Describe the bug
I am facing the same issue which is described in https://github.com/jeremylong/DependencyCheck/issues/2642
The above issue is closed in 6.0.1, and I am using Maven dependency 6.0.1, but I am still facing the same issue.
[ERROR] Failed to initialize the RetireJS repo: /Users/<userid>/.m2/repository/org/owasp/dependency-check-utils/6.0.1/../../dependency-check-data/5.0/jsrepository.json appears to be malformed. Please delete the file or run the dependency-check purge command and re-try running dependency-check.
Version of dependency-check used
The problem occurs using version 6.0.1 of the maven plugin
Log file
[ERROR] Failed to initialize the RetireJS repo: /Users/<userid>/.m2/repository/org/owasp/dependency-check-utils/6.0.1/../../dependency-check-data/5.0/jsrepository.json appears to be malformed. Please delete the file or run the dependency-check purge command and re-try running dependency-check.
To Reproduce
Run the mvn clean install multiple times.
Expected behavior
Build shouldn't fail saying that jsrepository.json appears to be malformed.
Additional context
NA
Are you saying that you are just running the same command over and over and the error is occurring? Or is this only happening with multiple parallel scans?
Hi @jeremylong, Thanks for the quick response.
Initially, after adding the maven plugin I was able to build and generate the report successfully. But now if I try to build a project using 'mvn clean install' it is failing with the above error.
I do have the same error, but for me it never worked (integrated it only today).
Can anyone experiencing this error please post a debug log (i.e. add --log odc.log)? I can't get this error to occur and I'm wondering what the stack trace might reveal in terms of caused by.
Much like we do with the H2 database - I just added code to copy the retireJS repo before reading it:
https://github.com/jeremylong/DependencyCheck/commit/e25667f646f25fa037154fe26c726144bd21e555#diff-de99bcc0765863385b642cb051d45cbbR205-R216
Can anyone experiencing this issue confirm if the fix in 6.0.2 resolves this issue?
Hello Jeremy,
I am using version 6.0.2 and I am facing the same issue.
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.0.2:check (default) on project toto: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis:
[ERROR] Failed to initialize the RetireJS repo: C:\Jojo\AppData\Local\Temp\2\dctempf364b234-9d5c-4275-83b6-cda02bd2e44f\jsrepository.json appears to be malformed. Please delete the file or run the dependency-check purge command and re-try running dependency-check.
[ERROR] Failed to request component-reports
[ERROR] -> [Help 1]
[ERROR]
Well, deleting the file did not help, but the purge worked.
Hello Jeremy,
I am using version 6.0.2 and I am also facing the same issue.
Can anyone facing this issue zip up their jsrepository.json (from the data directory) and share it?
Hi Jeremy--
My jsrepository.json file was an empty file. But I grabbed a replacement from https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json then put it in the data directory. This seems to have allowed me to run without errors.
The file is empty because when I initially ran the dependency check the following error occurred retrieving the file:
[ERROR] Failed to initialize the RetireJS repo
org.owasp.dependencycheck.data.update.exception.UpdateException: Failed to initialize the RetireJS repo
at org.owasp.dependencycheck.data.update.RetireJSDataSource.initializeRetireJsRepo(RetireJSDataSource.java:140)
at org.owasp.dependencycheck.data.update.RetireJSDataSource.update(RetireJSDataSource.java:89)
at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:855)
at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:662)
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:592)
at org.owasp.dependencycheck.App.runScan(App.java:254)
at org.owasp.dependencycheck.App.run(App.java:186)
at org.owasp.dependencycheck.App.main(App.java:81)
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Download failed, unable to copy 'https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json' to 'C:\Users\p32661\Downloads\dependency-check\data\jsrepository.json'; Error downloading file https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json; unable to connect.
at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:99)
at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:74)
at org.owasp.dependencycheck.data.update.RetireJSDataSource.initializeRetireJsRepo(RetireJSDataSource.java:138)
... 7 common frames omitted
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error downloading file https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json; unable to connect.
at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:239)
at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch(HttpResourceConnection.java:138)
at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:94)
... 9 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Unknown Source)
at sun.security.ssl.TransportContext.fatal(Unknown Source)
at sun.security.ssl.TransportContext.fatal(Unknown Source)
at sun.security.ssl.TransportContext.fatal(Unknown Source)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source)
at sun.security.ssl.SSLHandshake.consume(Unknown Source)
at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
at sun.security.ssl.TransportContext.dispatch(Unknown Source)
at sun.security.ssl.SSLTransport.decode(Unknown Source)
at sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:178)
... 11 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 27 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 33 common frames omitted
[INFO] Begin database defrag
This issue occurs in both 5.3.2 (which used to work) and 6.0.2.
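Added example (not part of the thread and not dependency-check's own code): the last report above traces the "malformed" error to an empty jsrepository.json left behind by a download that failed its TLS handshake. The sketch below classifies a cached file and only swaps in a new download after it parses, so a failed fetch cannot overwrite a good cache. The function names, the sample payload and the assumption that the repository is a non-empty top-level JSON object are all hypothetical.

```python
import json
import os
import tempfile

# Constructed sample; assumption: the repository is one top-level JSON object
# keyed by library name (the page does not show the file's contents).
SAMPLE = b'{"example-lib": {"vulnerabilities": [], "extractors": {}}}'


def classify_cache(path):
    """Return 'missing', 'empty', 'malformed' or 'ok' for a cached repo file."""
    if not os.path.isfile(path):
        return "missing"
    if os.path.getsize(path) == 0:
        return "empty"  # the state a failed download left behind in the thread
    try:
        with open(path, "rb") as fh:
            doc = json.load(fh)
    except ValueError:  # covers JSONDecodeError and undecodable bytes
        return "malformed"
    return "ok" if isinstance(doc, dict) and doc else "malformed"


def install_atomically(payload, dest):
    """Validate downloaded bytes, then rename them into place; False if rejected."""
    try:
        doc = json.loads(payload)
    except ValueError:
        return False
    if not isinstance(doc, dict) or not doc:
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".", suffix=".part")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(payload)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, dest)  # atomic when tmp and dest share a filesystem
        return True
    finally:
        if os.path.exists(tmp):
            os.remove(tmp)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        cache = os.path.join(d, "jsrepository.json")
        open(cache, "wb").close()  # simulate the empty file from the thread
        print(classify_cache(cache), install_atomically(b"", cache))
        print(install_atomically(SAMPLE, cache), classify_cache(cache))
```

An "empty" or "malformed" result on the data directory's jsrepository.json points at the download step, which is where the PKIX error in the trace above occurred.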