[JIRA] (JENKINS-49685) Unable to download the NVD CVE data. Caused by: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"

bootsarehax@gmail.com (JIRA)

Feb 22, 2018, 2:19:03 AM
to jenkinsc...@googlegroups.com
Philipp Moeller created an issue
 
Jenkins / Improvement JENKINS-49685
Unable to download the NVD CVE data. Caused by: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"
Issue Type: Improvement
Assignee: Unassigned
Components: dependency-check-jenkins-plugin
Created: 2018-02-22 07:18
Environment: Jenkins 2.89.4, JDK 8u161
Priority: Major
Reporter: Philipp Moeller

My Jenkins Instance is sitting behind a proxy that requires basic authentication, which is configured in the Jenkins Instance. Updating plugins via https works without problems with the configured proxy.

When trying to run the dependencyCheckAnalyzer from a Jenkins Pipeline I get the following error and stack trace:

[DependencyCheck] One or more exceptions were thrown while executing Dependency-Check
[DependencyCheck] Exception Caught: org.owasp.dependencycheck.data.update.exception.UpdateException
[DependencyCheck] Cause: java.util.concurrent.ExecutionException: org.owasp.dependencycheck.utils.DownloadFailedException: Error making HTTP GET request.
[DependencyCheck] Message: Unable to download the NVD CVE data.
[DependencyCheck] org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to download the NVD CVE data.
[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:130)
[DependencyCheck] at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:889)
[DependencyCheck] at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:716)
[DependencyCheck] at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:642)
[DependencyCheck] at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.executeDependencyCheck(DependencyCheckExecutor.java:172)
[DependencyCheck] at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.call(DependencyCheckExecutor.java:103)
[DependencyCheck] at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.call(DependencyCheckExecutor.java:46)
[DependencyCheck] at hudson.remoting.UserRequest.perform(UserRequest.java:210)
[DependencyCheck] at hudson.remoting.UserRequest.perform(UserRequest.java:53)
[DependencyCheck] at hudson.remoting.Request$2.run(Request.java:358)
[DependencyCheck] at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
[DependencyCheck] at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[DependencyCheck] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[DependencyCheck] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[DependencyCheck] at hudson.remoting.Engine$1$1.run(Engine.java:94)
[DependencyCheck] at java.lang.Thread.run(Thread.java:748)
[DependencyCheck] Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: java.util.concurrent.ExecutionException: org.owasp.dependencycheck.utils.DownloadFailedException: Error making HTTP GET request.
[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater.retrieveLastModifiedDates(NvdCveUpdater.java:460)
[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater.retrieveCurrentTimestampsFromWeb(NvdCveUpdater.java:402)
[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:319)
[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:117)
[DependencyCheck] ... 15 more
[DependencyCheck] Caused by: java.util.concurrent.ExecutionException: org.owasp.dependencycheck.utils.DownloadFailedException: Error making HTTP GET request.
[DependencyCheck] at java.util.concurrent.FutureTask.report(FutureTask.java:122)
[DependencyCheck] at java.util.concurrent.FutureTask.get(FutureTask.java:206)
[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater.retrieveLastModifiedDates(NvdCveUpdater.java:455)
[DependencyCheck] ... 18 more
[DependencyCheck] Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error making HTTP GET request.
[DependencyCheck] at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:293)
[DependencyCheck] at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:235)
[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater$TimestampRetriever.call(NvdCveUpdater.java:507)
[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater$TimestampRetriever.call(NvdCveUpdater.java:480)
[DependencyCheck] at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[DependencyCheck] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[DependencyCheck] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[DependencyCheck] ... 1 more
[DependencyCheck] Caused by: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"
[DependencyCheck] at sun.net.www.protocol.http.HttpURLConnection.doTunneling(HttpURLConnection.java:2124)
[DependencyCheck] at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:183)
[DependencyCheck] at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
[DependencyCheck] at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:268)
[DependencyCheck] ... 7 more
[DependencyCheck]
[DependencyCheck] Exception Caught: org.owasp.dependencycheck.exception.NoDataException
[DependencyCheck] Message: No documents exist
[DependencyCheck] org.owasp.dependencycheck.exception.NoDataException: No documents exist
[DependencyCheck] at org.owasp.dependencycheck.Engine.ensureDataExists(Engine.java:1068)
[DependencyCheck] at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:646)
[DependencyCheck] at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.executeDependencyCheck(DependencyCheckExecutor.java:172)
[DependencyCheck] at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.call(DependencyCheckExecutor.java:103)
[DependencyCheck] at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.call(DependencyCheckExecutor.java:46)
[DependencyCheck] at hudson.remoting.UserRequest.perform(UserRequest.java:210)
[DependencyCheck] at hudson.remoting.UserRequest.perform(UserRequest.java:53)
[DependencyCheck] at hudson.remoting.Request$2.run(Request.java:358)
[DependencyCheck] at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
[DependencyCheck] at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[DependencyCheck] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[DependencyCheck] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[DependencyCheck] at hudson.remoting.Engine$1$1.run(Engine.java:94)
[DependencyCheck] at java.lang.Thread.run(Thread.java:748)

I assume this is caused by jdk.http.auth.tunneling.disabledSchemes, as described here: http://www.oracle.com/technetwork/java/javase/8u111-relnotes-3124969.html

A possible workaround is to remove Basic from jdk.http.auth.tunneling.disabledSchemes, but this seems unnecessary, since all other parts of Jenkins do not require this setting and work flawlessly with the proxy configuration and HTTPS traffic, and this plugin should as well.


steve.springett@owasp.org (JIRA)

Mar 17, 2018, 10:45:04 PM
to jenkinsc...@googlegroups.com
Steve Springett commented on Improvement JENKINS-49685
 
Re: Unable to download the NVD CVE data. Caused by: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"

The Dependency-Check Jenkins plugin relies on the proxy settings in the Jenkins global config. These settings are passed to the Dependency-Check Core/Util modules.

In the util module, there is a setting called PROXY_DISABLE_SCHEMAS and if that is disabled, it sets jdk.http.auth.tunneling.disabledSchemes = ""

https://github.com/jeremylong/DependencyCheck/blob/master/utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java#L94

 

Based on your research, would enabling this setting resolve the issue? I don't have a proxy server to test with so it's a bit hard for me to know. But based on what I've read, if there was a global setting for the Jenkins plugin that provided the ability to enable/disable this feature, that could potentially solve the issue reported. Is that an accurate statement?
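
To check the reporter's assumption on the JVM that actually runs the Dependency-Check step, the following added example (not part of the thread or of the plugin's code; the class name TunnelSchemeCheck is hypothetical) resolves the effective value of jdk.http.auth.tunneling.disabledSchemes as the 8u111 release notes describe: a system property of that name, even an empty one, overrides the net.properties default. It assumes it is launched with the same java binary and -D flags as that JVM.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
import java.util.TreeSet;

/** Added diagnostic: lists the auth schemes this JVM refuses to use for proxy CONNECT tunnels. */
public class TunnelSchemeCheck {
    static final String KEY = "jdk.http.auth.tunneling.disabledSchemes";

    /** A system property of the same name (even "") wins over the net.properties default. */
    static String effectiveValue(Properties netProps) {
        return System.getProperty(KEY, netProps.getProperty(KEY, ""));
    }

    /** Splits the comma-separated scheme list; an empty value disables nothing. */
    static Set<String> parseSchemes(String value) {
        Set<String> out = new TreeSet<>();
        for (String s : value.split(",")) {
            if (!s.trim().isEmpty()) out.add(s.trim().toLowerCase(Locale.ROOT));
        }
        return out;
    }

    /** net.properties lives under lib/ on JDK 8 and under conf/ on JDK 9 and later. */
    static Properties loadNetProperties() throws IOException {
        Properties p = new Properties();
        String home = System.getProperty("java.home");
        Path[] candidates = { Paths.get(home, "conf", "net.properties"),
                              Paths.get(home, "lib", "net.properties") };
        for (Path f : candidates) {
            if (!Files.isReadable(f)) continue;
            try (InputStream in = Files.newInputStream(f)) { p.load(in); }
            break;
        }
        return p;
    }

    public static void main(String[] args) throws IOException {
        Set<String> disabled = parseSchemes(effectiveValue(loadNetProperties()));
        System.out.println(KEY + " (effective) = " + disabled);
        System.out.println(disabled.contains("basic")
            ? "Basic is disabled for CONNECT tunnels: HTTPS through a Basic-only proxy fails with 407."
            : "Basic is allowed for CONNECT tunnels.");
    }
}
```

Removing Basic from the disabled list means the JVM sends the proxy credentials, base64-encoded only, in the CONNECT request to the proxy, so weigh that against the network path between the build node and the proxy.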

bootsarehax@gmail.com (JIRA)

Mar 28, 2018, 5:24:01 AM
to jenkinsc...@googlegroups.com
Philipp Moeller edited a comment on Improvement JENKINS-49685
IMO that would solve the issue, but I think it should not be necessary. The Jenkins Plugin Manager and almost all other plugins have no issue with the configured proxy.

steve.springett@owasp.org (JIRA)

Jul 6, 2019, 11:26:03 PM
to jenkinsc...@googlegroups.com
Steve Springett closed an issue as Won't Do
 

No longer relevant with v5.0.0

Change By: Steve Springett
Status: Open → Closed
Resolution: Won't Do