[JIRA] (JENKINS-58402) On Windows slaves, any call of dependency check tool results in "The input line is too long" error


c.amshoff@gmx.de (JIRA)

Jul 9, 2019, 6:43:02 AM
to jenkinsc...@googlegroups.com
Christoph Amshoff created an issue
 
Jenkins / Bug JENKINS-58402
On Windows slaves, any call of dependency check tool results in "The input line is too long" error
Issue Type: Bug
Assignee: Unassigned
Components: dependency-check-jenkins-plugin
Created: 2019-07-09 10:42
Environment: dependency-check 5.0, Windows
Priority: Critical
Reporter: Christoph Amshoff

We defined Jenkins Global Tool for dependency-check-5.1.0 with auto install. When executing a job on a Windows slave, the tool gets installed (in folder c:\jenkins-slave\tools\org.jenkinsci.plugins.DependencyCheck.tools.DependencyCheckInstallation\dependency-check-5.1.0), but any call of Dependency Check results in errors:

[DependencyCheck] The input line is too long.
[DependencyCheck] The syntax of the command is incorrect.

This is the case even for simple calls like

dependencycheck additionalArguments: '--updateonly --data c:\\builds\\dependency-check-data2', odcInstallation: 'dependency-check-5.1.0'

Is there any way to see the command line that is built? And more importantly, to get rid of the errors?

steve.springett@owasp.org (JIRA)

Jul 10, 2019, 10:00:03 PM
to jenkinsc...@googlegroups.com
Steve Springett commented on Bug JENKINS-58402

You can try enabling logging for hudson.* 

The execution is handled by Jenkins itself, specifically hudson.Launcher.ProcStarter

BTW, I've also had issues running 5.1.0, but 5.0.0 works fine in my environment. It might be an issue with the dependency-check script itself, which would be outside of the Jenkins plugin control.

c.amshoff@gmx.de (JIRA)

Jul 11, 2019, 9:21:02 AM
to jenkinsc...@googlegroups.com
Christoph Amshoff commented on Bug JENKINS-58402

Steve, thanks for the tips.

First of all, going back to dependency-check-5.0.0 did not help.

After configuring a logger for hudson.Proc I saw that the syntax of the call is most probably wrong, caused by using the fully qualified job name and build number as default for --project parameter:

 

Running: c:\builds\jenkins-slave\tools\org.jenkinsci.plugins.DependencyCheck.tools.DependencyCheckInstallation\dependency-check-5.0.0\bin\dependency-check.bat --project Experimental » ams-testDepCheck #9 --scan c:\builds\jenkins-slave\workspace\lfjee\Experimental\ams-testDepCheck --format XML --updateonly --data c:/builds/dependency-check-data --proxyserver xxxxx --proxyport 8080

 

When instead passing in some value for project, I get this command line

 

Running: c:\builds\jenkins-slave\tools\org.jenkinsci.plugins.DependencyCheck.tools.DependencyCheckInstallation\dependency-check-5.0.0\bin\dependency-check.bat --scan c:\builds\jenkins-slave\workspace\lfjee\Experimental\ams-testDepCheck --format XML --project updateDepData --updateonly --data c:/builds/dependency-check-data --proxyserver xxxxx --proxyport 8080

 

Which seems correct and indeed does work when copy & pasted into local installation of dependency-check command line tool.

c:\Utils\dependency-check\bin>dependency-check.bat --scan c:\lfjee\ams-testDepCheck --format XML --project updateDepData --updateonly --data c:/builds/dependency-check-data --proxyserver xxxxx --proxyport 8080
[INFO] Checking for updates
[INFO] NVD CVE requires several updates; this could take a couple of minutes.
[INFO] Download Started for NVD CVE - 2002
[INFO] Download Started for NVD CVE - 2003
[INFO] Download Complete for NVD CVE - 2003 (1779 ms)
[INFO] Download Started for NVD CVE - 2004
[INFO] Processing Started for NVD CVE - 2003
...

However, in Jenkins I still get

Building remotely on mu-s-iplint5 (lf-win) in workspace c:\builds\jenkins-slave\workspace\lfjee\Experimental\ams-testDepCheck
[DependencyCheck] The input line is too long.
[DependencyCheck] The syntax of the command is incorrect.
Build step 'Invoke Dependency-Check' changed build result to FAILURE

There is no other info in the hudson.Proc log. When logging just hudson package, there are tons of messages, though; I think they are unrelated, but I'll attach the log anyway.

 

kfhickel@gmail.com (JIRA)

Jul 17, 2019, 7:30:02 AM
to jenkinsc...@googlegroups.com

I am also experiencing this issue with the 5.0.2 version of the plugin, let me know if you need any information from my setup, but it seems straightforward to recreate.

 

steve.springett@owasp.org (JIRA)

Jul 17, 2019, 10:49:02 AM
to jenkinsc...@googlegroups.com

"straightforward to recreate" assumes access to Windows machines. I will likely rely on pull requests from the community for this issue to be resolved.

 

If the error is due to the path to dependency-check.bat being too long, then that may be an issue with the Jenkins plugin or with Jenkins itself. The plugin relies on Hudson core classes for this. However, if the error is caused while executing statements inside dependency-check.bat, then that is not the plugin's responsibility. That scenario would need to be solved in dependency-check-core.

kfhickel@gmail.com (JIRA)

Jul 17, 2019, 2:08:02 PM
to jenkinsc...@googlegroups.com

I did a bit of digging, and the problem is the set CLASSPATH in dependency-check.bat, which seems to be the cause of this problem reported against Dependency-Check [https://github.com/jeremylong/DependencyCheck/issues/2062].

In my Windows Jenkins agent, the path to the tool BASEDIR is 135 characters, so the fully expanded CLASSPATH value would be 10841 characters; the longest command line for modern Windows is 8191.

I'll add this info to that ticket as well, not sure the best way to solve it, although for Java 9, that may be to use a manifest jar file.

kfhickel@gmail.com (JIRA)

Jul 18, 2019, 9:44:02 AM
to jenkinsc...@googlegroups.com
Kelly Hickel edited a comment on Bug JENKINS-58402
I should have pointed out that you don't need a Windows machine to see this; you could just add "echo $CLASSPATH | wc -c" to dependency-check.sh, after CLASSPATH is set. If the length is over 8191, then it won't work on Windows.
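
The length check suggested above can be turned into a pre-flight estimate for a given agent install path. This is an added example, not part of the original thread or of dependency-check; it assumes every classpath entry expands to <BASEDIR>\repo\<jar> and ignores quoting and the "set CLASSPATH=" prefix, so it slightly underestimates the real line.

```shell
#!/bin/sh
# Added example: estimates the expanded Windows CLASSPATH length for a jar list.
CMD_LIMIT=8191   # cmd.exe line limit quoted in the thread

# classpath_len BASEDIR_LEN JAR_LIST
# JAR_LIST holds one jar path per line, relative to the tool's repo directory.
# Assumed model: every entry expands to <BASEDIR>\repo\<jar>, joined by ';'.
classpath_len() {
    awk -v base="$1" '
        NF { n++; total += base + length("\\repo\\") + length($0) }
        END { if (n > 1) total += n - 1; print total + 0 }
    ' "$2"
}

# max_basedir_len JAR_LIST
# Longest install path (in characters) that keeps the line within CMD_LIMIT.
max_basedir_len() {
    awk -v limit="$CMD_LIMIT" '
        NF { n++; fixed += length("\\repo\\") + length($0) }
        END {
            if (n == 0) { print limit; exit }
            room = limit - fixed - (n - 1)
            print (room < 0) ? 0 : int(room / n)
        }
    ' "$1"
}

# fits_cmd_limit BASEDIR_LEN JAR_LIST -> exit status 0 when within the limit
fits_cmd_limit() {
    [ "$(classpath_len "$1" "$2")" -le "$CMD_LIMIT" ]
}

# Constructed sample: three jar paths that appear in this thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar
commons-cli/commons-cli/1.4/commons-cli-1.4.jar
org/owasp/dependency-check-core/5.1.1/dependency-check-core-5.1.1.jar
EOF

echo "expanded length at BASEDIR=135: $(classpath_len 135 "$sample")"
echo "longest BASEDIR that still fits: $(max_basedir_len "$sample")"
rm -f "$sample"
```

Feeding it the full jar list of an unpacked release shows how much headroom a given Jenkins tools directory leaves before the scan step starts failing.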

c.amshoff@gmx.de (JIRA)

Jul 19, 2019, 8:03:03 AM
to jenkinsc...@googlegroups.com

@Kelly, thanks for your discovery. I can confirm it's indeed the CLASSPATH setting. We were able to locally work around this issue (unpack all JARs in single folder) until it's resolved.

kfhickel@gmail.com (JIRA)

Jul 19, 2019, 9:54:03 AM
to jenkinsc...@googlegroups.com

That's what I did as well, I'll include my change below, just in case someone gets stuck, but it's an ugly hack, the example I give may only work for version 5.1.1, and would have to be re-applied/changed every time the jenkins tool directory is updated/upgraded/etc.

Edit the .bat file located here: <jenkins agent directory>\tools\org.jenkinsci.plugins.DependencyCheck.tools.DependencyCheckInstallation\OWASP_Dependency_Check\bin\dependency-check.bat, find the long line that begins with "set CLASSPATH=", and REPLACE it with the lines below.

Yes, this is an ugly hack, don't feel the need to point that out ;->, but it does work for the short-term.

set CLASSPATH="%BASEDIR%"\plugins\*
xcopy /D/y "%REPO%"\ch\qos\logback\logback-core\1.2.3\logback-core-1.2.3.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\ch\qos\logback\logback-classic\1.2.3\logback-classic-1.2.3.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\commons-cli\commons-cli\1.4\commons-cli-1.4.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\owasp\dependency-check-core\5.1.1\dependency-check-core-5.1.1.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\apache\commons\commons-jcs-core\2.2.1\commons-jcs-core-2.2.1.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\commons-logging\commons-logging\1.2\commons-logging-1.2.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\com\github\package-url\packageurl-java\1.1.0\packageurl-java-1.1.0.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\us\springett\cpe-parser\2.0.1\cpe-parser-2.0.1.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\com\vdurmont\semver4j\2.2.0\semver4j-2.2.0.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\commons-collections\commons-collections\3.2.2\commons-collections-3.2.2.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\apache\commons\commons-compress\1.18\commons-compress-1.18.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\commons-io\commons-io\2.6\commons-io-2.6.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\apache\commons\commons-lang3\3.4\commons-lang3-3.4.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\apache\commons\commons-text\1.7\commons-text-1.7.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\apache\lucene\lucene-core\8.1.1\lucene-core-8.1.1.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\apache\lucene\lucene-analyzers-common\8.1.1\lucene-analyzers-common-8.1.1.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\apache\lucene\lucene-queryparser\8.1.1\lucene-queryparser-8.1.1.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\apache\lucene\lucene-queries\8.1.1\lucene-queries-8.1.1.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\apache\lucene\lucene-sandbox\8.1.1\lucene-sandbox-8.1.1.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\apache\velocity\velocity-engine-core\2.1\velocity-engine-core-2.1.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\com\h2database\h2\1.4.196\h2-1.4.196.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\glassfish\javax.json\1.0.4\javax.json-1.0.4.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\jsoup\jsoup\1.12.1\jsoup-1.12.1.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\com\sun\mail\mailapi\1.6.2\mailapi-1.6.2.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\com\google\code\gson\gson\2.8.5\gson-2.8.5.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\com\google\guava\guava\28.0-jre\guava-28.0-jre.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\com\google\guava\failureaccess\1.0.1\failureaccess-1.0.1.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\com\google\guava\listenablefuture\9999.0-empty-to-avoid-conflict-with-guava\listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\checkerframework\checker-qual\2.8.1\checker-qual-2.8.1.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\com\google\errorprone\error_prone_annotations\2.3.2\error_prone_annotations-2.3.2.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\com\google\j2objc\j2objc-annotations\1.3\j2objc-annotations-1.3.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\codehaus\mojo\animal-sniffer-annotations\1.17\animal-sniffer-annotations-1.17.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\com\h3xstream\retirejs\retirejs-core\3.0.1\retirejs-core-3.0.1.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\json\json\20140107\json-20140107.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\com\esotericsoftware\minlog\1.3\minlog-1.3.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\com\github\spullara\mustache\java\compiler\0.8.17\compiler-0.8.17.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\sonatype\ossindex\ossindex-service-client\1.2.0\ossindex-service-client-1.2.0.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\sonatype\ossindex\ossindex-service-api\1.2.0\ossindex-service-api-1.2.0.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\com\fasterxml\jackson\core\jackson-annotations\2.9.0\jackson-annotations-2.9.0.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\javax\ws\rs\javax.ws.rs-api\2.0.1\javax.ws.rs-api-2.0.1.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\sonatype\goodies\package-url-java\1.0.1\package-url-java-1.0.1.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\javax\inject\javax.inject\1\javax.inject-1.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\slf4j\jcl-over-slf4j\1.7.15\jcl-over-slf4j-1.7.15.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\joda-time\joda-time\2.9.9\joda-time-2.9.9.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\com\moandjiezana\toml\toml4j\0.7.2\toml4j-0.7.2.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\owasp\dependency-check-utils\5.1.1\dependency-check-utils-5.1.1.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\slf4j\slf4j-api\1.7.26\slf4j-api-1.7.26.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\apache\ant\ant\1.9.9\ant-1.9.9.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\com\google\code\findbugs\jsr305\3.0.2\jsr305-3.0.2.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\jetbrains\annotations\17.0.0\annotations-17.0.0.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\com\github\spotbugs\spotbugs-annotations\3.1.12\spotbugs-annotations-3.1.12.jar "%BASEDIR%"\plugins\
xcopy /D/y "%REPO%"\org\owasp\dependency-check-cli\5.1.1\dependency-check-cli-5.1.1.jar "%BASEDIR%"\plugins\

darknesstube@gmail.com (JIRA)

Jul 22, 2019, 12:44:02 PM
to jenkinsc...@googlegroups.com

Dependency-Check version 5.2.0 was recently released which uses some maven settings to shorten the classpaths. I can confirm this update works on our windows build node which fixes the issues for us.

c.amshoff@gmx.de (JIRA)

Jul 23, 2019, 4:24:03 PM
to jenkinsc...@googlegroups.com
Christoph Amshoff updated Bug JENKINS-58402
 

Dependency-Check version 5.2.0 works fine, consider issue fixed.

Change By: Christoph Amshoff
Status: Open -> Fixed but Unreleased
Resolution: Fixed