Describe the bug
DependencyChecker gets stuck after "[INFO] Finished Jar Analyzer (1 seconds)", i.e., during running the Central Analyzer, in multiple pipelines. During the past 2-3 days, pipeline build times started gradually increasing from a couple of minutes to over 1 hr. Since the default Azure pipeline timeout is 60 mins, the pipelines are terminated afterwards.
Version of dependency-check used
7.4.4, 8.0.0
Expected behavior
The scan should proceed until the end or should be canceled after a certain time of inactivity.
Additional context
Here is a log of a build that finished below 1 hr:
[INFO]
Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
About ODC: https://jeremylong.github.io/DependencyCheck/general/internals.html
False Positives: https://jeremylong.github.io/DependencyCheck/general/suppression.html
💖 Sponsor: https://github.com/sponsors/jeremylong
[INFO] Analysis Started
[INFO] Finished Archive Analyzer (6 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (0 seconds)
[INFO] Finished Central Analyzer (3202 seconds)
[INFO] Finished Assembly Analyzer (0 seconds)
[WARN] No lock file exists - this will result in false negatives; please run `npm install --package-lock`
[WARN] No lock file exists - this will result in false negatives; please run `npm install --package-lock`
[WARN] Analyzing `/workspace/94/s/.../dijit/package.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check
[WARN] Analyzing `/workspace/94/s/.../dojo/package.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check
[WARN] No lock file exists - this will result in false negatives; please run `npm install --package-lock`
[WARN] Analyzing `/workspace/94/s/.../dojox/package.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check
[WARN] No lock file exists - this will result in false negatives; please run `npm install --package-lock`
[WARN] Analyzing `/tmp/.../dijit/package.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check
[WARN] No lock file exists - this will result in false negatives; please run `npm install --package-lock`
[WARN] Analyzing `/tmp/.../dojox/package.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check
[WARN] No lock file exists - this will result in false negatives; please run `npm install --package-lock`
[WARN] Analyzing `/tmp/.../dojo/package.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check
[INFO] Finished Node.js Package Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (3 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (2 seconds)
[INFO] Finished CPE Analyzer (5 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished RetireJS Analyzer (25 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (1 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (13 seconds)
[INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[INFO] Analysis Complete (3262 seconds)
[INFO] Writing report to: /workspace/94/s/dependency-check-report.csv
[INFO] Writing report to: /workspace/94/s/dependency-check-report.html
This is for /workspace/94/s/...
Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
[INFO]
Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
About ODC: https://jeremylong.github.io/DependencyCheck/general/internals.html
False Positives: https://jeremylong.github.io/DependencyCheck/general/suppression.html
💖 Sponsor: https://github.com/sponsors/jeremylong
[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[INFO] Analysis Complete (2 seconds)
[INFO] Writing report to: /workspace/94/s/dependency-check-report.csv
[INFO] Writing report to: /workspace/94/s/dependency-check-report.html
Finishing: Run OWASP scan over each repo
The issue is with Maven Central, there has been an issue since last Friday, see the status page for more details. It would be good to have timeouts for analysers to tackle scenarios where third-parties have extended periods of downtime.
See other issues... this will be rooted at the instability of Maven Central search and is influenced by the back-off timeouts triggered by central search failures. Each dependency is attempted 3 times. First retry after a 1500ms delay, second retry after a 3 second delay.
So dependency-check is still slowly moving forward with retrying the failing searches on Maven Central.
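Added example (not dependency-check's own code): a small Python model of the retry schedule described in the comment above (3 attempts per dependency, first retry after 1500 ms, second after 3 s), showing how a failing upstream turns into an hour-long Central Analyzer phase, and what an analyzer-level time budget would change. The per-request timeout, the serial processing of dependencies and the budget itself are assumptions for illustration.

```python
"""Model of how Central Analyzer retries compound when Maven Central is down.

The retry schedule (3 attempts, 1500 ms then 3000 ms back-off) comes from the
maintainer's comment.  The per-request timeout, serial lookups and the
analyzer budget are assumptions for illustration, not dependency-check code.
"""

RETRY_DELAYS_MS = (1500, 3000)        # back-off before retry 1 and retry 2
MAX_ATTEMPTS = len(RETRY_DELAYS_MS) + 1  # 3 attempts per dependency


def lookup_cost_ms(outcomes, request_timeout_ms):
    """Simulated wall-clock cost (ms) of searching Central for one dependency.

    outcomes: True/False per attempt (True = search answered). Assumed: a
    failed request burns the full request_timeout_ms (hung upstream), a
    successful one is treated as instant. Attempts beyond 3 are ignored.
    """
    total = 0
    for i, ok in enumerate(outcomes[:MAX_ATTEMPTS]):
        if i > 0:
            total += RETRY_DELAYS_MS[i - 1]   # wait out the back-off first
        if ok:
            return total
        total += request_timeout_ms           # attempt failed, timeout spent
    return total


def scan_cost_s(dependency_count, outcomes, request_timeout_ms, budget_s=None):
    """Serial cost of scanning dependency_count artifacts that all behave like
    `outcomes`. With budget_s (an assumed analyzer deadline, the mitigation the
    comment above asks for) the scan stops before exceeding it.
    Returns (elapsed_seconds, dependencies_completed)."""
    per_dep_s = lookup_cost_ms(outcomes, request_timeout_ms) / 1000.0
    elapsed, done = 0.0, 0
    for _ in range(dependency_count):
        if budget_s is not None and elapsed + per_dep_s > budget_s:
            break                             # deadline: stop, fail fast
        elapsed += per_dep_s
        done += 1
    return elapsed, done


if __name__ == "__main__":
    always_down = [False] * MAX_ATTEMPTS      # constructed: Central never answers
    print("per dependency (ms):", lookup_cost_ms(always_down, 10_000))
    print("100 deps, no budget :", scan_cost_s(100, always_down, 10_000))
    print("100 deps, 600 s cap :", scan_cost_s(100, always_down, 10_000, 600))
```

With an assumed 10 s request timeout, three failed attempts cost 34.5 s per dependency, so about a hundred unanswered lookups already land in the same range as the 3202 seconds the Central Analyzer took in the log above; a fixed budget bounds the phase instead.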