"No route to host (Host unreachable)" when using mavenSettingsProxyId

[Kaj Hejer]

Hi

We run dependency-check with the following command from jenkins:

mvn -X clean dependency-check:check

and the following config:

<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>1.4.5</version>
<configuration>
<nuspecAnalyzerEnabled>false</nuspecAnalyzerEnabled>
<assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
<failBuildOnCVSS>2</failBuildOnCVSS>
<mavenSettingsProxyId>myproxy</mavenSettingsProxyId>
<cveValidForHours>0</cveValidForHours>
</configuration>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>


The proxy myproxy is defined in settings.xml for jenkins.

If I in settings.xml set active to true for this proxy dependency-check can download what it needs, but not if I set it to false. When setting it to true we ran into some issues with different part of our build process since then everyting used this proxy.

Can mavenSettingsProxyId be a proxy which is not active?

It seem to me that dependency-check does not respect the mavenSettingsProxyId setting. Am I missing something here about how to enable the proxy? Anything else I should to?

I include the stacktrace from maven bellow.

Please let me know if there is any other information I can provice!

Thanks! :)


[INFO] Checking for updates

[DEBUG] Database dialect: H2

[DEBUG] Database dialect: H2
[DEBUG] Checking for updates from:
https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz

[DEBUG] Available Protocols:
[DEBUG] SSLv2Hello
[DEBUG] SSLv3
[DEBUG] TLSv1
[DEBUG] TLSv1.1
[DEBUG] TLSv1.2

[ERROR] IO Exception: No route to host (Host unreachable)

[DEBUG] Exception details
java.net.NoRouteToHostException: No route to host (Host unreachable)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1138)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1032)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:261)
at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:228)
at org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve.add(UpdateableNvdCve.java:101)
at org.owasp.dependencycheck.data.update.NvdCveUpdater.retrieveCurrentTimestampsFromWeb(NvdCveUpdater.java:348)
at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:267)
at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:87)
at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:683)
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:490)
at org.owasp.dependencycheck.maven.CheckMojo.runCheck(CheckMojo.java:97)
at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute(BaseDependencyCheckMojo.java:494)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:207)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:193)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:106)
at org.jvnet.hudson.maven3.launcher.Maven33Launcher.main(Maven33Launcher.java:129)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchStandard(Launcher.java:330)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:238)
at jenkins.maven3.agent.Maven33Main.launch(Maven33Main.java:176)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at hudson.maven.Maven3Builder.call(Maven3Builder.java:133)
at hudson.maven.Maven3Builder.call(Maven3Builder.java:68)
at hudson.remoting.UserRequest.perform(UserRequest.java:153)
at hudson.remoting.UserRequest.perform(UserRequest.java:50)
at hudson.remoting.Request$2.run(Request.java:336)
at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:68)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
[DEBUG] Setting: downloader.quick.query.timestamp='false'
[DEBUG] Available Protocols:
[DEBUG] SSLv2Hello
[DEBUG] SSLv3
[DEBUG] TLSv1
[DEBUG] TLSv1.1
[DEBUG] TLSv1.2

[ERROR] IO Exception: connect timed out

[DEBUG] Exception details
java.net.SocketTimeoutException: connect timed out
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1138)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1032)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:261)
at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:281)
at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:228)
at org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve.add(UpdateableNvdCve.java:101)
at org.owasp.dependencycheck.data.update.NvdCveUpdater.retrieveCurrentTimestampsFromWeb(NvdCveUpdater.java:348)
at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:267)
at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:87)
at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:683)
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:490)
at org.owasp.dependencycheck.maven.CheckMojo.runCheck(CheckMojo.java:97)
at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute(BaseDependencyCheckMojo.java:494)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:207)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:193)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:106)
at org.jvnet.hudson.maven3.launcher.Maven33Launcher.main(Maven33Launcher.java:129)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchStandard(Launcher.java:330)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:238)
at jenkins.maven3.agent.Maven33Main.launch(Maven33Main.java:176)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at hudson.maven.Maven3Builder.call(Maven3Builder.java:133)
at hudson.maven.Maven3Builder.call(Maven3Builder.java:68)
at hudson.remoting.UserRequest.perform(UserRequest.java:153)
at hudson.remoting.UserRequest.perform(UserRequest.java:50)
at hudson.remoting.Request$2.run(Request.java:336)
at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:68)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

[WARNING] Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.

[INFO] If you are behind a proxy you may need to configure dependency-check to use the proxy.

[WARNING] Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.



-Kaj :)

[Jeremy Long]

I actually just ran into this problem myself today. I still have to figure out what exactly is going on with Maven - but a work around would be to modify the command line you use to call dependency-check:

mvn -X -Dproxy.server=YOUR_PROXY_HOST -Dproxy.port=8080  clean dependency-check:check

Most of the configuration parameters you can pass in via the command line like that because of the way the Settings object works.

--Jeremy

-Kaj :)



--
You received this message because you are subscribed to the Google Groups "Dependency Check" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dependency-check+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Kaj Hejer]

> On 16 Feb 2017, at 11:57, Jeremy Long <jerem...@gmail.com> wrote:
>
> I actually just ran into this problem myself today. I still have to figure out what exactly is going on with Maven - but a work around would be to modify the command line you use to call dependency-check:
>
> mvn -X -Dproxy.server=YOUR_PROXY_HOST -Dproxy.port=8080 clean dependency-check:check
>
>

Thanks!

That worked just fine!

Nice to hear I'm not the only one.


-Kaj :)

[Kaj Hejer]

Hi again :)

Any news about this issue?

Do you know if it will be fixed in 1.4.6?

btw: The news about pipeline support is great news!


-Kaj :)

> On 16 Feb 2017, at 11:57, Jeremy Long <jerem...@gmail.com> wrote:
>

> To unsubscribe from this group and stop receiving emails from it, send an email to dependency-che...@googlegroups.com.

[Jeremy Long]

I have created ticket https://github.com/jeremylong/DependencyCheck/issues/732 to track this issue.  This might be the expected behavior of Maven - but I will do some testing.

--Jeremy