OWASP dependency-check 3.3.0 released!
805 views
Skip to first unread message
Jeremy Long
Jul 24, 2018, 6:58:13 AM7/24/18
to Dependency Check
The OWASP dependency-check team is pleased to announce the release of version 3.3.0! Visit the documentation site for information on obtaining the new version (CLI, Maven Plugin, Ant Task, Gradle Plugin, Jenkins Plugin, and SBT Plugin).
The OWASP dependency-check team
Ronald Gundlach-Chmara
Jul 31, 2018, 4:00:55 PM7/31/18
to Dependency Check
Tried 3.3.0 Jenkins plugin, it no longed successfully fetches data (slave machines are behind a corporate proxy, docker/mesos images, using a custom OWASP cache location), Jenkins LTS version 2.121.2.
Looks to be some kind of problem with download/linking cross device (in the below, /tmp/ and /scratch/build/workspace/project_owasp_cache are two separate docker areas). It might work fine if /tmp and a custom cache directory (or default cache location) are on the same disk, but "less fine" downloading/moving files? (It looks like a pretty common "rename instead of move" bug.)
Reverted to 3.2.1, and that version works fine (aside from missing all the awesome new checks).
Looks to be some kind of problem with download/linking cross device (in the below, /tmp/ and /scratch/build/workspace/project_owasp_cache are two separate docker areas). It might work fine if /tmp and a custom cache directory (or default cache location) are on the same disk, but "less fine" downloading/moving files? (It looks like a pretty common "rename instead of move" bug.)
Reverted to 3.2.1, and that version works fine (aside from missing all the awesome new checks).
Stacktrace:
[DependencyCheck] OWASP Dependency-Check Plugin v3.3.0 [DependencyCheck] Executing Dependency-Check with the following options: [DependencyCheck] -name = INF-27247 [DependencyCheck] -scanPath = /scratch/build/workspace/-coordination-svc_PROJ-27247-MUWKDZQB6GKEOQ3VY6T2F75HOR32544WKC474AH256PS7Z6Z23ZA/targets/classes [DependencyCheck] -outputDirectory = /scratch/build/workspace/-coordination-svc_PROJ-27247-MUWKDZQB6GKEOQ3VY6T2F75HOR32544WKC474AH256PS7Z6Z23ZA [DependencyCheck] -dataDirectory = /scratch/build/workspace/project_owasp_cache [DependencyCheck] -dataMirroringType = none [DependencyCheck] -proxyServer = www-proxy.us.company.com [DependencyCheck] -proxyPort = 80 [DependencyCheck] -isQuickQueryTimestampEnabled = true [DependencyCheck] -jarAnalyzerEnabled = true [DependencyCheck] -nodePackageAnalyzerEnabled = true [DependencyCheck] -nspAnalyzerEnabled = true [DependencyCheck] -retireJsAnalyzerEnabled = true [DependencyCheck] -composerLockAnalyzerEnabled = true [DependencyCheck] -pythonDistributionAnalyzerEnabled = true [DependencyCheck] -pythonPackageAnalyzerEnabled = true [DependencyCheck] -rubyBundlerAuditAnalyzerEnabled = true [DependencyCheck] -rubyGemAnalyzerEnabled = true [DependencyCheck] -cocoaPodsAnalyzerEnabled = true [DependencyCheck] -swiftPackageManagerAnalyzerEnabled = true [DependencyCheck] -archiveAnalyzerEnabled = true [DependencyCheck] -assemblyAnalyzerEnabled = true [DependencyCheck] -msBuildProjectAnalyzerEnabled = true [DependencyCheck] -centralAnalyzerEnabled = true [DependencyCheck] -nuspecAnalyzerEnabled = true [DependencyCheck] -nexusAnalyzerEnabled = false [DependencyCheck] -artifactoryAnalyzerEnabled = false [DependencyCheck] -autoconfAnalyzerEnabled = true [DependencyCheck] -cmakeAnalyzerEnabled = true [DependencyCheck] -opensslAnalyzerEnabled = true [DependencyCheck] -showEvidence = true [DependencyCheck] -formats = XML [DependencyCheck] -autoUpdate = true [DependencyCheck] -updateOnly = false [DependencyCheck] Analyzing Dependencies [DependencyCheck] One or more exceptions were thrown while executing Dependency-Check [DependencyCheck] Exception Caught: org.owasp.dependencycheck.data.update.exception.UpdateException [DependencyCheck] Cause: /tmp/dctemp4176f3cf-0ccf-4f18-8bc7-757885847676/jsrepository.json -> /scratch/build/workspace/project_owasp_cache/jsrepository.json: Invalid cross-device link [DependencyCheck] Message: Failed to initialize the RetireJS repo [DependencyCheck] org.owasp.dependencycheck.data.update.exception.UpdateException: Failed to initialize the RetireJS repo [DependencyCheck] at org.owasp.dependencycheck.data.update.RetireJSDataSource.initializeRetireJsRepo(RetireJSDataSource.java:167) [DependencyCheck] at