Unable to connect to the dependency-check database

[Jim Sellers]

Hello.

I've been seeing this for the 3.0.0, 3.0.1, and 3.0.2 versions.

We have bamboo (CI server) that runs ODC and if there is a "heavy load" (3 concurrent builds), _sometimes_ one of the builds will fail being unable to connect to the local h2 database. I'm seeing this with the maven plugin.

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:3.0.2:check (default-cli) on project MY_PROJECT: Fatal exception(s) analyzing MY_PROJECT: Unable to connect to the dependency-check database.

* I bumped up the ulimit for the user to 60000
* there is a separate job that updates the db, and not at the same time as the builds run

Any help that can be provided would be great. I just don't understand how sometimes the plugin can't seem to read the file which is on the same filesystem.

Thanks for your time
Jim

[Jeremy Long]

Are you using the embedded H2 database or did you setup an external database?

--
You received this message because you are subscribed to the Google Groups "Dependency Check" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dependency-check+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Piyush Mittal]

I am also facing the same issue. I am using embedded H2 DB. Similar to Jim, I have separate job which updates DB using maven plugin (Although it's a Jenkins job but I am using maven plugin to update DB via execute shell). 

To unsubscribe from this group and stop receiving emails from it, send an email to dependency-che...@googlegroups.com.

[Jim Sellers]

Yes, embedded H2.

Jim

You received this message because you are subscribed to a topic in the Google Groups "Dependency Check" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/dependency-check/nocfIHsB84c/unsubscribe.
To unsubscribe from this group and all its topics, send an email to dependency-che...@googlegroups.com.

[Jeremy Long]

Have you setup the scanning nodes as `noupdate`? I'm a little less familiar with the Jenkins setup as this has been being maintained by Steve Springett so I might have the configuration option name wrong.

For heavy usage I would highly recommend using a database server; see the documentation page. Another option is to use a docker image w/ MySql and an instance of dependency-check scheduled to update the database (see dependencycheck-enterprise-docker). This has not been published to dockerhub yet - but I am planning on doing this.

Yes, embedded H2.

Jim

To unsubscribe from this group and all its topics, send an email to dependency-check+unsubscribe@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

You received this message because you are subscribed to the Google Groups "Dependency Check" group.

To unsubscribe from this group and stop receiving emails from it, send an email to dependency-check+unsubscribe@googlegroups.com.

[Jim Sellers]

Yes, they are set to no update.
Docker isn’t an option right now for our CI server. 🙁
Our setup is bamboo calling maven builds. Nothing special.

What would be the causes of unable to connect to the db? Any logging I could turn on to figure this out?

Thanks for your time
Jim

Yes, embedded H2.

Jim

To unsubscribe from this group and all its topics, send an email to dependency-che...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Jeremy Long]

The only debugging that can be turned on in the maven build is the standard `-X`. I've not been able to reproduce this issue...  One thing I would highly recommend is using an external database (oracle, ms sql, mysql, postgres, ...). I've been trying to make the embedded database more robust for heavier load - but it appears that folks are still running into problems.  See https://jeremylong.github.io/DependencyCheck/data/database.html

--Jerem