Unable to run Dependency Check CLI due to org.xml.sax.SAXParseException; in version 2.1.1


sarma....@gmail.com

Aug 25, 2017, 10:35:48 AM
to Dependency Check
Hi, 
I am trying to run Dependency Check by mirroring the NVD database and using a Python PWS to connect to it. The main reason for doing so is to avoid getting into any proxy/firewall related issues. 

However, I get the following exception which results in the check being aborted.
WARN  - Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
2017-08-25 15:19:25,972 org.owasp.dependencycheck.Engine:678
DEBUG - Update Error
org.owasp.dependencycheck.data.update.exception.UpdateException: org.xml.sax.SAXParseException; systemId: file:/var/folders/gh/t16d_7tx0xx8cvfc0znmvp_9y384sn/T/dctempc61e02e2-b996-4f4f-b1ff-6138eb9ed6fa/cve_1_2_Modified_3131647077520596217.xml; lineNumber: 1; columnNumber: 10; DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:170)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:118)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:45)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.xml.sax.SAXParseException: DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.
at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:203)
at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(ErrorHandlerWrapper.java:177)
at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:400)
at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:327)
at com.sun.org.apache.xerces.internal.impl.XMLScanner.reportFatalError(XMLScanner.java:1472)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$PrologDriver.next(XMLDocumentScannerImpl.java:914)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:602)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:505)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:841)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:770)
at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl.parse(SAXParserImpl.java:327)
at javax.xml.parsers.SAXParser.parse(SAXParser.java:328)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.importXML(ProcessTask.java:147)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:166)
... 6 common frames omitted
2017-08-25 15:19:25,973 org.owasp.dependencycheck.Engine:911
ERROR - No documents exist

The CLI params are as follows:
./dependency-check/bin/dependency-check.sh  --cveUrl12Base http://127.0.0.1:8000 --cveUrl12Modified http://127.0.0.1:8000  --cveUrl20Base http://127.0.0.1:8000 --cveUrl20Modified http://127.0.0.1:8000 --out ./DCResults/ --scan ./<PathToScan>/**/* ./ --log ./logs --project "<Project Name>"

I understand this build is supposed to fix the SAXParseException, but it doesn't seem to in my case. Is this a known issue, when will a fix be available, and is there a workaround?




Aik Goigle

Aug 25, 2017, 11:16:48 AM
to sarma....@gmail.com, Dependency Check
In your command-line all URLs are identical. They should be configured to specific patterns for retrieving the specific elements of the NVD data.


The 'modified' ones need a full static URL to the 1.2/2.0 Modified dataset, and the 'base' ones need a pattern of the full URL with a placeholder for the year for the yearly datasets.

My guess would be that the error is due to an HTML HTTP 404 document (Not Found) from your Python PWS due to invalid custom URLs.

Regards,
Hans Aikema
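
Added example (not part of the thread and not Dependency-Check code): a pre-flight check for mirrored feed bodies that applies the same DOCTYPE-rejecting policy as the Java parser feature in the stack trace, so an HTML page served in place of a feed is reported as such. The function names and both sample bodies are constructed for illustration, and Python's expat handler stands in for the Java feature.

```python
import gzip
import xml.parsers.expat


class DoctypeDisallowed(Exception):
    """The document carries a DOCTYPE, which the hardened parser refuses."""


def parse_feed(body: bytes) -> str:
    """Parse with DOCTYPE rejected; return the root element name."""
    if body[:2] == b"\x1f\x8b":  # gzip magic number: decompress first
        body = gzip.decompress(body)
    roots = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Same policy as disallow-doctype-decl: stop before any DTD is processed.
        raise DoctypeDisallowed(name)

    def on_start(name, attrs):
        if not roots:
            roots.append(name)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(body, True)
    return roots[0]


def diagnose(body: bytes) -> str:
    """Classify a mirror response: 'feed:<root>', 'doctype' or 'malformed'."""
    try:
        return "feed:" + parse_feed(body)
    except DoctypeDisallowed:
        return "doctype"  # typically an HTML page served instead of the feed
    except (xml.parsers.expat.ExpatError, OSError):
        return "malformed"


# Constructed samples: not real NVD data and not captured server output.
HTML_ERROR_PAGE = (b'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" '
                   b'"http://www.w3.org/TR/html4/strict.dtd">'
                   b"<html><body><h1>Error response</h1></body></html>")
SAMPLE_FEED = b'<?xml version="1.0"?><nvd><entry name="CVE-EXAMPLE"/></nvd>'
GZIP_FEED = gzip.compress(SAMPLE_FEED)

if __name__ == "__main__":
    for label, body in [("html", HTML_ERROR_PAGE), ("xml", SAMPLE_FEED),
                        ("gzip", GZIP_FEED), ("junk", b"not xml")]:
        print(label, "->", diagnose(body))
```

Running diagnose() on the body each configured URL returns, before starting a scan, separates a wrong URL (result 'doctype') from a damaged download (result 'malformed').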