We are running a scan using the command-line utility of DCT 5.2.0 on Windows. Earlier we faced an error due to dot net core not being present; after installing it and giving the path in the command, it was working fine. Now we are again getting the same error, though dot net core is present. Please find the command and result below. Please suggest what might cause this error now.
:\DCT Scan\dependency-check-5.2.0-release\bin>dependency-check.bat --project IR --scan "D:\SourceCode" --format ALL --dotnet "C:\Program Files\dotnet\dotnet.exe" --proxyserver xxx.xxx.x.xx --proxyport 8080
[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 4 hours.
[INFO] Skipping RetireJS update since last update was within 24 hours.
[INFO] Check for updates complete (23 ms)
[INFO]
Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user's risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
[INFO] Analysis Started
[INFO] Finished Archive Analyzer (3 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Nuspec Analyzer (0 seconds)
[INFO] Finished Nugetconf Analyzer (0 seconds)
[INFO] Finished MSBuild Project Analyzer (0 seconds)
[ERROR] ----------------------------------------------------
[ERROR] .NET Assembly Analyzer could not be initialized and at least one 'exe' or 'dll' was scanned. The 'dotnet' executable could not be found on the path; either disable the Assembly Analyzer or configure the path dotnet core.
[ERROR] ----------------------------------------------------
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (4 seconds)
[INFO] Finished CPE Analyzer (5 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (19 seconds)
We are getting the same error with 5.2.1 as well.
Can you run dotnet --version?
I get this response when I tried the command. But for some reason the error is not coming now. Thank you.
Did you mean to run dotnet SDK commands? Please install dotnet SDK from:
https://go.microsoft.com/fwlink/?LinkID=798306&clcid=0x409
I am facing the same problem with plugin version 5.2.1. I try to run mvn verify and mvn dependency-check:check and with both commands, the error that I see is "One or more exceptions occurred during analysis: An error occurred with the .NET AssemblyAnalyzer".
The stacktrace is:
Caused by: org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during analysis: An error occurred with the .NET AssemblyAnalyzer
at org.owasp.dependencycheck.Engine.analyzeDependencies (Engine.java:705)
at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1403)
at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:802)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke (Method.java:566)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
I am using MacOS 10.14.6, Maven version 3.6.1 and DotNet version 3.0.100-preview8-013656.
@hofmanj can you run dotnet --version and post the results? Also, have you specified the path to the dotnet executable in the configuration of dependency-check?
@jeremylong The result of dotnet --version is: 3.0.100-preview8-013656.
I have not set the path to the executable in the configuration; I assume you mean in the configuration tag of the plugin in the POM file. Dotnet is recognised as a command in the terminal if that is of any use.
I also just found out that the dependency-check-report.html is generated anyway, even though the dotnet assemblyanalyzer error occurred.
If you do not have any dotnet - you can disable the dotnet analyzer. Alternatively, you can set the path to dotnet. In some cases even if dotnet is on the path in the terminal - I've seen the path not get fully passed into the JVM. As such, you may need to explicitly set the path to dotnet.
I had the same error (using dependency check 5.2.2). Then I installed dotnet and provided the --dotnet parameter with correct path when running dependency-check.bat.
Now I get the following error:
2019-10-24T11:13:46.5301847Z [WARN] An error occurred with the .NET AssemblyAnalyzer;
2019-10-24T11:13:46.5302210Z this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.
2019-10-24T11:13:46.5303670Z [ERROR] Exception occurred initializing Assembly Analyzer.
And this error is shown in the log file:
ERROR - An error occurred with the .NET AssemblyAnalyzer
2019-10-24 13:13:52,300 org.owasp.dependencycheck.App:206
DEBUG - unexpected error
org.owasp.dependencycheck.exception.InitializationException: An error occurred with the .NET AssemblyAnalyzer
at org.owasp.dependencycheck.analyzer.AssemblyAnalyzer.prepareFileTypeAnalyzer(AssemblyAnalyzer.java:403)
at org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer.prepareAnalyzer(AbstractFileTypeAnalyzer.java:83)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.prepare(AbstractAnalyzer.java:102)
at org.owasp.dependencycheck.Engine.initializeAnalyzer(Engine.java:842)
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:678)
at org.owasp.dependencycheck.App.runScan(App.java:251)
at org.owasp.dependencycheck.App.run(App.java:183)
at org.owasp.dependencycheck.App.main(App.java:80)
Caused by: org.owasp.dependencycheck.xml.assembly.GrokParseException: org.xml.sax.SAXException: Line=1, Column=1: Premature end of file.
at org.owasp.dependencycheck.xml.assembly.GrokParser.parse(GrokParser.java:103)
at org.owasp.dependencycheck.analyzer.AssemblyAnalyzer.prepareFileTypeAnalyzer(AssemblyAnalyzer.java:380)
... 7 common frames omitted
Caused by: org.xml.sax.SAXException: Line=1, Column=1: Premature end of file.
at org.owasp.dependencycheck.xml.assembly.GrokErrorHandler.fatalError(GrokErrorHandler.java:71)
at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(Unknown Source)
at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(Unknown Source)
at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(Unknown Source)
at com.sun.org.apache.xerces.internal.impl.XMLScanner.reportFatalError(Unknown Source)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$PrologDriver.next(Unknown Source)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(Unknown Source)
at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(Unknown Source)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(Unknown Source)
at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
at org.owasp.dependencycheck.xml.assembly.GrokParser.parse(GrokParser.java:92)
... 8 common frames omitted
@mradckeIRT I'm seeing the same issue when used with DotNet Core 3.
With the soon to be released 5.4.0 we will be switching from dotnet 2.x to dotnet 3.1.
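An added example, not part of the thread or of dependency-check itself: a CI check that scans dependency-check console output for the Assembly Analyzer failures quoted above and fails the job, since the run still completes and the report is still generated when the analyzer does not start. The function name and the kind labels are hypothetical; the matched message fragments and the sample lines are copied from the output posted in this thread.

```python
import sys

# Message fragments copied from the dependency-check output quoted in this thread,
# most specific first. The kind labels are hypothetical names for this example.
SIGNATURES = [
    ("dotnet-not-found", "'dotnet' executable could not be found on the path"),
    ("unparseable-analyzer-output", "GrokParseException"),
    ("init-failed", "Exception occurred initializing Assembly Analyzer"),
    ("init-failed", ".NET Assembly Analyzer could not be initialized"),
    ("analyzer-error", "An error occurred with the .NET AssemblyAnalyzer"),
]

def check_scan_log(log_text):
    """Classify Assembly Analyzer failures in dependency-check console output."""
    failures, completed = [], False
    for line in log_text.splitlines():
        if "Analysis Complete" in line:
            completed = True
        for kind, needle in SIGNATURES:
            if needle in line:
                if kind not in failures:
                    failures.append(kind)
                break  # one label per line: the most specific match
    return {
        "failures": failures,
        "completed": completed,
        # True only when no Assembly Analyzer failure was logged
        "dotnet_coverage_ok": not failures,
    }

# Sample input: lines copied from the two logs posted in this thread.
CLI_LOG = """[INFO] Finished MSBuild Project Analyzer (0 seconds)
[ERROR] .NET Assembly Analyzer could not be initialized and at least one 'exe' or 'dll' was scanned. The 'dotnet' executable could not be found on the path; either disable the Assembly Analyzer or configure the path dotnet core.
[INFO] Analysis Complete (19 seconds)"""

CI_LOG = """2019-10-24T11:13:46.5301847Z [WARN] An error occurred with the .NET AssemblyAnalyzer;
2019-10-24T11:13:46.5303670Z [ERROR] Exception occurred initializing Assembly Analyzer.
Caused by: org.owasp.dependencycheck.xml.assembly.GrokParseException: org.xml.sax.SAXException: Line=1, Column=1: Premature end of file."""

if __name__ == "__main__":
    # Pass a saved console log as the first argument; falls back to the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else CLI_LOG
    result = check_scan_log(text)
    print(result)
    sys.exit(0 if result["dotnet_coverage_ok"] else 1)
```

A non-zero exit with `completed` set to true is the case described in the thread: the scan finished and produced a report, but the Assembly Analyzer did not run.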