Dependencycheck: [2.1.1/Maven plugin] Build failure due to connection error - Unable to connect to 'https://api.nodesecurity.io/check'

The URL looks correct - yes, if you just navigate to it you will see JSON returning a 404. The issue is that your Java trust store does not include the appropriate certs to make an HTTPS connection to a site that uses a cert from Let's Encrypt. You can follow the instructions at: https://github.com/jeremylong/InstallCert

Alternatively, newer versions of Java include the necessary root certificates for Let's Encrypt. See https://letsencrypt.org/docs/certificate-compatibility/

@jeremylong thanks for your explanation - when I try to open the URL https://api.nodesecurity.io/check in my browser I get the following JSON:

{"statusCode":404,"error":"Not Found","message":"Not Found"}

which seems to be translated to above error message. Ok so far, but
shouldn't this problem disappear when I disable NodeJS scanning in my maven plugin configuration?

Disabling the NspAnalyzer will resolve the error:

<configuration>
   <nspAnalyzerEnabled>false</nspAnalyzerEnabled>
</configuration>

@jeremylong thanks for your hint, since my project is Java only I was able to disable the nsp-Analyzer (although I thought it to be the nodeAnalyzerEnabled flag), which resulted in yet another error .... my configuration explicitly disables
rubygemsAnalyzerEnabled:false, but my build fails with:

21:30:24 [ERROR] Failed to execute goal org.owasp:dependency-check-maven:2.1.1:check (default) on project 365FarmNet: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during dependency-check analysis
21:30:24 [ERROR] Exception from bundle-audit process: java.io.IOException: Cannot run program "bundle-audit" (in directory "/tmp/dctemp80d216bf-2bac-444d-9401-8be458201fad"): error=2, No such file or directory. Disabling Ruby Bundle Audit Analyzer
21:30:24 [ERROR] -> [Help 1]

maybe due to:

21:29:00 [INFO] Finished Archive Analyzer (1 seconds)
21:29:00 [INFO] Launching: [bundle-audit, check, --verbose] from /tmp/dctemp80d216bf-2bac-444d-9401-8be458201fad
21:29:00 [ERROR] Exception occurred initializing Ruby Bundle Audit Analyzer.
21:29:00 [INFO] Finished File Name Analyzer (0 seconds)

Is there another configuration option I do not understand properly?

My OWASP profile is defined like that:

        <profile>
            <id>owasp</id>
            <build>
                <defaultGoal>dependency-check:check</defaultGoal>
                <plugins>
                    <plugin>
                        <groupId>org.owasp</groupId>
                        <artifactId>dependency-check-maven</artifactId>
                        <version>2.1.1</version>
                        <executions>
                            <execution>
                                <goals>
                                    <goal>check</goal>
                                </goals>
                            </execution>
                        </executions>
                        <configuration>
                            <nspAnalyzerEnabled>false</nspAnalyzerEnabled>
                            <nodeAnalyzerEnabled>false</nodeAnalyzerEnabled>
                            <rubygemsAnalyzerEnabled>false</rubygemsAnalyzerEnabled>
                        </configuration>
                    </plugin>
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-surefire-plugin</artifactId>
                        <configuration>
                            <skipTests>true</skipTests>
                        </configuration>
                    </plugin>
                </plugins>
            </build>
        </profile>

You likely want to do the following:

<configuration>
    <nspAnalyzerEnabled>false</nspAnalyzerEnabled>
    <nodeAnalyzerEnabled>false</nodeAnalyzerEnabled>
    <rubygemsAnalyzerEnabled>false</rubygemsAnalyzerEnabled>
    <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
    <bundleAuditAnalyzerEnabled>false</bundleAuditAnalyzerEnabled>
</configuration>

Thanks for your hints - it made the builds go green again :-)

Would it make sense to file a PR to print the current configuration concerning the analyzers when the build starts? Without your help I wouldn't have known which analyzers to disable.

WDYT?

Thanks again for your help.

I'll raise a PR for the configuration output - thanks again.

I have tried the InstallCert approach as well as updating both my JRE and JDK to 1.8.0u144 (which the Let's Encrypt site says is supported) and no dice, I cannot build. I'd prefer not to disable the NSP or other analyzers. I confirmed that after running InstallCert that the api.nodesecurity.io cert and the Let's Encrypt X3 cert is in my system cacerts file via running keytool -list. Are there any other suggestions on things to try?

@paulirwin you are getting the exact same error?

[ERROR] Unable to connect to 'https://api.nodesecurity.io/check' - the Java trust store does not contain a trusted root for the cert. Please see https://github.com/jeremylong/InstallCert for one method of updating the trusted certificates.

The only thing I could ask (is a stupid question) - do you have multiple JREs on your system and are you 100% positive the one being used has the installed certs?

Disregard previous message. My JAVA_HOME environment variable was pointing to an older JDK with its own JRE. I updated the cacerts there (jdk path/jre/lib/security) and now it works. Thanks for your help!

ok

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.