Dependencycheck: Forbidden! When accessing bintray release 5.3.2

Created on 31 Jul 2020 · 23 comments · Source: jeremylong/DependencyCheck

Describe the bug
When accessing the bintray release of the dependency check it returns a "Forbidden!" message instead of the expected .zip.
I'm not sure if this is a problem within bintray, or if something else has been changed.
Occurs on different machines in different networks and locations.

Version of dependency-check used
Not a bug in the dependency-check itself.

Log file
Downloading: https://dl.bintray.com/jeremy-long/owasp/dependency-check-5.3.2-release.zip

[error]Unexpected HTTP response: 403

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'https://dl.bintray.com/jeremy-long/owasp/dependency-check-5.3.2-release.zip'
  2. See error

Expected behavior
Expected a zip to be downloaded when accessing the page.

Additional context
image

bug

All 23 comments

This error is for all downloads not just 5.3.2.

We have the same problem. This is blocking our release pipeline, please fix this quickly.

Same for us, it blocks all our pipelines. Any idea when this will be fixed?

Hi we are having the same problem on our pipelines and it is blocking us too.

Unfortunately, it looks like this won't be fixed until tomorrow.

@jeremylong, do you have a suggestion for a workaround? Do you have an ETA of when it might be fixed? Thanks

See my comment above - should be fixed tomorrow. Workaround: consider hosting the CLI locally in your environment (if you don't have a copy, consider building from source); alternatively, use the Docker image.

Sorry, I am a little confused with this comment:

Unfortunately, it looks like this won't be fixed tomorrow.

Will be the issue fixed tomorrow?

Sorry - I missed "until". This won't be fixed until tomorrow.

This is a critical issue for anybody using the Jenkins plugin since it loads every time. We have to run multiple scans every day and we are already falling behind. Even if you want to turn off the auto-install and install it once yourself into your own docker image, we need to get to that zip file at least one time. We are completely prevented - this is pretty serious.

Trying different things. Looks like the Maven build fails on the latest release, so we are trying to find a way to use the Docker image - pulling it, running it locally and then copying out the install to make our own zip, hopefully. Jeremy, is there any way you can make that zip available (say, 5.3.2) on any other repository?

A maven build should not be affected by this issue unless you are invoking the command line - which isn't the best option. Maven builds should use the maven plugin.

You can simply clone the repo, check out tag v5.3.2, build the zip yourself and host it in a location for your organization.

This should now be resolved.

Thanks so much. I've verified this is working again. We'll work on a backup plan in case this happens again.

By the way, can you explain what happened on bintray? If it happens in the future, is there a better way for us to report it? Maybe directly to bintray somehow? Thanks, Mike

The account hit a rate limit.

Has the rate limit been increased? I ask because we have many more scans to run and also more often.

I've been monitoring this situation - and we might hit the limit again this month. However, I highly recommend that people update their scripts and point directly to the CLI or Ant Task hosted on the GitHub releases:

CLI: https://github.com/jeremylong/DependencyCheck/releases/download/v6.0.2/dependency-check-6.0.2-release.zip
Ant: https://github.com/jeremylong/DependencyCheck/releases/download/v6.0.2/dependency-check-ant-6.0.2-release.zip

@jeremylong
Unable to download OWASP latest version (or any version) using the Jenkins plugin. Getting Forbidden or 403 error; may I know the reason, please? All our pipelines are failing.
FATAL: Failed to install https://dl.bintray.com/jeremy-long/owasp/dependency-check-6.0.1-release.zip
java.io.IOException: Server returned HTTP response code: 403 for URL: https://dl.bintray.com/jeremy-long/owasp/dependency-check-6.0.1-release.zip
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1900)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:3061)
at java.net.URLConnection.getHeaderFieldLong(URLConnection.java:629)
at java.net.URLConnection.getContentLengthLong(URLConnection.java:501)
at java.net.URLConnection.getContentLength(URLConnection.java:485)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getContentLength(HttpsURLConnectionImpl.java:412)
at org.jvnet.robust_http_client.RetryableHttpStream.<init>(RetryableHttpStream.java:90)

We got 43 scans with that error below this morning. I’m curious why this couldn’t be somehow cached by the Jenkins plugin. In the past, it was. Then, when the new version came out, it stopped being cached.

How long until we can run our scans again?

Thanks,

Michael Corum
VP, Technical Architecture Solutions


As a tip,

Run with a specific environment variable. Example one-liner, using the Python package:

DEPENDENCY_CHECK_URL="https://github.com/jeremylong/DependencyCheck/releases/download/v6.0.2/dependency-check-6.0.2-release.zip" dependency-check --scan ./src --enableExperimental --format "ALL" --out build/reports --symLink 50

For the latest - you can use the github release URL above. For 5.x - you'll likely have to wait until the 1st before things clear up...

I've been monitoring this situation - and we _might_ hit the limit again this month. However, I highly recommend that people update their scripts and point directly to the CLI or Ant Task hosted on the GitHub releases:

CLI: https://github.com/jeremylong/DependencyCheck/releases/download/v6.0.2/dependency-check-6.0.2-release.zip
Ant: https://github.com/jeremylong/DependencyCheck/releases/download/v6.0.2/dependency-check-ant-6.0.2-release.zip

Is there a way to verify the cryptographic integrity of your download? (CLI)
Thanks

Yes - just like with Bintray. Take a look at the release assets:

https://github.com/jeremylong/DependencyCheck/releases/tag/v6.0.2
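The two pieces of advice in this thread (host the CLI zip yourself instead of pulling it from bintray on every run, and check the release's published digest before using it) combined into one pipeline helper. This is an added example, not code from the issue or from the DependencyCheck project; it assumes the SHA-256 is copied by hand from the release assets page (DC_SHA256 below is a placeholder, not the real digest), that curl and sha256sum or shasum are installed, and that the zip unpacks to dependency-check/bin/dependency-check.sh.

```shell
#!/bin/sh
# Added example, not code from the issue or the DependencyCheck project:
# fetch the CLI zip from the GitHub release URL recommended in the thread,
# cache it locally so pipelines stop depending on a rate-limited host, and
# refuse to use it unless its SHA-256 matches the digest copied by hand from
# the release assets page. Assumptions: DC_SHA256 below is a placeholder, not
# the real digest; curl plus sha256sum or shasum exist; the zip unpacks to
# dependency-check/bin/dependency-check.sh.
set -eu
DC_VERSION="6.0.2"
DC_URL="https://github.com/jeremylong/DependencyCheck/releases/download/v${DC_VERSION}/dependency-check-${DC_VERSION}-release.zip"
DC_SHA256="PLACEHOLDER_PASTE_SHA256_FROM_RELEASE_ASSETS"
CACHE_DIR="${DC_CACHE_DIR:-${HOME:-/tmp}/.cache/dependency-check}"
# Print the lower-case hex SHA-256 of a file with whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1 | tr 'A-F' 'a-f'
  else
    shasum -a 256 "$1" | cut -d' ' -f1 | tr 'A-F' 'a-f'
  fi
}
# Return 0 only when the file's digest equals the expected one (either case).
verify_sha256() {
  [ "$(sha256_of "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}
# Download once into the cache, verify on every run; a copy that fails the
# check is deleted so a truncated or tampered zip is never reused later.
cached_fetch() {
  url="$1"; expected="$2"; dest="$3"
  if [ ! -f "$dest" ]; then
    mkdir -p "$(dirname "$dest")"
    if ! curl -fsSL --retry 3 -o "$dest.part" "$url"; then
      rm -f "$dest.part"; echo "download failed: $url" >&2; return 1
    fi
    mv "$dest.part" "$dest"
  fi
  if ! verify_sha256 "$dest" "$expected"; then
    rm -f "$dest"; echo "SHA-256 mismatch, removed $dest" >&2; return 1
  fi
}
# Full pipeline step; call main from your CI script once DC_SHA256 is set.
main() {
  zipfile="$CACHE_DIR/dependency-check-${DC_VERSION}-release.zip"
  cached_fetch "$DC_URL" "$DC_SHA256" "$zipfile"
  unzip -qo "$zipfile" -d "$CACHE_DIR"
  "$CACHE_DIR/dependency-check/bin/dependency-check.sh" --scan ./src --format ALL --out build/reports
}
```

Because the zip is only downloaded when absent from the cache, a burst of scans costs one download instead of one per job, which is exactly the pattern that tripped the bintray rate limit.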