org.owasp.dependencycheck.data.update.RetireJSDataSource.update(RetireJSDataSource.java:99) [DependencyCheck] at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:899) [DependencyCheck] at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:716) [DependencyCheck] at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:642) [DependencyCheck] at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.executeDependencyCheck(DependencyCheckExecutor.java:172) [DependencyCheck] at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.call(DependencyCheckExecutor.java:103) [DependencyCheck] at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.call(DependencyCheckExecutor.java:46) [DependencyCheck] at hudson.remoting.UserRequest.perform(UserRequest.java:212) [DependencyCheck] at hudson.remoting.UserRequest.perform(UserRequest.java:54) [DependencyCheck] at hudson.remoting.Request$2.run(Request.java:369) [DependencyCheck] at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72) [DependencyCheck] at java.util.concurrent.FutureTask.run(FutureTask.java:266) [DependencyCheck] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [DependencyCheck] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [DependencyCheck] at hudson.remoting.Engine$1.lambda$newThread$0(Engine.java:93) [DependencyCheck] at java.lang.Thread.run(Thread.java:748) [DependencyCheck] Caused by: java.nio.file.AtomicMoveNotSupportedException: /tmp/dctemp4176f3cf-0ccf-4f18-8bc7-757885847676/jsrepository.json -> /scratch/build/workspace/project_owasp_cache/jsrepository.json: Invalid cross-device link [DependencyCheck] at sun.nio.fs.UnixCopyFile.move(UnixCopyFile.java:394) [DependencyCheck] at sun.nio.fs.UnixFileSystemProvider.move(UnixFileSystemProvider.java:262) [DependencyCheck] at java.nio.file.Files.move(Files.java:1395) [DependencyCheck] at org.owasp.dependencycheck.data.update.RetireJSDataSource.initializeRetireJsRepo(RetireJSDataSource.java:164) [DependencyCheck]
...and disk setup (to explain how /tmp and /scratch/build are different, so the file would have to be copied/moved, not renamed):+ df -k Filesystem 1K-blocks Used Available Use% Mounted on /dev/mapper/docker-lv_build_workspace 1975685120 348625380 1624717196 18% / tmpfs 92512508 0 92512508 0% /dev tmpfs 92512508 0 92512508 0% /sys/fs/cgroup /dev/mapper/docker-lv_build_workspace 1975685120 348625380 1624717196 18% /tools /dev/mapper/vg_build_workspace-lv_build_workspace 2620966424 1307126988 1180678888 53% /scratch/build shm 65536 0 65536 0% /dev/shm /dev/xvda2 51480372 26045252 22814564 54% /run/docker.sock tmpfs 92512508 0 92512508 0% /sys/firmware
Jeremy Long
Aug 7, 2018, 9:20:18 AM8/7/18
to Dependency Check
3.3.1 was just released that should solve the issue.
Are Gulbrandsen
Oct 3, 2018, 4:11:12 AM10/3/18
to Dependency Check
I'm not sure if this is the correct place to post this, please point me in the right direction if not.
The Bouncy Castle Java API has consistently over the last years gotten the following wrong Identifiers which leads to false positives. We're currently using version 3.3.2:
The Bouncy Castle Java API has consistently over the last years gotten the following wrong Identifiers which leads to false positives. We're currently using version 3.3.2:
cpe: cpe:/a:pgp:pgp:1.60 Confidence:Low
cpe: cpe:/a:openpgp:openpgp:1.60 Confidence:Low
cpe: cpe:/a:pgp:openpgp:1.60 Confidence:Low
The correct identifier is also there:
maven: org.bouncycastle:bcpg-jdk15on:1.60 Confidence:Highest
My team is using the following suppress-element in the suppression file, so this is only a minor annoyance, but for new users it would be useful to get rid of.
<suppress>
<notes><![CDATA[
file name: bcpg-jdk15on-1.6.jar
]]></notes>
<gav regex="true">^org\.bouncycastle:bcpg-jdk15on:.*$</gav>
<cpe>cpe:/a:openpgp:openpgp</cpe>
<cpe>cpe:/a:pgp:openpgp</cpe>
<cpe>cpe:/a:pgp:pgp</cpe>
</suppress>
I'll use the opportunity to thank you for the fantastic job you're doing. OWASP dependency-check is an essential part of our pipeline.
Best Regards,
Are D. Gulbrandsen
Web Section,
University Center for Information Technology
University of Oslo
Jeremy Long
Oct 3, 2018, 6:08:34 AM10/3/18
to Dependency Check
Thanks - with 3.3.2 the added suppression should no longer be needed as a similar entry is in ODC's base suppression list; if you are still seeing FP without the above suppression rule please open a ticket on the github repo. You should also take a look at https://github.com/jeremylong/DependencyCheck/issues/1500 . - there have been some false negatives that will be fixed in the next release.
I'm glad teams find the tool useful!
--Jeremy
Reply all
Reply to author
Forward
0 new messages