Dependencycheck: Internet access (Maven central) required since v3

Created on 26 Oct 2017 · 5 comments · Source: jeremylong/DependencyCheck

Since v3, an internet connection is required to access Maven Central (search.maven.org).
This use case is very constraining when you are behind a corporate proxy.
A CI platform may have no proxy configuration and use a corporate Maven repository instead (like Artifactory, Nexus, Archiva, ...).

Couldn't this need be covered by the Maven repository defined in settings.xml?

Detailed error:

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (0 seconds)
[ERROR] Could not connect to Central search. Analysis failed.
java.io.IOException: Finally failed connecting to Central search. Giving up after 5 tries.
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts(CentralAnalyzer.java:288)
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.analyzeDependency(CentralAnalyzer.java:198)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:137)
    [...]
Caused by: java.net.UnknownHostException: search.maven.org
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
    [...]
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at org.owasp.dependencycheck.data.central.CentralSearch.searchSha1(CentralSearch.java:127)
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts(CentralAnalyzer.java:266)
    ... 8 more
[WARNING] An error occurred while analyzing '[...]\.m2\repository\commons-collections\commons-collections\3.2\commons-collections-3.2.jar' (Central Analyzer).
[ERROR] Could not connect to Central search. Analysis failed.

All 5 comments

In reality - ODC has always reached out to Maven Central. In the 3.x version the failure was raised in severity. However, if one is using the Maven plugin you can disable the central analyzer without any adverse effects.

<configuration>
   <centralAnalyzerEnabled>false</centralAnalyzerEnabled>
</configuration>

Thanks for this workaround.

More globally, what is the objective of ODC? Searching for dependencies by SHA-1 on a remote repository to reduce the number of false positives?

If so, wouldn't it be a good idea to have a more generic search system, based on the Maven remote repository configured in settings.xml (Central by default, but any configured mirror otherwise)?

The URL endpoint could be probed to determine the repository type (Maven Central or Nexus, JCenter or Artifactory, Archiva, ...) and the corresponding RemoteSearch implementation loaded?

So centralAnalyzerEnabled could become remoteAnalyzerEnabled, and nexusAnalyzerEnabled / nexusUrl / nexusUsesProxy would become deprecated.

For the Maven and Gradle plugins - I don't believe there is a lot of benefit from the CentralAnalyzer. This is because we already have the dependencies' coordinates. If one is using the CLI or the Ant task (we don't yet support Ivy), dependency-check does not know the coordinates. As such, we query Central to see 1) whether the dependency is in Central and 2) whether we can download the POM to gain additional evidence to better identify the library (in terms of CPE).

In place of the Central Analyzer one may also be able to use the NexusAnalyzer - if your enterprise has a Nexus Pro setup. We plan on building similar analyzers for other repository systems.
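To make the identification step described above concrete, here is an added Python sketch; it is not DependencyCheck's own code. It hashes a jar, builds the kind of SHA-1 query a Central lookup would send, and maps a reply onto Maven coordinates, while showing the two situations the maintainer distinguishes: a build tool that already knows the coordinates needs no lookup, and a disabled Central analyzer simply yields no extra evidence instead of failing. The query URL shape assumes the public search.maven.org "solrsearch" API (the issue only says ODC connects to search.maven.org), and the jar bytes and JSON reply are constructed samples.

```python
"""Added example (not DependencyCheck's code): SHA-1 based identification of a
jar against a Central-style search endpoint, with an injected fetcher so it
runs offline.  The URL shape and the reply format are assumptions modelled on
the public search.maven.org solrsearch API; the sample data is constructed."""
import hashlib
import json
from urllib.parse import quote

# Assumed endpoint shape; not taken from the issue.
CENTRAL_SEARCH = "https://search.maven.org/solrsearch/select"


def sha1_of(data: bytes) -> str:
    """Hex SHA-1 of the artifact bytes, the key Central is queried by."""
    return hashlib.sha1(data).hexdigest()


def central_query_url(sha1: str) -> str:
    """Build the checksum query; field "1" is the SHA-1 field in that API (assumption)."""
    q = '1:"%s"' % sha1
    return "%s?q=%s&rows=20&wt=json" % (CENTRAL_SEARCH, quote(q, safe=":"))


def coordinates_from_response(body: str):
    """Extract (groupId, artifactId, version) tuples from a JSON reply."""
    docs = json.loads(body).get("response", {}).get("docs", [])
    return [(d["g"], d["a"], d["v"]) for d in docs
            if all(k in d for k in ("g", "a", "v"))]


class CentralUnreachable(Exception):
    """Raised when the search host cannot be reached and the lookup is required."""


def identify(jar_bytes: bytes, fetch, known_coords=None, central_enabled=True):
    """Return (coordinates, source).

    known_coords: coordinates the build tool already has (Maven/Gradle plugin
    case), which makes the Central lookup unnecessary.
    fetch: callable(url) -> response body; raises OSError when offline.
    central_enabled: mirrors the centralAnalyzerEnabled switch from the thread.
    """
    if known_coords is not None:
        return [known_coords], "build-tool"
    if not central_enabled:
        # Analyzer disabled: no Central evidence, but no hard failure either.
        return [], "central-disabled"
    url = central_query_url(sha1_of(jar_bytes))
    try:
        body = fetch(url)
    except OSError as exc:
        # This is the failure mode in the issue's stack trace (UnknownHostException).
        raise CentralUnreachable("%s: %s" % (url, exc)) from exc
    return coordinates_from_response(body), "central"


# --- constructed sample data ------------------------------------------------
SAMPLE_JAR = b"PK\x03\x04constructed-sample-jar-bytes"  # constructed, not a real jar
SAMPLE_RESPONSE = json.dumps({"response": {"numFound": 1, "docs": [
    {"id": "commons-collections:commons-collections:3.2",
     "g": "commons-collections", "a": "commons-collections", "v": "3.2", "p": "jar"}]}})


def fake_central(url: str) -> str:
    """Stand-in for a reachable search endpoint."""
    return SAMPLE_RESPONSE


def offline(url: str) -> str:
    """Stand-in for a CI host with no route to search.maven.org."""
    raise OSError("UnknownHostException: search.maven.org")


if __name__ == "__main__":
    print(identify(SAMPLE_JAR, fake_central))
    print(identify(SAMPLE_JAR, offline,
                   known_coords=("commons-collections", "commons-collections", "3.2")))
    print(identify(SAMPLE_JAR, offline, central_enabled=False))
    try:
        identify(SAMPLE_JAR, offline)
    except CentralUnreachable as err:
        print("lookup failed:", err)
```

The injected `fetch` is what keeps the example offline; in a real run it would be an HTTPS request that honours the proxy settings the thread discusses, and the `known_coords` branch is the reason the maintainer says the Maven plugin loses nothing by disabling the analyzer.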

For the Maven and Gradle plugin - I don't believe there is a lot of benefit from the CentralAnalyzer. [...]

Understood. Thanks for this feedback. I'm closing the question.

We plan on building similar analyzers for other repository systems.

In that case I'd like to promote my previous idea: if only one URL is configured and the remote repository type at that endpoint is auto-detected, it is simpler to use ;)

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
