Multiple "AnalysisException: OSS Index rate limit exceeded" errors on plugin execution #4538
Comments
We also have these issues in our pipelines, and they can also be reproduced locally. There was a change recently; maybe it is related to that? I also tried out the same POST calls (with the same data) on their API manually: https://ossindex.sonatype.org/rest The curl to the API from a local machine also works fine. cheers |
Happening for me as well. Also, all the plugin versions have started giving false positives for multiple jar files: spring-boot-2.6.8.jar (pkg:maven/org.springframework.boot/spring-boot@2.6.8, cpe:2.3:a:vmware:spring_boot:2.6.8:*:*:*:*:*:*:*, cpe:2.3:a:vmware:spring_framework:2.6.8:*:*:*:*:*:*:*) : CVE-2013-4152, CVE-2013-7315, CVE-2014-0054, CVE-2016-1000027, CVE-2022-22965, CVE-2022-22968
spring-core-5.3.20.jar (pkg:maven/org.springframework/spring-core@5.3.20, cpe:2.3:a:pivotal_software:spring_framework:5.3.20:*:*:*:*:*:*:*, cpe:2.3:a:springsource:spring_framework:5.3.20:*:*:*:*:*:*:*, cpe:2.3:a:vmware:spring_framework:5.3.20:*:*:*:*:*:*:*, cpe:2.3:a:vmware:springsource_spring_framework:5.3.20:*:*:*:*:*:*:*) : CVE-2016-1000027 This has now blocked all our maven builds. Can we please have a solution to this? |
@ankurga The NVD database was updated, see e.g. spring-projects/spring-framework#24434 (comment) - you have to suppress it by yourself. |
@danielbraeutigam thanks, but we have many projects dependent on that. So, we need to update for all of them? |
No, you just have to add it to your suppression file as described in https://jeremylong.github.io/DependencyCheck/general/suppression.html |
We are experiencing almost the same issue, only the check fails on an HTTP 500 or a NullPointerException from OSS Index. HTTP 500:
NullPointerException:
I think this is also related to the recent improvements Sonatype applied to OSS Index: https://ossindex.sonatype.org/updates-notice.
|
We are also experiencing this same issue. I did some investigating and this seems to be caused by handling of the response failing. That in turn results in the same request being sent on every dependency until rate limit is reached.
There is a large amount of these failed requests until eventually only rate-limit is logged. |
I'm not sure if suppression is related to this. These are not "false positives", they are errors: cheers |
@danielbraeutigam @ankurga : The problem you are discussing is not related to the issue reported, so let's take it separately. As of now, all projects using the owasp-dependency-check plugin with version 6.X.X and 7.1.0 don't build. Something has recently changed at SONATYPE. I can reproduce the same locally as well as on our CI platforms.
On debug we see:
The URL https://ossindex.sonatype.org/api/v3/component-report is throwing 429 (Rate limiting) |
It looks like sonatype have started rate limiting more aggressively for anonymous accounts. One solution is to register for an account with sonatype and supply a username and password / api key e.g. for gradle users
|
@achintSatsangi https://ossindex.sonatype.org/updates-notice |
I'm not sure if this is the real issue.
cheers |
Agreed, it didn't look like that to me either, since I was getting exactly the same errors as you. However I can confirm that for me supplying credentials to the oss index then meant that I stopped getting the null pointer exception and rate limited exceeded errors and the check then succeeded. |
This problem looks to me like the Sonatype-provided client isn't handling the responses correctly. An issue should probably be raised there as well. |
When using
|
I am experiencing the same issue since this morning with the plugin. { |
As I can see |
According to the doc https://ossindex.sonatype.org/doc/rest |
Is it possible to disable it? Or use a local nexus server instead? |
Nope. That is not the issue here. |
An additional thing: when I run the same check locally (not on GitLab), I am getting the following NPEs: UPDATE: these NPEs are also present in the GitLab pipeline.
|
You can disable the OSS Index Analyzer entirely. Check the docs for how. |
Yes you can disable the analyzer using |
I wouldn't recommend disabling the oss indexer though, we are currently getting four failures with the indexer enabled, but none with it disabled. I would instead recommend registering with oss index and setting a username and password / api key. |
How to accomplish this with maven? (which properties to set / provide) cheers |
Looks like currently you cannot register on ossindex.sonatype; you get a 500 error |
registering works; you should receive an email with a confirmation link .... |
got it working. Provide e.g. and in your <settings>
<servers>
<server>
<id>owasp-oss-index</id>
<username>foo</username>
<password>bla</password>
</server>
</servers>
</settings>
@petergphillips can confirm that with a registered user account it works. Thanks for the hints! And yes, it seems like the rate limit of 128 modules per request is new cheers |
see #4535 (comment) |
Also had to disable .net assembly analysis (through lombok bundled windows executables) explicitly to prevent analysis failure once OSS index analyzer disabled. For OSS index breaking changes see: jeremylong/DependencyCheck#4539 and probably next step to sign up Sonatype user: jeremylong/DependencyCheck#4538
We too have this issue since today. Registering with ossindex.sonatype.org and using that username/password with the command line options --ossIndexUsername and --ossIndexPassword solved the issue. |
But how come when I disable |
If anyone comes here because their pipeline in azure devops is failing, just follow these two steps:
additionalArguments: | |
Fix mentioned in #4535 (comment) worked for me now without changing any configuration. |
Same for me. Problem solved. Thanks. |
Any possibility to not use user and password in clear? Any token?
On Wed, May 25, 2022 at 4:02 PM rvgiesen ***@***.***> wrote:
If anyone comes here because their pipeline in azure devops is failing,
just follow these two steps:
- register a free account at https://ossindex.sonatype.org/
- add your new account info to your pipeline yaml file in the inputs
part, f.e.:
additionalArguments: |
--ossIndexUsername YOUREMAIL --ossIndexPassword YOURPASS
|
OSSI supports generating an API Token https://ossindex.sonatype.org/doc/api-token |
People are looking for an immediate solution: set ossindexAnalyzerEnabled to false in your scans. Then, work on registering a username and password to authenticate with OSS. |
@ctnelson1997 these issues should be resolved now |
Just so I understand correctly: The rate limiting issues are fixed on OSS Index so a user account is not needed anymore? By the way, after I specified a user and password, a few I assume they're only visible to logged in users, most don't have CVE numbers and quite a few are not fixed yet. For example, https://ossindex.sonatype.org/component/pkg:maven/org.terracotta/offheap-store has the same vulnerability in all versions, https://ossindex.sonatype.org/vulnerability/sonatype-2020-0267. |
@Subhalakshmi1986 Looks like it expired a few hours ago, so a new issue. |
I highly recommend making authenticated requests so that you receive the higher rate limit but also so that you get the SONATYPE-* vulnerabilities. These are vulnerabilities discovered by our large team of human researchers. Most often these are because the public sources are incorrect (they report something has been fixed but our testing shows that it hasn't actually been fixed). |
@jeremylong @jlstephens89 I think this one can now be considered resolved with the updates/fixes made in the OSSINDEX? Or are there still pending issues related to this ticket? |
I am facing this issue now; it seems to be the same behaviour: ...
|
@Redirts |
We also get rate limit errors even when setting an ossIndex username/password :( This started about 2 weeks ago; before, everything was fine. We use the org.owasp.dependencycheck gradle plugin in version 7.4.1 / 7.3.2! Other older versions I have not tested, but it was working with 7.3.2 ~3 weeks before. I get |
@xtermi2 For the HTTP 500 cases it would be worthwhile to find out for which of your dependencies that happens, as it appears to indicate an issue on the OSSINDEX server side (there was recently a report for an old version of JGroups that triggers a 500 at the OSSINDEX API (#5154), which has already been raised with Sonatype, but maybe your cases concern other libraries that have a server-side issue on the OSSINDEX side). Regarding the 429 cases, like mentioned before in this thread: double-check your caching configuration on the build server. ODC uses OSSINDEX's apiclient, which has built-in caching features to avoid flooding their API, but it requires you to ensure that different invocations of ODC use the same data directory (which among others contains the OSSINDEX cached data and the CVE database) |
|
Don't know the amount of logging that the gradle plugin can do. The JGroups case I referred to I was able to quickly reproduce and see all the detail by enabling debug of the maven plugin (
|
@aikebah I wonder if we should add rate limiting to the client - to slow down the requests a bit to avoid this issue? I've been experimenting with options for the NVD API when we convert (see vuln-tools/.../RateLimitedClient.java and a slightly modified version at cdn-jscan/.../RateLimitedClient.java). Thoughts? |
My gut feel is that something's weird in Node analysis... I saw dependency counts in the ten-thousands range when I trialled a dummy project created from https://github.com/facebook/create-react-app NPM lists package counts in the thousands, but ODC counts in the ten-thousands (somewhere around 26k, with 16k unique). I can imagine that such huge counts, if they leak to the OSSindex inquiry, will overload it in any case (with 128 deps per request you'd need an excessive amount of calls). In general a rate-limited client is a good idea (although I don't know if we could plug it into their API client to perform the requests), but my gut feel is that we should first plug the dependencycheck hole, because I cannot reasonably believe that a react app has 26k depended-on NPM packages
Just your typical node developer going to work: I agree there is likely something wrong (I did "recently" fix a duplication problem in npm - see #3983). Also, the recent fixes around the node_modules directory might have corrected some of the problem... But there is likely still an underlying issue - but some npm projects do have 10k+ dependencies. |
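The client behaviour the last few comments argue for (deduplicate coordinates, send at most 128 per request, authenticate, and back off on a 429 instead of re-sending every dependency), as an added example that is not DependencyCheck's or Sonatype's own client code. The transport is injected, and FakeOssIndex and the coordinate names are constructed for the demo, so it runs offline; the request and response shapes follow the component-report endpoint named in this thread.

```python
# Added example (not DependencyCheck's or Sonatype's code): a client policy for the
# OSS Index component-report endpoint that avoids the failure mode in this thread:
# dedupe coordinates, send at most 128 per request, authenticate, and back off on
# HTTP 429 instead of re-sending every dependency. Transport is injected so it runs offline.
import base64
import json

OSS_INDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
MAX_PER_REQUEST = 128  # per-request coordinate limit reported in the thread

def auth_headers(username, api_token):
    # HTTP Basic; OSS Index accepts an API token in place of the account password.
    raw = base64.b64encode(f"{username}:{api_token}".encode()).decode()
    return {"Authorization": f"Basic {raw}", "Content-Type": "application/json"}

def batches(coordinates, size=MAX_PER_REQUEST):
    # Deduplicate (order-preserving) before splitting into request-sized batches.
    unique = list(dict.fromkeys(coordinates))
    return [unique[i:i + size] for i in range(0, len(unique), size)]

def fetch_reports(coordinates, transport, headers, max_retries=3, sleep=lambda s: None):
    # transport(url, headers, body) -> (status, body). A 429 gets exponential backoff;
    # any other non-200 fails the batch instead of falling back to one request per dependency.
    reports, delay = [], 1.0
    for batch in batches(coordinates):
        body = json.dumps({"coordinates": batch}).encode()
        for attempt in range(max_retries + 1):
            status, resp = transport(OSS_INDEX_URL, headers, body)
            if status == 200:
                reports.extend(json.loads(resp))
                break
            if status == 429 and attempt < max_retries:
                sleep(delay)
                delay *= 2
                continue
            raise RuntimeError(f"OSS Index returned HTTP {status} for {len(batch)} coordinates")
    return reports

class FakeOssIndex:
    # Constructed stand-in for the API: the first call is rate limited, later calls
    # return one empty report per coordinate (the real API returns one entry per PURL).
    def __init__(self):
        self.calls = 0

    def __call__(self, url, headers, body):
        self.calls += 1
        if self.calls == 1:
            return 429, b'{"message": "rate limit exceeded"}'
        coords = json.loads(body)["coordinates"]
        return 200, json.dumps([{"coordinates": c, "vulnerabilities": []} for c in coords]).encode()
```

With 300 constructed coordinates containing 100 duplicates, the fake server sees three requests in total (one rate-limited, two successful) rather than one per dependency.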
Just had a thought - is the retireJS analyzer causing this issue on npm projects?
|
I've just tested this again and I can reproduce it with simply the request POST https://ossindex.sonatype.org/api/v3/component-report
https://issues.sonatype.org/browse/OSSIPUB-37 So I think there are 2 issues, |
@msillence I've reproduced your issue and have passed it on to the team that maintains OSSI at Sonatype. Thanks for reporting this. |
Starting today (25.05.2022), multiple errors started to fail on each execution. No plugin version changed (was and remains the 7.1.0 version). Error examples (an error is failing for each of the dependencies):
There are actually the NPEs that are probably the root cause:
etc.