Dependencycheck: Unable to write to cache in docker

Created on 13 Aug 2019 · 2 Comments · Source: jeremylong/DependencyCheck

Describe the bug
I am trying to run dependency-check in Docker in CircleCI (I'm not using the Orb, because that seems to just be for maven or gradle projects).

When running a docker container in CircleCI, you can't mount volumes (though you can save and restore caches), so mounting something at /usr/share/dependency-check/data is not an option.

I get the following error:

Exception in thread "main" org.apache.commons.jcs.access.exception.CacheException: Unable to create disk cache: /usr/share/dependency-check/data/cache
    at org.owasp.dependencycheck.data.cache.DataCacheFactory.<init>(DataCacheFactory.java:89)
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.initialize(CentralAnalyzer.java:121)
    at org.owasp.dependencycheck.Engine.lambda$loadAnalyzers$1(Engine.java:291)
    at java.base/java.util.ArrayList.forEach(ArrayList.java:1540)
    at org.owasp.dependencycheck.Engine.loadAnalyzers(Engine.java:290)
    at org.owasp.dependencycheck.Engine.initializeEngine(Engine.java:262)
    at org.owasp.dependencycheck.Engine.<init>(Engine.java:251)
    at org.owasp.dependencycheck.Engine.<init>(Engine.java:227)
    at org.owasp.dependencycheck.Engine.<init>(Engine.java:217)
    at org.owasp.dependencycheck.App.runScan(App.java:246)
    at org.owasp.dependencycheck.App.run(App.java:183)
    at org.owasp.dependencycheck.App.main(App.java:80)
Exited with code 1

It seems that /usr/share/dependency-check/data is owned by root. I think this is because docker does something unexpected(?) when a volume is declared in the Dockerfile.

Version of dependency-check used
The problem occurs using version 5.2.1 of the CLI, under a Docker environment

Log file
https://gist.github.com/pkaeding/73a371091076e3ff55af5641c8f382c8

To Reproduce
Here is my CircleCI job config:

  dependency-check:
    working_directory: /home/dependencycheck/go/src/github.com/launchdarkly/reponame
    docker:
      - image: owasp/dependency-check
    steps:
      - checkout
      - restore_cache:
          keys: 
            - dependency-cache-{{ arch }}
      - run: 
          name: Record dependency-check version
          command: /usr/share/dependency-check/bin/dependency-check.sh --version
      - run:
          name: Scan for known vulnerable dependencies
          command: /usr/share/dependency-check/bin/dependency-check.sh --project reponame --out ./dependency-check --log ./dependency-check/dependency-check.log --enableExperimental --scan .
      - save_cache:
          key: dependency-cache-{{ arch }}
          paths:
            - /usr/share/dependency-check/data/cache
      - store_artifacts:
          path: ./dependency-check
      - store_test_results:
          path: ./dependency-check/dependency-check-junit.xml

Expected behavior
Scan results from my Gopkg.lock file.

Additional context
I can successfully run dependency-check on this project from my OS X laptop, with the following command:

dependency-check --project reponame --out ./dependency-check --format ALL --log dep-check.log --enableExperimental --scan .

I realize that the suggested way to run the docker image is to mount a volume at /usr/share/dependency-check/data, but perhaps that path could be overridden by an environment variable or something?

bug

All 2 comments

You can disable caching by adding: --disableNodeAuditCache --disableOssIndexCache --disableCentralCache.

Hmm, I get an error about being unable to lock the database when I disable the caches:

$ /usr/share/dependency-check/bin/dependency-check.sh --project reponame --out ./dependency-check --log ./dependency-check/dependency-check.log --enableExperimental --scan . --disableNodeAuditCache --disableOssIndexCache --disableCentralCache

[WARN] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[ERROR] Unable to continue dependency-check analysis.
[ERROR] One or more fatal errors occurred
[ERROR] Unable to obtain an exclusive lock on the H2 database to perform updates
[ERROR] No documents exist
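
Added example, not part of the thread or of the DependencyCheck project: a preflight that tests whether the data directory from the stack trace can actually be written by the container user, and otherwise passes a writable one to the scanner. `--data` is an existing dependency-check CLI option that nobody in the thread mentions; the function names, the `DC_FALLBACK` variable and the fallback path are assumptions.

```shell
#!/bin/sh
# Added example: preflight for the dependency-check data directory.

# Say why a candidate was rejected (stderr, so stdout carries only the result).
explain() {
    owner=$(ls -ldn "$1" 2>/dev/null | awk '{print $3}')
    echo "not writable: $1 (owner uid: ${owner:-n/a}, current uid: $(id -u))" >&2
}

# Print the first candidate under which the current user can really create
# cache files; return 1 when no candidate qualifies.
pick_data_dir() {
    for dir in "$@"; do
        # Fails when a parent is root-owned, read-only, or not a directory.
        if ! mkdir -p "$dir/cache" 2>/dev/null; then
            explain "$dir"
            continue
        fi
        # Write a probe file: ownership and mode bits alone can mislead.
        probe="$dir/cache/.write-probe.$$"
        if touch "$probe" 2>/dev/null; then
            rm -f "$probe"
            printf '%s\n' "$dir"
            return 0
        fi
        explain "$dir"
    done
    return 1
}

# Run the scan against the first writable data directory.
# DC_FALLBACK is a hypothetical variable; its default path is an assumption.
dc_scan() {
    data_dir=$(pick_data_dir /usr/share/dependency-check/data \
        "${DC_FALLBACK:-$HOME/dependency-check-data}") || return 1
    /usr/share/dependency-check/bin/dependency-check.sh --data "$data_dir" "$@"
}
```

In the CircleCI job above, the scan step would call `dc_scan --project reponame --scan .`, with `save_cache` and `restore_cache` pointed at the fallback path.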