Jenkins plugin - NVD update failure


bealines...@gmail.com

Oct 4, 2016, 4:56:40 AM
to Dependency Check
Hi, we are trying to use the Jenkins plugin but it fails both as a separate update job and within the build jobs. Below is the output from the update job. And below that, part of the system log.

Thought it might be similar to issues-523 but not quite.
We do not have a proxy, and if I use the Gradle dependency check plugin within the build (and not the Jenkins one) it does work. But that is not desirable, as it takes a long time and can't share the data across build jobs.

Jenkins - 2.14
Java - SE 8u92
OWASP Dependency-Check Plugin v1.4.3

Thanks in advance

Building in workspace /var/lib/jenkins/workspace/OWASP NVD Update
[DependencyCheck] OWASP Dependency-Check Plugin v1.4.3
[DependencyCheck] Executing Dependency-Check with the following options:
[DependencyCheck]  -name = OWASP NVD Update
[DependencyCheck]  -outputDirectory = /var/lib/jenkins/workspace/OWASP NVD Update
[DependencyCheck]  -dataDirectory = /var/lib/jenkins/workspace/OWASP NVD Update/userContent/owasp/nvd
[DependencyCheck]  -verboseLogFile = /var/lib/jenkins/workspace/OWASP NVD Update/dependency-check.log
[DependencyCheck]  -dataMirroringType = none
[DependencyCheck]  -isQuickQueryTimestampEnabled = true
[DependencyCheck]  -useMavenArtifactsScanPath = false
[DependencyCheck]  -jarAnalyzerEnabled = false
[DependencyCheck]  -nodeJsAnalyzerEnabled = false
[DependencyCheck]  -composerLockAnalyzerEnabled = false
[DependencyCheck]  -pythonAnalyzerEnabled = false
[DependencyCheck]  -rubyGemAnalyzerEnabled = false
[DependencyCheck]  -cocoaPodsAnalyzerEnabled = false
[DependencyCheck]  -swiftPackageManagerAnalyzerEnabled = false
[DependencyCheck]  -archiveAnalyzerEnabled = false
[DependencyCheck]  -assemblyAnalyzerEnabled = false
[DependencyCheck]  -centralAnalyzerEnabled = false
[DependencyCheck]  -nuspecAnalyzerEnabled = false
[DependencyCheck]  -nexusAnalyzerEnabled = false
[DependencyCheck]  -autoconfAnalyzerEnabled = false
[DependencyCheck]  -cmakeAnalyzerEnabled = false
[DependencyCheck]  -opensslAnalyzerEnabled = false
[DependencyCheck]  -showEvidence = true
[DependencyCheck]  -format = XML
[DependencyCheck]  -autoUpdate = true
[DependencyCheck]  -updateOnly = true
[DependencyCheck] Performing NVD update only
[DependencyCheck] Unable to update the Dependency-Check database
Build step 'Invoke OWASP Dependency-Check NVD update only' marked build as failure
Finished: FAILURE


........
Checking for updates
Oct 04, 2016 8:40:54 AM FINE org.owasp.dependencycheck.data.nvdcve.CveDB 
Database dialect: H2
Oct 04, 2016 8:40:55 AM FINE org.owasp.dependencycheck.data.nvdcve.CveDB 
Database dialect: H2
Oct 04, 2016 8:40:55 AM FINE org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve add
Checking for updates from: https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
Oct 04, 2016 8:40:56 AM SEVERE org.owasp.dependencycheck.utils.Downloader getLastModified
IO Exception: Connection reset
Oct 04, 2016 8:40:56 AM FINE org.owasp.dependencycheck.utils.Downloader getLastModified
Exception details
java.net.SocketException: Connection reset
        at java.net.SocketInputStream.read(SocketInputStream.java:209)
        at java.net.SocketInputStream.read(SocketInputStream.java:141)
        at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
        at sun.security.ssl.InputRecord.read(InputRecord.java:503)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
        at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:254)
        at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:221)
        at org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve.add(UpdateableNvdCve.java:101)
        at org.owasp.dependencycheck.data.update.NvdCveUpdater.retrieveCurrentTimestampsFromWeb(NvdCveUpdater.java:330)
        at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:259)
        at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:79)
        at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:492)
        at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.executeDependencyCheck(DependencyCheckExecutor.java:135)
        at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.performBuild(DependencyCheckExecutor.java:98)
        at org.jenkinsci.plugins.DependencyCheck.AbstractDependencyCheckBuilder$1.call(AbstractDependencyCheckBuilder.java:90)
        at org.jenkinsci.plugins.DependencyCheck.AbstractDependencyCheckBuilder$1.call(AbstractDependencyCheckBuilder.java:87)
        at hudson.remoting.LocalChannel.call(LocalChannel.java:45)
        at org.jenkinsci.plugins.DependencyCheck.AbstractDependencyCheckBuilder.perform(AbstractDependencyCheckBuilder.java:87)
        at org.jenkinsci.plugins.DependencyCheck.DependencyCheckUpdateOnlyBuilder.perform(DependencyCheckUpdateOnlyBuilder.java:84)
        at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
        at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:779)
        at hudson.model.Build$BuildExecution.build(Build.java:205)
        at hudson.model.Build$BuildExecution.doRun(Build.java:162)
        at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:534)
        at hudson.model.Run.execute(Run.java:1720)
        at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
        at hudson.model.ResourceController.execute(ResourceController.java:98)
        at hudson.model.Executor.run(Executor.java:404)




Steve Springett

Oct 4, 2016, 7:11:51 PM
to Dependency Check
The Dependency-Check Jenkins plugin will use the proxy settings defined in the global Jenkins configuration. You state that you do not have a proxy, so you should ensure that the proxy settings are blank.

You mentioned the Gradle plugin works as well as the version of Java. Is Jenkins itself (its app server) using 8u92 or is that just the Gradle build? OpenJDK or Oracle JDK?

Try disabling “Quick Query”. Usually having this enabled provides a bit of a performance boost, but some firewalls don’t like it.



— Steve

bealines...@gmail.com

Oct 5, 2016, 3:45:09 AM
to Dependency Check
Thanks for responding.

Jenkins JDK is: OpenJDK 1.8.0_91-b14
Build JDK is: Oracle 8u92

Only setting in the proxy settings is a port of zero. Which can't be blanked out - NumberFormatException
Have tried the 'Quick Query' option, but makes no difference.
Cheers

Steve Springett

Oct 8, 2016, 10:55:47 PM
to Dependency Check

Users that experience this issue have reported that using Oracle JDK instead of OpenJDK makes the problem go away.

— Steve
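
One way to compare the two JDKs discussed in this thread outside Jenkins, as an added example that is not part of the thread or the plugin's code: it repeats the connection that fails in the stack trace (`HttpsURLConnection.connect()` to the feed URL from the log) and prints the JVM vendor, proxy properties and default TLS settings. The class name `NvdHandshakeCheck` is hypothetical, and the HEAD/GET pair assumes that "Quick Query" corresponds to a HEAD request instead of a GET.

```java
import java.io.IOException;
import java.net.URL;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added diagnostic (not plugin code): repeats the timestamp check under the JVM that runs it.
public class NvdHandshakeCheck {
    // Feed URL copied from the log in the first post; pass another https URL as args[0].
    static final String FEED = "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz";

    public static void main(String[] args) throws Exception {
        String target = args.length > 0 ? args[0] : FEED;
        System.out.println("JVM: " + System.getProperty("java.vendor") + " "
                + System.getProperty("java.version") + " at " + System.getProperty("java.home"));
        // Proxy system properties visible to this JVM; null means the property is not set.
        for (String key : new String[] {"https.proxyHost", "https.proxyPort"}) {
            System.out.println(key + " = " + System.getProperty(key));
        }
        // Protocols and cipher suites this JVM enables by default for TLS clients.
        SSLParameters defaults = SSLContext.getDefault().getDefaultSSLParameters();
        System.out.println("Protocols: " + Arrays.toString(defaults.getProtocols()));
        System.out.println("Cipher suites: " + Arrays.toString(defaults.getCipherSuites()));
        // Assumption: Quick Query enabled means HEAD, disabled means GET.
        for (String method : new String[] {"HEAD", "GET"}) {
            System.out.println(method + ": " + probe(target, method));
        }
    }

    static String probe(String target, String method) {
        HttpsURLConnection conn = null;
        try {
            conn = (HttpsURLConnection) new URL(target).openConnection();
            conn.setRequestMethod(method);
            conn.setConnectTimeout(15000);
            conn.setReadTimeout(15000);
            conn.connect(); // TCP connect plus TLS handshake: the call that failed in the log
            String suite = conn.getCipherSuite();
            return "handshake ok (" + suite + "), HTTP " + conn.getResponseCode()
                    + ", Last-Modified=" + conn.getLastModified();
        } catch (IOException e) {
            return "failed: " + e; // e.g. java.net.SocketException: Connection reset
        } finally {
            if (conn != null) conn.disconnect();
        }
    }
}
```

Compile and run it once with the JDK that runs Jenkins and once with the build JDK, on the Jenkins host. If both methods fail inside `connect()` on one JDK only, the difference lies in that JVM's TLS defaults rather than in the proxy or Quick Query settings.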