:20:18  [INFO] [INFO] Processing Started for NVD CVE - 2003
16:20:18  [INFO] [INFO] Download Started for NVD CVE - 2004
16:20:18  [INFO] [INFO] Download Complete for NVD CVE - 2002  (853 ms)
16:20:18  [INFO] [INFO] Download Started for NVD CVE - 2005
16:20:18  [INFO] [INFO] Processing Started for NVD CVE - 2002
16:20:18  [INFO] WARNING: An illegal reflective access operation has occurred
16:20:18  [INFO] WARNING: Illegal reflective access by com.fasterxml.jackson.module.afterburner.util.MyClassLoader (file:/var/jenkins_home/.m2/repository/com/fasterxml/jackson/module/jackson-module-afterburner/2.12.3/jackson-module-afterburner-2.12.3.jar) to method java.lang.ClassLoader.findLoadedClass(java.lang.String)
16:20:18  [INFO] WARNING: Please consider reporting this to the maintainers of com.fasterxml.jackson.module.afterburner.util.MyClassLoader
16:20:18  [INFO] WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
16:20:18  [INFO] WARNING: All illegal access operations will be denied in a future release
16:20:19  [INFO] [INFO] Download Complete for NVD CVE - 2004  (755 ms)
.....


16:22:25  [INFO] [INFO] Begin database maintenance
16:22:47  [INFO] [INFO] Updated the CPE ecosystem on 118485 NVD records
16:22:47  [INFO] [INFO] Removed the CPE ecosystem on 3473 NVD records
16:22:49  [INFO] [INFO] Cleaned up 2 orphaned NVD records
16:22:49  [INFO] [INFO] End database maintenance (24012 ms)
16:22:49  [INFO] [INFO] Begin database defrag
16:22:54  [INFO] [INFO] End database defrag (4534 ms)
16:22:54  [INFO] [INFO] Check for updates complete (163325 ms)

It then proceeds to run a successful analysis

16:22:54  [INFO] [INFO] Analysis Started
16:22:54  [INFO] [INFO] Finished File Name Analyzer (0 seconds)
16:22:54  [INFO] [INFO] Finished Dependency Merging Analyzer (0 seconds)
16:22:54  [INFO] [INFO] Finished Version Filter Analyzer (0 seconds)
16:22:54  [INFO] [INFO] Finished Hint Analyzer (0 seconds)
16:22:58  [INFO] [INFO] Created CPE Index (3 seconds)
16:22:58  [INFO] [INFO] Finished CPE Analyzer (4 seconds)
16:22:58  [INFO] [INFO] Finished False Positive Analyzer (0 seconds)
16:22:58  [INFO] [INFO] Finished NVD CVE Analyzer (0 seconds)
16:22:58  [INFO] [INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
16:22:58  [INFO] [INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
16:22:58  [INFO] [INFO] Finished Dependency Bundling Analyzer (0 seconds)
16:22:58  [INFO] [INFO] Analysis Complete (4 seconds)
16:22:58  [INFO] [INFO] Writing report to: /var/jenkins_home/workspace/abc-parent-aws-production-pipeline/target/dependency-check-report.html
16:22:59  [INFO] [INFO] ------------------------------------------------------------------------
16:22:59  [INFO] [INFO] BUILD SUCCESS
16:22:59  [INFO] [INFO] ------------------------------------------------------------------------

But in the subsequent mvn release:perform step, the site generation fails with the error listed at the beginning of this issue.

16:23:34  [INFO] [INFO] --- maven-site-plugin:3.9.1:site (default-site) @ abc-parent-aws ---
16:23:36  [INFO] [INFO] configuring report plugin org.owasp:dependency-check-maven:6.2.0
16:23:36  [INFO] [INFO] 1 report configured for dependency-check-maven:6.2.0: aggregate
16:23:36  [INFO] [INFO] configuring report plugin org.apache.maven.plugins:maven-project-info-reports-plugin:3.1.1
16:23:36  [INFO] [INFO] 15 reports detected for maven-project-info-reports-plugin:3.1.1: ci-management, dependencies, dependency-info, dependency-management, distribution-management, index, issue-management, licenses, mailing-lists, modules, plugin-management, plugins, scm, summary, team
16:23:36  [INFO] [INFO] Rendering site with default locale English (en)
16:23:36  [INFO] [INFO] Rendering content with org.apache.maven.skins:maven-default-skin:jar:1.3 skin.
16:23:36  [INFO] [INFO] Generating "dependency-check:aggregate" report --- dependency-check-maven:6.2.0:aggregate
16:23:37  [INFO] [INFO] ------------------------------------------------------------------------
16:23:37  [INFO] [INFO] BUILD FAILURE

k-d-w commented Jun 2, 2021

For reference, the dependency-checker is triggered by a profile

<profile>
    <id>owasp-dep-check</id>
    <reporting>
        <plugins>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <reportSets>
                    <reportSet>
                        <reports>
                            <report>aggregate</report>
                        </reports>
                    </reportSet>
                </reportSets>
            </plugin>
        </plugins>
    </reporting>

    <build>
        <plugins>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <executions>
                    <execution>
                        <goals>
                            <goal>check</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</profile>

Contributor

albuch commented Jun 2, 2021

I'm seeing the same in our tests for the sbt plugin. Could it be this change that removed the default driver name for h2?

@jeremylong
Owner

@albuch it's always possible - but in reality using a JDBC4 compliant driver should not require calling Class.forName("org.h2.Driver"). https://mkyong.com/jdbc/jdbc-class-forname-is-no-longer-required/

@jeremylong
Owner

I figured out one thing that might be causing this. I re-added the driver registration on all paths. Apparently, this is done during the update phase - but was not being used in the analysis phase.
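
The registration fallback discussed in the two comments above, as an added example (not dependency-check's own code): it relies on JDBC 4 auto-loading first and registers the driver explicitly only when `DriverManager` cannot resolve the URL. The class name `DriverRegistration`, the `Shim` wrapper and the in-memory URL are hypothetical, and the H2 jar is assumed to be reachable through the class loader passed in.

```java
import java.sql.Connection;
import java.sql.Driver;
import java.sql.DriverManager;
import java.sql.DriverPropertyInfo;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.Properties;
import java.util.logging.Logger;

public final class DriverRegistration {
    /** Wrapper loaded by the caller's class loader; DriverManager only hands out drivers visible to the caller. */
    static final class Shim implements Driver {
        private final Driver d;
        Shim(Driver d) { this.d = d; }
        public Connection connect(String u, Properties p) throws SQLException { return d.connect(u, p); }
        public boolean acceptsURL(String u) throws SQLException { return d.acceptsURL(u); }
        public DriverPropertyInfo[] getPropertyInfo(String u, Properties p) throws SQLException { return d.getPropertyInfo(u, p); }
        public int getMajorVersion() { return d.getMajorVersion(); }
        public int getMinorVersion() { return d.getMinorVersion(); }
        public boolean jdbcCompliant() { return d.jdbcCompliant(); }
        public Logger getParentLogger() throws SQLFeatureNotSupportedException { return d.getParentLogger(); }
    }

    /** Returns true if the driver had to be registered explicitly, false if one already matched the URL. */
    public static boolean ensureDriver(String url, String driverClass, ClassLoader loader) throws SQLException {
        try {
            DriverManager.getDriver(url); // throws SQLException when no registered driver accepts the URL
            return false;
        } catch (SQLException notFound) {
            try {
                Driver real = (Driver) Class.forName(driverClass, true, loader)
                        .getDeclaredConstructor().newInstance();
                DriverManager.registerDriver(new Shim(real));
                return true;
            } catch (ReflectiveOperationException e) {
                throw new SQLException("Driver class " + driverClass + " not loadable", e);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        String url = "jdbc:h2:mem:odc-example"; // constructed URL, not the path from the issue
        boolean registered = ensureDriver(url, "org.h2.Driver", DriverRegistration.class.getClassLoader());
        System.out.println(registered ? "registered explicitly" : "auto-loaded via JDBC 4");
    }
}
```

Calling such a check on every code path that opens a connection, rather than only in one phase, is what keeps a later phase from hitting `No suitable driver found`.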


VolhaRS commented Jun 4, 2021

We have the same issue. We use the last version of the plugin and have the same error at any time.

@jeremylong
Owner

@albuch any chance you can test with the latest snapshot? I am unable to reproduce the issue locally or on the CI...

Contributor

albuch commented Jun 5, 2021

@jeremylong no more errors with v6.2.1-SNAPSHOT, my integration tests are working again.

@jeremylong jeremylong added this to the 6.2.1 milestone Jun 8, 2021