When parsing a project with the command-line utility, the job ends with the error "unable to parse pom". All reports seem to be generated, though. But the Jenkins job ends with an error.
We don't use the plugin because we were not able to integrate it in a Jenkins pipeline.
Regards,
Peter
[INFO] Analysis Started
[INFO] Finished Archive Analyzer (19 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[Fatal Error] :2:10: DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.
[Fatal Error] :2:10: DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.
[WARN] Unable to parse pom '/tmp/dctemp70cd02b5-58b6-4a24-b10e-370afc53f5a2/check3647187796509583746tmp/707/pom.xml'
[WARN] An error occurred while analyzing '/buildssd/workspace/10.1-owasp/server/taa/product/target/products/de.ruv.ruvconn.server.application.taa.product/win32/win32/x86/plugins/org.jslipc_0.2.0.jar' (Jar Analyzer).
[WARN] Unable to parse pom '/tmp/dctemp70cd02b5-58b6-4a24-b10e-370afc53f5a2/check3647187796509583746tmp/708/pom.xml'
[WARN] An error occurred while analyzing '/tmp/dctemp70cd02b5-58b6-4a24-b10e-370afc53f5a2/check8483265078113306401tmp/419/lib/jslipc-0.2.0.jar' (Jar Analyzer).
[INFO] Finished Jar Analyzer (2 seconds)
[INFO] Finished Central Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (6 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished Cpe Suppression Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (26 seconds)
[INFO] Analysis Complete (56 seconds)
[ERROR] org.owasp.dependencycheck.xml.pom.PomParseException: Unable to parse pom '/tmp/dctemp70cd02b5-58b6-4a24-b10e-370afc53f5a2/check3647187796509583746tmp/707/pom.xml'
[ERROR] org.owasp.dependencycheck.xml.pom.PomParseException: Unable to parse pom '/tmp/dctemp70cd02b5-58b6-4a24-b10e-370afc53f5a2/check3647187796509583746tmp/708/pom.xml'
What version of dependency-check are you using? Can you add --log odc.log to the command line to provide more details about the specific failure?
Hi Jeremy,
Sorry for not responding for so long. I had been at a training.
I have attached the logfile.
Peter
We are using version 3.0.2.
Looking at the log file it looks like there is a DOCTYPE defined in the pom for de.ruv.ruvconn.taa.mqadapter.leben.operationhandler_10.1.9.201711301530.jar:
Caused by: org.owasp.dependencycheck.xml.pom.PomParseException: Unable to parse pom '/tmp/dctempf8a69e51-e6d0-4acc-a432-f2671c9cbb77/check2024181862727803803tmp/709/pom.xml'
at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:66)
at org.owasp.dependencycheck.xml.pom.PomUtils.readPom(PomUtils.java:57)
... 9 common frames omitted
Caused by: org.owasp.dependencycheck.xml.pom.PomParseException: org.xml.sax.SAXParseException; lineNumber: 2; columnNumber: 10; DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.
at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:95)
at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:63)
... 10 common frames omitted
Caused by: org.xml.sax.SAXParseException: DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1239)
at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:91)
... 11 common frames omitted
Any chance you have an example pom.xml that I could look at that is similar to what is causing the error?
After taking a deeper look into that, I have found that the jar which is analyzed looks like this:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE xml [<!ENTITY quot """>
<!ENTITY euro "€">
<!ENTITY reg "®">
<!ENTITY nbsp " ">
<!ENTITY Auml "Ä">
<!ENTITY Uuml "Ü">
<!ENTITY Ouml "Ö">
<!ENTITY auml "ä">
<!ENTITY uuml "ü">
<!ENTITY ouml "ö">
<!ENTITY raquo "»">
<!ENTITY szlig "ß">]>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<parent>
<groupId>org.sonatype.oss</groupId>
<artifactId>oss-parent</artifactId>
<version>7</version>
</parent>
<modelVersion>4.0.0</modelVersion>
<groupId>org.jslipc</groupId>
<artifactId>jslipc</artifactId>
<version>0.2.0</version>
<description>Java Socket-Less Inter-Process Communication API</description>
<url>http://www.jslipc.org/</url>
<licenses>
<license>
<name>The MIT License</name>
<url>http://code.google.com/p/jslipc/wiki/License</url>
<distribution>repo</distribution>
</license>
</licenses>
<scm>
<connection>scm:git:https://code.google.com/p/jslipc/</connection>
<developerConnection>scm:git:https://code.google.com/p/jslipc/</developerConnection>
<url>http://code.google.com/p/jslipc/source/browse</url>
</scm>
<developers>
<developer>
<id>stuckert</id>
<name>Ralf Stuckert</name>
<email>[email protected]</email>
</developer>
</developers>
<!-- packaging>bundle</packaging -->
<properties>
<distribution.dir>${project.build.directory}/dist</distribution.dir>
</properties>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.11</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-all</artifactId>
<version>1.9.5</version>
<scope>test</scope>
</dependency>
which seemed to be the problem.
The error output looks like this:
00:10:58.615 + /dependency-check/bin/dependency-check.sh --data /prj/jenkins/owasp/data --format ALL --scan '/buildssd/workspace/11.0-owasp/**/target/**/*.jar' --noupdate --out /buildssd/workspace/11.0-owasp/dependency-check --project ruvconn_owasp
00:11:45.300 [INFO] Analysis Started
00:12:03.390 [INFO] Finished Archive Analyzer (22 seconds)
00:12:03.390 [INFO] Finished File Name Analyzer (0 seconds)
00:12:03.390 [Fatal Error] :2:10: DOCTYPE ist nicht zulässig, wenn das Feature "http://apache.org/xml/features/disallow-doctype-decl" auf "true" gesetzt ist.
00:12:03.390 [Fatal Error] :2:10: DOCTYPE ist nicht zulässig, wenn das Feature "http://apache.org/xml/features/disallow-doctype-decl" auf "true" gesetzt ist.
00:12:03.391 [WARN] Unable to parse pom '/tmp/dctempa72ba5ad-2e12-4c3e-adaf-9db1363e2444/check5441412863754850016tmp/552/pom.xml'
00:12:03.391 [WARN] Unable to parse pom '/tmp/dctempa72ba5ad-2e12-4c3e-adaf-9db1363e2444/check5441412863754850016tmp/551/pom.xml'
00:12:03.391 [WARN] An error occurred while analyzing
'/buildssd/workspace/11.0-owasp/.../../plugins/org.jslipc_0.2.0.jar' (Jar Analyzer).
00:12:03.391 [WARN] An error occurred while analyzing '/tmp/dctempa72ba5ad-2e12-4c3e-adaf-9db1363e2444/check6069155271836861559tmp/541/lib/jslipc-0.2.0.jar' (Jar Analyzer).
00:12:03.651 [INFO] Finished Jar Analyzer (2 seconds)
00:12:03.911 [INFO] Finished Central Analyzer (0 seconds)
00:12:03.911 [ERROR] ----------------------------------------------------
00:12:03.911 [ERROR] .NET Assembly Analyzer could not be initialized and at least one 'exe' or 'dll' was scanned. The 'mono' executable could not be found on the path; either disable the Assembly Analyzer or configure the path mono. On some systems mono-runtime and mono-devel need to be installed.
00:12:03.912 [ERROR] ----------------------------------------------------
00:12:03.912 [INFO] Finished Dependency Merging Analyzer (0 seconds)
00:12:03.912 [INFO] Finished Version Filter Analyzer (0 seconds)
00:12:04.172 [INFO] Finished Hint Analyzer (0 seconds)
00:12:05.547 [INFO] Created CPE Index (1 seconds)
00:12:12.113 [INFO] Finished CPE Analyzer (7 seconds)
00:12:12.113 [INFO] Finished False Positive Analyzer (0 seconds)
00:12:12.114 [INFO] Finished Cpe Suppression Analyzer (0 seconds)
00:12:12.114 [INFO] Finished NVD CVE Analyzer (0 seconds)
00:12:12.114 [INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
00:12:12.374 [INFO] Finished Dependency Bundling Analyzer (0 seconds)
00:12:13.309 [INFO] Analysis Complete (34 seconds)
00:12:15.215 [ERROR] org.owasp.dependencycheck.xml.pom.PomParseException: Unable to parse pom '/tmp/dctempa72ba5ad-2e12-4c3e-adaf-9db1363e2444/check5441412863754850016tmp/551/pom.xml'
00:12:15.215 [ERROR] org.owasp.dependencycheck.xml.pom.PomParseException: Unable to parse pom '/tmp/dctempa72ba5ad-2e12-4c3e-adaf-9db1363e2444/check5441412863754850016tmp/552/pom.xml'
Thanks! I'll have to think about the solution, as I'd rather not remove the http://apache.org/xml/features/disallow-doctype-decl. Thus, to solve this we might need to convert to using StAX, which would have several benefits including speed enhancements - as using performance monitoring tools, the current SAX parsing of POMs is one area that ODC spends quite a bit of time...
Notes for my future self when implementing this:
Sorry this took me so long to get to - it will be included in the next release.
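The trade-off discussed above is keeping DOCTYPE handling locked down (the disallow-doctype-decl feature is what stops external-entity and entity-expansion abuse) while still reading poms like the jslipc one, whose DTD only declares a handful of internal character entities. The following is an added example in Python on top of expat, not dependency-check's own code: it accepts a bounded set of internal entities, rejects external, parameter and nested entity declarations, and extracts only the top-level coordinates (skipping the ones under parent). The limits, sample poms and function names are constructed for this example.

```python
import xml.parsers.expat as expat

MAX_ENTITIES, MAX_VALUE_LEN = 64, 64  # assumed policy limits; tune for your poms
WANTED = ("groupId", "artifactId", "version", "description")

# Constructed samples (not from the thread). SAFE_POM mirrors the jslipc pom: internal
# character entities only, plus a <parent> block whose coordinates must not be picked up.
SAFE_POM = """<!DOCTYPE project [<!ENTITY auml "ä"> <!ENTITY szlig "ß">]>
<project xmlns="http://maven.apache.org/POM/4.0.0">
<parent><groupId>org.sonatype.oss</groupId><artifactId>oss-parent</artifactId><version>7</version></parent>
<groupId>org.jslipc</groupId><artifactId>jslipc</artifactId><version>0.2.0</version>
<description>Stra&szlig;e &auml;</description></project>"""
EXTERNAL_POM = """<!DOCTYPE project [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>
<project><groupId>&ext;</groupId></project>"""
NESTED_POM = """<!DOCTYPE project [<!ENTITY a "x"><!ENTITY b "&a;&a;&a;">]>
<project><groupId>&b;</groupId></project>"""

class PomPolicyError(ValueError):
    """The pom's DTD declares something the entity policy does not allow."""

def parse_pom(xml_text):
    """Return top-level project coordinates; internal character entities are expanded."""
    parser = expat.ParserCreate()
    # Never process parameter entities: an external DTD subset is ignored, not fetched.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    seen, path, buf, found = [0], [], [], {}

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        seen[0] += 1
        if is_param or system_id is not None or public_id is not None or notation is not None:
            raise PomPolicyError("external or parameter entity %r rejected" % name)
        if value is None or len(value) > MAX_VALUE_LEN or "&" in value:
            raise PomPolicyError("entity %r is oversized or nests other entities" % name)
        if seen[0] > MAX_ENTITIES:
            raise PomPolicyError("too many entity declarations")
    def start(name, attrs):
        path.append(name)
        buf.clear()
    def end(name):
        # Only direct children of <project> count; <parent>/<groupId> sits at depth 3.
        if len(path) == 2 and path[0] == "project" and name in WANTED:
            found[name] = "".join(buf).strip()
        path.pop()

    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = buf.append
    parser.Parse(xml_text, True)
    return found
```

Because the policy is enforced in the entity declaration handler, a hostile DTD is rejected before any element content is processed, and a pom with no DOCTYPE at all parses unchanged.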
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.