DC does not work anymore after reading older jgroups library 2.6.21.Final #5154
Comments
The error appears to have nothing to do with JGroups; rather, your connection to the OSS Index is failing: https://gist.github.com/rschnitk/122e8aaca684bf77b3f951a834f58cec#file-log-L738-L752 ODC, by default, does use the OSS Index to obtain additional information about vulnerable dependencies. Not sure if you are behind a proxy or what is causing the issue. At the cost of additional FP/FN you can disable the OSS Index Analyzer.

Surprisingly, the scan of over 300 libs in the application works if you remove this one library (jgroups) beforehand. The JGroups scan seems to affect the rest somehow, though.

It's likely a rate limiting issue.

Only "--disableOssIndex" helps. Thank you.

I don't think this is a rate limiting issue; I can reproduce with a pom that only has a dependency on jgroups and nothing else. I have tried both with anonymous access to OSS Index and with a login, but the results are the same. Reproducer pom (renamed to .txt because it wouldn't let me upload an XML)

I also ran into this issue, and it appears that it is caused by a jgroups package. I caught the POST request to ossindex.sonatype.org using ZAP proxy and tried to remove the packages that didn't cause the error. Finally, I ended up with the following request:

It responds with the following payload:

Also, when searching for package

There is also no difference between doing an anonymous request or using basic authentication. It looks like there's something wrong in the OSS Index data for this particular package.

The OSS Index API returns a 500 error when querying JGroups. However, further requests can be executed via browser, and these are successful with status 200. The question is why DependencyCheck keeps showing an error 500 for all JAR files if only this one library is present. The tool somehow keeps the error status.
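The failure mode discussed in the comments above is that Dependency-Check sends the coordinates of many dependencies to OSS Index in one batched POST, and a single coordinate the service chokes on turns the whole batch into an HTTP 500, so every dependency in it is reported as "an error occurred while analyzing". The commenter who used ZAP isolated the offending package by hand; the script below does the same thing by bisection and then re-queries the rest of the batch without it. This is an added example, not code from the issue or from Dependency-Check itself. The endpoint URL and the `{"coordinates": [...]}` request body are OSS Index's public v3 component-report API, and the batch cap of 128 coordinates is the limit I understand that API to enforce; the poisoned-batch behaviour is simulated by a constructed fake server so the script runs offline, and every sample coordinate other than the jgroups one is made up.

```python
"""Isolate the coordinate that turns an OSS Index component-report batch into
an HTTP 500, then re-query the remaining coordinates.  Added example; the
network transport (live_post) is included for completeness but the demo
below runs entirely against a constructed fake."""
import json
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

# Public OSS Index v3 endpoint used by Dependency-Check's OSS Index analyzer.
OSSINDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
# Assumed per-request cap on coordinates (OSS Index documents 128).
MAX_BATCH = 128

# Constructed sample batch: the jgroups coordinate from the issue plus
# three made-up, unrelated Maven coordinates.
SAMPLE_BATCH = [
    "pkg:maven/org.jgroups/jgroups@2.6.21.Final",
    "pkg:maven/org.apache.commons/commons-lang3@3.12.0",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0",
    "pkg:maven/org.slf4j/slf4j-api@1.7.36",
]

# A "post" function takes a list of purls and returns (http_status, body).
PostFn = Callable[[List[str]], Tuple[int, str]]


def live_post(coordinates: List[str]) -> Tuple[int, str]:
    """Real transport: one anonymous component-report request to OSS Index.
    Not called by the offline demo; pass it instead of the fake to run live."""
    data = json.dumps({"coordinates": coordinates}).encode()
    req = urllib.request.Request(
        OSSINDEX_URL, data=data, method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "User-Agent": "ossindex-bisect-example"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def make_fake_ossindex(poison: List[str]) -> PostFn:
    """Constructed stand-in for OSS Index: any batch containing a 'poison'
    coordinate answers 500, every other batch gets an empty vulnerability list."""
    bad = set(poison)

    def post(coordinates: List[str]) -> Tuple[int, str]:
        if bad & set(coordinates):
            return 500, '{"message":"Internal Server Error"}'
        report = [{"coordinates": c, "vulnerabilities": []} for c in coordinates]
        return 200, json.dumps(report)

    return post


def isolate_failing(coordinates: List[str], post: PostFn) -> List[str]:
    """Bisect a batch that returns 500 down to the coordinates that fail on
    their own.  Assumes a failing coordinate fails in every batch it is in."""
    status, _ = post(coordinates)
    if status != 500:
        return []
    if len(coordinates) == 1:
        return list(coordinates)
    mid = len(coordinates) // 2
    return (isolate_failing(coordinates[:mid], post)
            + isolate_failing(coordinates[mid:], post))


def report_with_fallback(coordinates: List[str], post: PostFn):
    """Query in MAX_BATCH-sized batches.  On a 500, drop only the offending
    coordinates, re-query the rest, and return (report_entries, skipped)
    instead of failing every dependency in the batch."""
    entries, skipped = [], []
    for i in range(0, len(coordinates), MAX_BATCH):
        batch = coordinates[i:i + MAX_BATCH]
        status, body = post(batch)
        if status == 500:
            bad = isolate_failing(batch, post)
            skipped.extend(bad)
            batch = [c for c in batch if c not in bad]
            if not batch:
                continue
            status, body = post(batch)
        if status != 200:
            raise RuntimeError(f"OSS Index returned HTTP {status}")
        entries.extend(json.loads(body))
    return entries, skipped


if __name__ == "__main__":
    fake = make_fake_ossindex([SAMPLE_BATCH[0]])
    got, dropped = report_with_fallback(SAMPLE_BATCH, fake)
    print("skipped (OSS Index 500):", dropped)
    print("reported:", [e["coordinates"] for e in got])
```

Pointing `report_with_fallback` at `live_post` instead of the fake reproduces the bisection against the real service; the skipped list is then the set of coordinates to exclude or suppress while keeping OSS Index results for everything else, which is the behaviour the reporter wanted rather than `--disableOssIndex` for the whole scan.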
Describe the bug
Scan some libraries, one of which is jgroups 2.6.1 from the Maven repository "https://repository.jboss.org/nexus/content/repositories/releases/org/jgroups/jgroups/2.6.21.Final/". For all other libraries you will get:
An error occurred while analyzing 'xxx'
Version of dependency-check used
The problem occurs using several 7.x versions (latest 7.4.1), CLI and Gradle plugin.
Log file
https://gist.github.com/rschnitk/122e8aaca684bf77b3f951a834f58cec
To Reproduce
Steps to reproduce the behavior:
Expected behavior
jgroups 2.6.21.Final is old. But it's annoying when the tool stops working.