
DC does not work anymore after reading older jgroups library 2.6.21.Final #5154

Open
rschnitk opened this issue Dec 15, 2022 · 7 comments
Labels: ossindex (issues that relate to the OSSIndex API)

Comments

@rschnitk

Describe the bug
Scan some libraries, one library is jgroups 2.6.1 from maven repository "https://repository.jboss.org/nexus/content/repositories/releases/org/jgroups/jgroups/2.6.21.Final/". For all other libraries you will get:
An error occurred while analyzing 'xxx'

Version of dependency-check used
The problem occurs using several 7.x versions (latest 7.4.1), CLI and Gradle Plugin.

Log file
https://gist.github.com/rschnitk/122e8aaca684bf77b3f951a834f58cec

To Reproduce
Steps to reproduce the behavior:

  1. Download jgroups 2.6.21.Final
  2. Add some other jar libraries
  3. Scan this directory
  4. See error

Expected behavior
jgroups 2.6.21.Final is old. But it's annoying when the tool stops working.

@rschnitk rschnitk added the bug label Dec 15, 2022
@jeremylong
Owner

The error appears to have nothing to do with JGroups; rather your connection to the OSS Index is failing: https://gist.github.com/rschnitk/122e8aaca684bf77b3f951a834f58cec#file-log-L738-L752

ODC, by default, does use the OSS Index to obtain additional information about vulnerable dependencies. Not sure if you are behind a proxy or what is causing the issue. At the cost of additional FP/FN you can disable the OSS Index Analyzer.

@rschnitk
Author

Surprisingly, the scan of over 300 libs in the application works if you remove this one library (jgroups) beforehand. The JGroups scan seems to affect the rest somehow though.

@jeremylong
Owner

It's likely a rate limiting issue.

@rschnitk
Author

Only "--disableOssIndex" helps. Thank you.

@idainfront

I don't think this is a rate limiting issue, I can reproduce with a pom that only has a dependency on jgroups and nothing else.

I have tried both with anonymous access to OSS Index and with a login, but the results are the same.
Seems like we are getting a 500 response.

Reproducer pom (renamed to txt because it wouldn't let me upload an XML):
pom.txt

@stiekemaj

I also ran into this issue and it appears that it is caused by a jgroups package. I caught the POST request to ossindex.sonatype.org using ZAP proxy, and tried to remove the packages that didn't cause the error. Finally, I ended up with the following request:

```bash
curl --location --request POST 'https://ossindex.sonatype.org/api/v3/component-report' \
  --header 'User-Agent: dependency-check/7.4.4 (Mac OS X; 10.16; x86_64; 1.8.0_171)' \
  --header 'Content-Type: application/vnd.ossindex.component-report-request.v1+json' \
  --header 'Accept: application/vnd.ossindex.component-report.v1+json' \
  --header 'Host: ossindex.sonatype.org' \
  --header 'Connection: keep-alive' \
  --header 'Content-Length: 64' \
  --data-raw '{"coordinates":["pkg:maven/org.jgroups/jgroups@2.12.1.3.Final"]}'
```

It responds with the following payload:
{"code":500,"message":"There was an error processing your request. It has been logged (ID 58d9d131d523c191)."}

Also, when searching for package pkg:maven/org.jgroups/jgroups@2.12.1.3.Final by using the ossindex interface, the same error occurs: https://ossindex.sonatype.org/search

There is also no difference between doing an anonymous request or using basic authentication. It looks like there's something wrong in the oss index data for this particular package.
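As an added example (not code from this issue, from dependency-check or from OSS Index), the script below builds the same batched POST body and headers as the captured request and automates the narrowing stiekemaj did by hand: when a batch of coordinates answers 500, it is split in half and each half re-queried until the single coordinate that triggers the error is isolated, so every other coordinate still gets its report. The HTTP transport is replaced by a constructed fake that returns 500 for any batch containing the jgroups coordinate; the batch size, the fake's 200 payload shape and the function names are assumptions, not OSS Index or dependency-check behaviour.

```python
"""Isolate the coordinate that makes the OSS Index component-report
endpoint answer 500, instead of letting one bad package fail the whole scan.

Added example, not project code. Endpoint, headers and the failing
coordinate are taken from the captured curl request in this thread; the
network layer is a constructed fake so the script runs offline.
"""
import json
from typing import Callable, Dict, List, Set, Tuple

OSSINDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
HEADERS = {
    "Content-Type": "application/vnd.ossindex.component-report-request.v1+json",
    "Accept": "application/vnd.ossindex.component-report.v1+json",
}
# Assumed batch size; the page does not state the per-request limit.
BATCH_SIZE = 128

# transport(url, headers, body) -> (status, response_text)
Transport = Callable[[str, Dict[str, str], bytes], Tuple[int, str]]


def build_request(coordinates: List[str]) -> bytes:
    """Compact JSON body in the shape of the captured request
    ({"coordinates":[...]}); one jgroups coordinate gives the 64 bytes
    seen in the Content-Length header above."""
    return json.dumps({"coordinates": coordinates},
                      separators=(",", ":")).encode()


def fake_transport(bad: Set[str]) -> Transport:
    """Constructed stand-in for an HTTP client: answers 500 whenever the
    batch contains any coordinate in `bad`, otherwise 200 with one report
    per coordinate (the 200 payload shape is an assumption)."""
    def send(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
        coords = json.loads(body)["coordinates"]
        if any(c in bad for c in coords):
            return 500, json.dumps({"code": 500,
                                    "message": "There was an error processing your request."})
        return 200, json.dumps([{"coordinates": c, "vulnerabilities": []} for c in coords])
    return send


def query(coords: List[str], transport: Transport) -> Tuple[List[dict], List[str]]:
    """Query one batch. Returns (reports, poisoned): reports for every
    coordinate the service accepted, and the coordinates isolated as
    individually causing a 500. Any other status is raised, not hidden."""
    if not coords:
        return [], []
    status, text = transport(OSSINDEX_URL, HEADERS, build_request(coords))
    if status == 200:
        return json.loads(text), []
    if status == 500 and len(coords) == 1:
        return [], list(coords)          # single bad coordinate isolated
    if status == 500:
        mid = len(coords) // 2           # bisect and retry both halves
        left_r, left_p = query(coords[:mid], transport)
        right_r, right_p = query(coords[mid:], transport)
        return left_r + right_r, left_p + right_p
    raise RuntimeError(f"unexpected HTTP {status} from OSS Index: {text}")


def scan(purls: List[str], transport: Transport) -> Tuple[List[dict], List[str]]:
    """Scan all coordinates in batches; poisoned ones are reported separately."""
    reports: List[dict] = []
    poisoned: List[str] = []
    for i in range(0, len(purls), BATCH_SIZE):
        r, p = query(purls[i:i + BATCH_SIZE], transport)
        reports += r
        poisoned += p
    return reports, poisoned


# Constructed sample input: the jgroups coordinate from the capture plus
# two arbitrary, well-formed Maven Package URLs.
BAD = "pkg:maven/org.jgroups/jgroups@2.12.1.3.Final"
SAMPLE_PURLS = [
    BAD,
    "pkg:maven/com.google.guava/guava@31.1-jre",
    "pkg:maven/org.apache.commons/commons-lang3@3.12.0",
]

if __name__ == "__main__":
    reports, poisoned = scan(SAMPLE_PURLS, fake_transport({BAD}))
    print(f"{len(reports)} reports, poisoned: {poisoned}")
```

Against a real endpoint the fake would be swapped for an `http.client` or `requests` call that returns `(status, text)`; the bisection costs O(log n) extra requests per bad coordinate, which matters if rate limiting is in play, so a 429 should be treated as a reason to back off rather than as a coordinate failure.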

@rschnitk
Author

The OSS Index API returns a 500 error when querying JGroups. However, further requests can be executed via browser and these are successful with status 200.

The question is why DependencyCheck keeps showing an error 500 for all JAR files if only this one library is present. The tool somehow keeps the status error.

5 participants