OWASP dependency-check 3.3.0 released!


Jeremy Long

Jul 24, 2018, 6:58:13 AM7/24/18
to Dependency Check
The OWASP dependency-check team is pleased to announce the release of version 3.3.0! Visit the documentation site for information on obtaining the new version (CLI, Maven Plugin, Ant Task, Gradle Plugin, Jenkins Plugin, and SBT Plugin).

Please see the release notes hosted on github.

Best Regards,

The OWASP dependency-check team

Ronald Gundlach-Chmara

Jul 31, 2018, 4:00:55 PM7/31/18
to Dependency Check
Tried the 3.3.0 Jenkins plugin; it no longer successfully fetches data (slave machines are behind a corporate proxy, docker/mesos images, using a custom OWASP cache location), Jenkins LTS version 2.121.2.

Looks to be some kind of problem with download/linking cross device (in the below, /tmp/ and /scratch/build/workspace/project_owasp_cache are two separate docker areas). It might work fine if /tmp and a custom cache directory (or default cache location) are on the same disk, but "less fine" downloading/moving files? (It looks like a pretty common "rename instead of move" bug.)

Reverted to 3.2.1, and that version works fine (aside from missing all the awesome new checks).

Stacktrace:

[DependencyCheck] OWASP Dependency-Check Plugin v3.3.0
[DependencyCheck] Executing Dependency-Check with the following options:
[DependencyCheck]  -name = INF-27247
[DependencyCheck]  -scanPath = /scratch/build/workspace/-coordination-svc_PROJ-27247-MUWKDZQB6GKEOQ3VY6T2F75HOR32544WKC474AH256PS7Z6Z23ZA/targets/classes
[DependencyCheck]  -outputDirectory = /scratch/build/workspace/-coordination-svc_PROJ-27247-MUWKDZQB6GKEOQ3VY6T2F75HOR32544WKC474AH256PS7Z6Z23ZA
[DependencyCheck]  -dataDirectory = /scratch/build/workspace/project_owasp_cache
[DependencyCheck]  -dataMirroringType = none
[DependencyCheck]  -proxyServer = www-proxy.us.company.com
[DependencyCheck]  -proxyPort = 80
[DependencyCheck]  -isQuickQueryTimestampEnabled = true
[DependencyCheck]  -jarAnalyzerEnabled = true
[DependencyCheck]  -nodePackageAnalyzerEnabled = true
[DependencyCheck]  -nspAnalyzerEnabled = true
[DependencyCheck]  -retireJsAnalyzerEnabled = true
[DependencyCheck]  -composerLockAnalyzerEnabled = true
[DependencyCheck]  -pythonDistributionAnalyzerEnabled = true
[DependencyCheck]  -pythonPackageAnalyzerEnabled = true
[DependencyCheck]  -rubyBundlerAuditAnalyzerEnabled = true
[DependencyCheck]  -rubyGemAnalyzerEnabled = true
[DependencyCheck]  -cocoaPodsAnalyzerEnabled = true
[DependencyCheck]  -swiftPackageManagerAnalyzerEnabled = true
[DependencyCheck]  -archiveAnalyzerEnabled = true
[DependencyCheck]  -assemblyAnalyzerEnabled = true
[DependencyCheck]  -msBuildProjectAnalyzerEnabled = true
[DependencyCheck]  -centralAnalyzerEnabled = true
[DependencyCheck]  -nuspecAnalyzerEnabled = true
[DependencyCheck]  -nexusAnalyzerEnabled = false
[DependencyCheck]  -artifactoryAnalyzerEnabled = false
[DependencyCheck]  -autoconfAnalyzerEnabled = true
[DependencyCheck]  -cmakeAnalyzerEnabled = true
[DependencyCheck]  -opensslAnalyzerEnabled = true
[DependencyCheck]  -showEvidence = true
[DependencyCheck]  -formats = XML 
[DependencyCheck]  -autoUpdate = true
[DependencyCheck]  -updateOnly = false
[DependencyCheck] Analyzing Dependencies
[DependencyCheck] One or more exceptions were thrown while executing Dependency-Check
[DependencyCheck] Exception Caught: org.owasp.dependencycheck.data.update.exception.UpdateException
[DependencyCheck] Cause: /tmp/dctemp4176f3cf-0ccf-4f18-8bc7-757885847676/jsrepository.json -> /scratch/build/workspace/project_owasp_cache/jsrepository.json: Invalid cross-device link
[DependencyCheck] Message: Failed to initialize the RetireJS repo
[DependencyCheck] org.owasp.dependencycheck.data.update.exception.UpdateException: Failed to initialize the RetireJS repo
[DependencyCheck] 	at org.owasp.dependencycheck.data.update.RetireJSDataSource.initializeRetireJsRepo(RetireJSDataSource.java:167)
[DependencyCheck] 	at org.owasp.dependencycheck.data.update.RetireJSDataSource.update(RetireJSDataSource.java:99)
[DependencyCheck] 	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:899)
[DependencyCheck] 	at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:716)
[DependencyCheck] 	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:642)
[DependencyCheck] 	at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.executeDependencyCheck(DependencyCheckExecutor.java:172)
[DependencyCheck] 	at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.call(DependencyCheckExecutor.java:103)
[DependencyCheck] 	at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.call(DependencyCheckExecutor.java:46)
[DependencyCheck] 	at hudson.remoting.UserRequest.perform(UserRequest.java:212)
[DependencyCheck] 	at hudson.remoting.UserRequest.perform(UserRequest.java:54)
[DependencyCheck] 	at hudson.remoting.Request$2.run(Request.java:369)
[DependencyCheck] 	at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
[DependencyCheck] 	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[DependencyCheck] 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[DependencyCheck] 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[DependencyCheck] 	at hudson.remoting.Engine$1.lambda$newThread$0(Engine.java:93)
[DependencyCheck] 	at java.lang.Thread.run(Thread.java:748)
[DependencyCheck] Caused by: java.nio.file.AtomicMoveNotSupportedException: /tmp/dctemp4176f3cf-0ccf-4f18-8bc7-757885847676/jsrepository.json -> /scratch/build/workspace/project_owasp_cache/jsrepository.json: Invalid cross-device link
[DependencyCheck] 	at sun.nio.fs.UnixCopyFile.move(UnixCopyFile.java:394)
[DependencyCheck] 	at sun.nio.fs.UnixFileSystemProvider.move(UnixFileSystemProvider.java:262)
[DependencyCheck] 	at java.nio.file.Files.move(Files.java:1395)
[DependencyCheck] 	at org.owasp.dependencycheck.data.update.RetireJSDataSource.initializeRetireJsRepo(RetireJSDataSource.java:164)
[DependencyCheck] 	


...and disk setup (to explain how /tmp and /scratch/build are different, so the file would have to be copied/moved, not renamed):
+ df -k
Filesystem                                       1K-blocks       Used  Available Use% Mounted on
/dev/mapper/docker-lv_build_workspace            1975685120  348625380 1624717196  18% /
tmpfs                                             92512508          0   92512508   0% /dev
tmpfs                                             92512508          0   92512508   0% /sys/fs/cgroup
/dev/mapper/docker-lv_build_workspace            1975685120  348625380 1624717196  18% /tools
/dev/mapper/vg_build_workspace-lv_build_workspace 2620966424 1307126988 1180678888  53% /scratch/build
shm                                                  65536          0      65536   0% /dev/shm
/dev/xvda2                                        51480372   26045252   22814564  54% /run/docker.sock
tmpfs                                             92512508          0   92512508   0% /sys/firmware
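The stack trace above shows Files.move being called with ATOMIC_MOVE, which is a rename and cannot cross filesystems (the "Invalid cross-device link" from the kernel). The helper below is an added illustration, not dependency-check's own code, of the usual fix: try the atomic rename, and on AtomicMoveNotSupportedException stage a copy inside the target directory so the final rename stays on one device and readers never observe a half-written cache file. Class and method names here are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.AtomicMoveNotSupportedException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;

// Hypothetical helper, not part of dependency-check: moves a downloaded
// file into a cache directory that may live on a different filesystem.
public final class SafeMove {
    private SafeMove() {}

    public static void moveReplacing(Path source, Path target) throws IOException {
        try {
            // Fast path: source and target on the same filesystem, plain rename.
            Files.move(source, target, StandardCopyOption.ATOMIC_MOVE,
                       StandardCopyOption.REPLACE_EXISTING);
        } catch (AtomicMoveNotSupportedException crossDevice) {
            // Cross-device case: copy next to the target first, then rename
            // within the target directory, which is atomic on that device.
            Path staged = Files.createTempFile(target.getParent(), ".staging-", ".tmp");
            try {
                Files.copy(source, staged, StandardCopyOption.REPLACE_EXISTING);
                Files.move(staged, target, StandardCopyOption.ATOMIC_MOVE,
                           StandardCopyOption.REPLACE_EXISTING);
            } catch (IOException inner) {
                Files.deleteIfExists(staged); // never leave a partial file behind
                throw inner;
            }
            Files.deleteIfExists(source);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo: a temp file under /tmp moved into the current
        // directory, which may or may not be on the same filesystem.
        Path src = Files.createTempFile("dctemp-", ".json");
        Files.write(src, "{\"note\":\"constructed sample\"}".getBytes(StandardCharsets.UTF_8));
        Path dst = Paths.get("jsrepository.json");
        moveReplacing(src, dst);
        System.out.println("moved to " + dst.toAbsolutePath());
    }
}
```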

Jeremy Long

Aug 7, 2018, 9:20:18 AM8/7/18
to Dependency Check
3.3.1 was just released that should solve the issue.

Are Gulbrandsen

Oct 3, 2018, 4:11:12 AM10/3/18
to Dependency Check
I'm not sure if this is the correct place to post this, please point me in the right direction if not.

The Bouncy Castle Java API has consistently over the last years gotten the following wrong identifiers, which lead to false positives. We're currently using version 3.3.2:
cpe: cpe:/a:pgp:pgp:1.60  Confidence:Low
cpe: cpe:/a:openpgp:openpgp:1.60  Confidence:Low
cpe: cpe:/a:pgp:openpgp:1.60  Confidence:Low

The correct identifier is also there: 
maven: org.bouncycastle:bcpg-jdk15on:1.60  Confidence:Highest 

My team is using the following suppress-element in the suppression file, so this is only a minor annoyance, but for new users it would be useful to get rid of.

  <suppress>
    <notes><![CDATA[
      file name: bcpg-jdk15on-1.6.jar
    ]]></notes>
    <gav regex="true">^org\.bouncycastle:bcpg-jdk15on:.*$</gav>
    <cpe>cpe:/a:openpgp:openpgp</cpe>
    <cpe>cpe:/a:pgp:openpgp</cpe>
    <cpe>cpe:/a:pgp:pgp</cpe>
  </suppress>


I'll use the opportunity to thank you for the fantastic job you're doing. OWASP dependency-check is an essential part of our pipeline.


Best Regards,
Are D. Gulbrandsen
Web Section,
University Center for Information Technology
University of Oslo

Jeremy Long

Oct 3, 2018, 6:08:34 AM10/3/18
to Dependency Check
Thanks - with 3.3.2 the added suppression should no longer be needed, as a similar entry is in ODC's base suppression list; if you are still seeing FPs without the above suppression rule, please open a ticket on the github repo. You should also take a look at https://github.com/jeremylong/DependencyCheck/issues/1500 - there have been some false negatives that will be fixed in the next release.

I'm glad teams find the tool useful!

--Jeremy