Error related to Dependency Check


Kalyan K

Dec 17, 2015, 2:48:48 PM
to Dependency Check
Hello Team,

I'm currently using Jenkins v 1.638 and recently upgraded OWASP plugin to 1.3.3 from 1.3.0. I started noticing the below error since 12/16 and am not sure if something's changed.

SEVERE: Unable to retrieve database properties: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Database schema does not match this version of dependency-check

Prior to plugin update, I was getting this error message "Unable to connect to the dependency-check database; job has stopped"

Please suggest.

Thanks,
Kalyan

Jeremy Long

Dec 25, 2015, 7:12:24 AM
to Dependency Check
Kalyan,

Any chance you could give us more information about your configuration? Have you changed the database connection string or are you using a fairly generic installation?

--Jeremy

Steve Springett

Dec 29, 2015, 2:14:51 AM
to Dependency Check
Kalyan,

If you have not specified a data directory for the job, then the dependency-check data directory will reside in your project's workspace. You may want to wipe out your workspace so the data directory can be recreated.

If you've specified a data directory, then you may want to delete the contents and ensure that only a single version of dependency-check is writing to the directory.

--Steve

Kalyan K

Mar 28, 2016, 8:49:23 AM
to Dependency Check
Hello Steve,

I did not provide any data directory to ensure that entire workspace is scanned and wiped out the project workspace prior to the build. However, when I trigger a new build, I could see that only 1 dependency is being scanned. Not sure if there's a configuration mismatch. Please find below the snippet of console output:

08:38:30 [DependencyCheck]  -updateOnly = false
08:38:31 [DependencyCheck] Scanning: /home/jenkins/workspace/test_owasp
08:38:31 [DependencyCheck] Analyzing Dependencies
08:40:42 [DependencyCheck] Collecting Dependency-Check analysis files...
08:40:42 [DependencyCheck] Finding all files that match the pattern dependency-check-report.xml
08:40:42 [DependencyCheck] Parsing 1 file in /home/jenkins/workspace/test_owasp
08:40:42 [DependencyCheck] Successfully parsed file /home/jenkins/workspace/test_owasp/dependency-check-report.xml with 0 unique warnings and 0 duplicates.
08:40:42 [DependencyCheck] Computing warning deltas based on reference build #8
08:40:42 [PostBuildScript] - Execution post build scripts.

In the dependency check report, I could only see "gradle-wrapper" being scanned as shown below:

  • Report Generated On: Mar 25, 2016 at 22:37:04 EDT
  • Dependencies Scanned: 1
  • Vulnerable Dependencies: 0
Display: Showing Vulnerable Dependencies (click to show all)

Dependency | CPE | GAV | Highest Severity | CVE Count | CPE Confidence | Evidence Count
gradle-wrapper.jar | | | | 0 | | 5

Dependencies

gradle-wrapper.jar

File Path: /home/jenkins/workspace/test_owasp/gradle/wrapper/gradle-wrapper.jar

Evidence

Source | Name | Value
file | name | gradle-wrapper
jar | package name | cli
jar | package name | gradle
Manifest | Implementation-Title | Gradle
Manifest | Implementation-Version | 2.4

Identifiers

  • None
Please suggest.

Thanks,
Kalyan

Steve Springett

Mar 28, 2016, 10:22:33 AM
to Dependency Check
Ok, so if I understand correctly, you do not have a centralized data directory, rather, you utilize a data directory per workspace. If that’s the case re-enable auto update, and run a job. How big is the data directory?

Also, go to Manage Jenkins -> System Log and create a new logger named 'Dependency-Check'. For the logger, enter ‘org.owasp’ and set the level to ALL. Inspect and forward the logs to help us track down the issue.

—Steve

Kalyan K

Mar 28, 2016, 11:05:03 AM
to Steve Springett, Dependency Check
Thanks Steve. I re-enabled auto-update and triggered the job. I could see that dependency-check data dir is 252 MB as attached. Also attached the dependency check log I obtained by filtering Jenkins System log.

Capture.JPG

OWASP_Jenkins_log.txt

Bernd Eckenfels

Mar 28, 2016, 1:51:41 PM
to Kalyan K, Steve Springett, Dependency Check
Hello,

I am not familiar with Gradle and the DC integration into it, but to me
it sounds like you scan a clean workspace (where only the Gradle
bootstrap is contained). So maybe it helps to run the check after a
build and with no clean (or there is a Gradle integration you did not
use).

Regards
Bernd


Kalyan K

Mar 28, 2016, 2:11:14 PM
to Bernd Eckenfels, Steve Springett, Dependency Check
Hello Bernd,

We used to have OWASP dependency as a part of Jenkins build step apart from gradle build step. However, we segregated OWASP validation from the pipeline. However, it does exist as a standalone job, and doesn't perform any gradle tasks apart from cloning the repo and scanning the code base.

Thanks,
Kalyan
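
Added example, not part of the thread or of the dependency-check project: a post-scan gate that fails a job when the report covers nothing but build-tool bootstrap files, the situation discussed above where a clone-only job reports "0 unique warnings" after scanning a single gradle-wrapper.jar. The sample report is constructed, the analysis/dependencies/dependency/fileName layout is an assumption about the XML report, and the function names and the `min_dependencies` threshold are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample report (not taken from the thread's attachments).
# The element layout is an assumption about the XML report; the namespace
# is ignored so the check does not depend on the report schema version.
SAMPLE_REPORT = """<?xml version="1.0"?>
<analysis xmlns="urn:example:dependency-check">
  <dependencies>
    <dependency>
      <fileName>gradle-wrapper.jar</fileName>
      <filePath>/home/jenkins/workspace/test_owasp/gradle/wrapper/gradle-wrapper.jar</filePath>
    </dependency>
  </dependencies>
</analysis>"""

# Files present in a fresh clone that say nothing about the application.
BOOTSTRAP_FILES = {"gradle-wrapper.jar", "maven-wrapper.jar"}


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def scanned_files(report_xml):
    """Return the fileName of every dependency listed in the report."""
    names = []
    for dep in ET.fromstring(report_xml).iter():
        if local(dep.tag) != "dependency":
            continue
        for child in dep:
            if local(child.tag) == "fileName" and child.text:
                names.append(child.text.strip())
    return names


def coverage_problem(report_xml, min_dependencies=2):
    """Return a reason string if the scan looks empty, else None."""
    names = scanned_files(report_xml)
    real = [n for n in names if n not in BOOTSTRAP_FILES]
    if not real:
        return "only build-tool bootstrap files scanned: %s" % (names or "none")
    if len(real) < min_dependencies:
        return "only %d application dependencies scanned" % len(real)
    return None


if __name__ == "__main__":
    problem = coverage_problem(SAMPLE_REPORT)
    raise SystemExit("FAIL: " + problem if problem else 0)
```

Run against the real dependency-check-report.xml in a post-build step, a non-zero exit marks the build as failed instead of letting an empty scan pass as a clean one.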