dependency-check: configuration of proxy and port in Jenkins plugin


peterfrom...@gmail.com

May 19, 2015, 2:08:57 AM
to dependen...@googlegroups.com
Hello,

I am trying to get the Jenkins plugin running but end up with the following error:

WARNING: Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.
May 19, 2015 7:51:28 AM org.owasp.dependencycheck.data.update.NvdCveUpdater update
INFO: If you are behind a proxy you may need to configure dependency-check to use the proxy.
May 19, 2015 7:51:28 AM org.owasp.dependencycheck.data.update.NvdCveUpdater update
FINE: null
org.owasp.dependencycheck.utils.DownloadFailedException: Error making HTTP HEAD request.
	at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:230)
	at org.owasp.dependencycheck.data.update.UpdateableNvdCve.add(UpdateableNvdCve.java:96)
	at org.owasp.dependencycheck.data.update.StandardUpdate.retrieveCurrentTimestampsFromWeb(StandardUpdate.java:273)
	at org.owasp.dependencycheck.data.update.StandardUpdate.updatesNeeded(StandardUpdate.java:204)
	at org.owasp.dependencycheck.data.update.StandardUpdate.<init>(StandardUpdate.java:91)
	at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:48)
	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:478)
	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:347)
	at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.executeDependencyCheck(DependencyCheckExecutor.java:165)
	at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.performBuild(DependencyCheckExecutor.java:103)
	at org.jenkinsci.plugins.DependencyCheck.AbstractDependencyCheckBuilder$1.call(AbstractDependencyCheckBuilder.java:89)
	at org.jenkinsci.plugins.DependencyCheck.AbstractDependencyCheckBuilder$1.call(AbstractDependencyCheckBuilder.java:86)
	at hudson.remoting.LocalChannel.call(LocalChannel.java:45)
	at org.jenkinsci.plugins.DependencyCheck.AbstractDependencyCheckBuilder.perform(AbstractDependencyCheckBuilder.java:86)
	at org.jenkinsci.plugins.DependencyCheck.DependencyCheckBuilder.perform(DependencyCheckBuilder.java:203)
	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:770)
	at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.build(MavenModuleSetBuild.java:906)
	at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.doRun(MavenModuleSetBuild.java:857)
	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:533)
	at hudson.model.Run.execute(Run.java:1745)
	at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:529)
	at hudson.model.ResourceController.execute(ResourceController.java:89)
	at hudson.model.Executor.run(Executor.java:240)
Caused by: java.net.UnknownHostException: static.nvd.nist.gov
	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:178)
	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
	at java.net.Socket.connect(Socket.java:579)
	at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
	at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
	at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
	at sun.net.www.http.HttpClient.<init>(HttpClient.java:211)
	at sun.net.www.http.HttpClient.New(HttpClient.java:308)
	at sun.net.www.http.HttpClient.New(HttpClient.java:326)
	at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:996)
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:932)
	at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:850)

We are behind a proxy but in contrast to the commandline and maven plugin I don't find the possibility to configure the proxy and the port for the Jenkins plugin.

Any help is welcome.

Peter

Peter Brodt

May 19, 2015, 6:36:48 AM
to dependen...@googlegroups.com
Ok, just discovered that you have to configure your proxy settings in the startup script for tomcat.

CATALINA_OPTS="$CATALINA_OPTS -Dhttp.proxyHost=<myProxy> -Dhttp.proxyPort=<myPort> -Dhttp.nonProxyHosts=<myNonProxyHost>|localhost|127.*"

Still isn't working though, I suppose that again some downloads are blocked by our firewall.

Documentation really, really would be helpful, rather than performing endless trial and error.

Steve Springett

May 19, 2015, 11:07:26 AM
to dependen...@googlegroups.com
Peter,

The Dependency-Check Jenkins plugin uses the proxy configuration from Jenkins global config. Once defined in the global config, the master and all slave nodes will use the same proxy configuration.

—Steve

Peter Brodt

May 20, 2015, 11:19:47 AM
to dependen...@googlegroups.com
Hi Steve,

that's what we did:
  <globalNodeProperties>
    <hudson.slaves.EnvironmentVariablesNodeProperty>
      <envVars serialization="custom">
        <unserializable-parents/>
        <tree-map>
          <default>
            <comparator class="hudson.util.CaseInsensitiveComparator"/>
          </default>
          <int>6</int>
          <string>http.nonProxyHosts</string>
          <string>myNonProxyHost</string>
          <string>http.proxyHost</string>
          <string>myProxy</string>
          <string>http.proxyPort</string>
          <string>myProxyPort</string>
          <string>JAVA_HOME</string>
          <string>myJavaHome</string>
          <string>javax.net.ssl.keyStore</string>
          <string>myJavaKeystore</string>
          <string>javax.net.ssl.keyStorePassword</string>
          <string>myJavaKeystorePasswort</string>
        </tree-map>
      </envVars>
    </hudson.slaves.EnvironmentVariablesNodeProperty>
  </globalNodeProperties>

Still the job fails because the plugin is unable to download from

Fein: Download is being redirected from http://nvd.nist.gov/download/nvdcve-2004.xml to https://nvd.nist.gov/download/nvdcve-2004.xml
Mai 20, 2015 3:32:22 PM org.owasp.dependencycheck.data.update.task.DownloadTask call
Warnung: Download Failed for NVD CVE - 2004 Some CVEs may not be reported.
Mai 20, 2015 3:32:22 PM org.owasp.dependencycheck.data.update.task.DownloadTask call
Information: If you are behind a proxy you may need to configure dependency-check to use the proxy.
Mai 20, 2015 3:32:22 PM org.owasp.dependencycheck.data.update.task.DownloadTask call
Fein: null
org.owasp.dependencycheck.utils.DownloadFailedException: Error downloading file http://nvd.nist.gov/download/nvdcve-2004.xml; unable to connect.

The download from http://static.nvd.nist.gov has no problems.


Fein: Download of http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2004.xml complete

Pete

Steve Springett

May 20, 2015, 11:37:06 AM
to dependen...@googlegroups.com
Peter,

Can you try the Dependency-Check command line version and see if it experiences the same issue?

Does your proxy server require authentication? Or does it only require the hostname and port to be specified?

Also, make sure the node (master or slave) that is running the dependency-check job is not being blocked by the proxy or firewall from accessing the Internet.

—Steve


Peter Brodt

May 20, 2015, 1:11:18 PM
to dependen...@googlegroups.com
Commandline works fine.
Maven plugin only works when I export the certificate from nvd.nist.gov, import the certificate into the local keystore and use the keystore during maven build.
Just added the https.proxyHost and https.proxyPort to the Jenkins global settings. Didn't help though. The proxy doesn't need authentication. Our Jenkins is generally not being blocked accessing the internet. We use the repo1.maven.org repository and the URLs nvd.nist.gov and static.nvd.nist.gov are whitelisted as well. Otherwise the commandline wouldn't work.

Peter

Steve Springett

May 21, 2015, 2:45:36 PM
to dependen...@googlegroups.com
Peter,

The Jenkins documentation states that the system property http.proxyHost will be set, not https.proxyHost.

Also, in Jenkins, this is configured in proxy.xml or by http://localhost:8080/jenkins/pluginManager/advanced

You may want to enable debug logging in the job’s configuration and send it. It may help us diagnose what’s going on.

—Steve
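
Added example, not part of the original thread or of the dependency-check or Jenkins code: a small Java diagnostic (the class name `ProxyCheck` is hypothetical) that prints which proxy the JVM's default `ProxySelector` would use for the three NVD URLs quoted in the logs above, and whether each proxy key exists as a JVM system property or only as an environment variable. The default selector picks the proxy per URL scheme: `http.proxyHost` applies to `http://` URLs and `https.proxyHost` to `https://` URLs.

```java
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.URI;
import java.util.List;

// Added diagnostic, not part of dependency-check or Jenkins.
// Run it with the same -D options as the JVM under test, e.g.
//   java -Dhttp.proxyHost=<myProxy> -Dhttp.proxyPort=<myPort> ProxyCheck
public class ProxyCheck {
    // URLs taken from the log lines quoted in this thread.
    static final String[] URLS = {
        "http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2004.xml",
        "http://nvd.nist.gov/download/nvdcve-2004.xml",
        "https://nvd.nist.gov/download/nvdcve-2004.xml"
    };

    // Standard JVM networking property names.
    static final String[] KEYS = {
        "http.proxyHost", "http.proxyPort",
        "https.proxyHost", "https.proxyPort",
        "http.nonProxyHosts"
    };

    // Describe the proxies the JVM's default selector would try for a URL.
    static String route(String url) {
        List<Proxy> proxies = ProxySelector.getDefault().select(URI.create(url));
        StringBuilder sb = new StringBuilder();
        for (Proxy p : proxies) {
            if (sb.length() > 0) sb.append(", ");
            sb.append(p.type() == Proxy.Type.DIRECT
                    ? "DIRECT (no proxy)"
                    : p.type() + " " + p.address());
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // A key that shows up only under env= is an environment variable;
        // the JVM's HTTP client does not read those as proxy settings.
        for (String key : KEYS) {
            System.out.printf("%-20s property=%s  env=%s%n",
                    key, System.getProperty(key), System.getenv(key));
        }
        for (String url : URLS) {
            System.out.printf("%s%n    -> %s%n", url, route(url));
        }
    }
}
```

A URL reported as `DIRECT (no proxy)` will be fetched without the proxy, which is what to look for when an `http://` download succeeds and the `https://` target of a redirect does not.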



Jeremy Long

May 24, 2015, 7:20:09 AM
to Steve Springett, dependen...@googlegroups.com
One other thing I remember seeing early was a snippet from the log that was posted that contained a comment about redirecting from HTTP to HTTPS on these downloads; which version of dependency-check are you using?

--Jeremy

Peter Brodt

May 26, 2015, 2:45:22 AM
to dependen...@googlegroups.com, st...@springett.us
Hi Jeremy and Steve,
we are running version 1.2.10. Steve's indication that the proxy has to be defined in the plugin-manager section did the trick. Now the plugin is able to download from nvd.nist.gov and analyzes all artifacts. Thanks for your help.

Peter