I try to use dependency-check-maven in every test build job in Jenkins:
mvn org.owasp:dependency-check-maven:6.2.2:aggregate -DskipSystemScope=true -Dformat=ALL -DprettyPrint=true -DcentralAnalyzerEnabled=false -DassemblyAnalyzerEnabled=false -DyarnAuditAnalyzerEnabled=false -DbundleAuditAnalyzerEnabled=false -DversionCheckEnabled=true
Unfortunately I have a problem with few projects and Node Audit Analyzer, which checks package-lock.json files.
During running Maven's plugin there's a warning in log:
[WARNING] An error occurred while analyzing '/var/lib/jenkins/workspace/testbuild/project/module-web/src/main/resources/dev/package-lock.json' (Node Audit Analyzer).
which cause final error:
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.2.2:aggregate (default-cli) on project project: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis:
[ERROR] AnalysisException: Failed to read results from the NPM Audit API (NodeAuditAnalyzer); the analyzer is being disabled and may result in false negatives.
[ERROR] caused by SocketException: Connection reset
[ERROR] AnalysisException: Failed to read results from the NPM Audit API (NodeAuditAnalyzer); the analyzer is being disabled and may result in false negatives.
[ERROR] caused by IOException: Error writing to server
In most problematic projects there's only one error: SocketException: Connection reset OR IOException: Error writing to server, but sometimes there are both of them in the same build log.
To use this plugin I added parameter -DnodeAuditAnalyzerEnabled=false but it's not a solution I want to accept.
I tried to execute Maven in debug mode. Here's a stacktrace with mentioned error:
[DEBUG] Error reading dependency or connecting to NPM Audit API
java.io.IOException: Error writing to server
at sun.net.www.protocol.http.HttpURLConnection.writeRequests (HttpURLConnection.java:699)
at sun.net.www.protocol.http.HttpURLConnection.writeRequests (HttpURLConnection.java:711)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0 (HttpURLConnection.java:1585)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream (HttpURLConnection.java:1492)
at java.net.HttpURLConnection.getResponseCode (HttpURLConnection.java:480)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode (HttpsURLConnectionImpl.java:347)
at org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage (NodeAuditSearch.java:176)
at org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage (NodeAuditSearch.java:133)
at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzePackage (NodeAuditAnalyzer.java:188)
at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency (NodeAuditAnalyzer.java:145)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run (FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:624)
at java.lang.Thread.run (Thread.java:748)
[WARNING] An error occurred while analyzing '/var/lib/jenkins/workspace/testbuild/project/module-web/src/main/resources/dev/package-lock.json' (Node Audit Analyzer).
[DEBUG]
org.owasp.dependencycheck.analyzer.exception.AnalysisException: Failed to read results from the NPM Audit API (NodeAuditAnalyzer); the analyzer is being disabled and may result in false negatives.
at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzePackage (NodeAuditAnalyzer.java:197)
at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency (NodeAuditAnalyzer.java:145)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run (FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:624)
at java.lang.Thread.run (Thread.java:748)
Caused by: java.io.IOException: Error writing to server
at sun.net.www.protocol.http.HttpURLConnection.writeRequests (HttpURLConnection.java:699)
at sun.net.www.protocol.http.HttpURLConnection.writeRequests (HttpURLConnection.java:711)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0 (HttpURLConnection.java:1585)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream (HttpURLConnection.java:1492)
at java.net.HttpURLConnection.getResponseCode (HttpURLConnection.java:480)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode (HttpsURLConnectionImpl.java:347)
at org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage (NodeAuditSearch.java:176)
at org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage (NodeAuditSearch.java:133)
at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzePackage (NodeAuditAnalyzer.java:188)
at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency (NodeAuditAnalyzer.java:145)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run (FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:624)
at java.lang.Thread.run (Thread.java:748)
[INFO] Finished Node Audit Analyzer (31 seconds)
In the same log in debug mode I found URL used by the anylyzer - https://registry.npmjs.org/-/npm/v1/security/audits Maybe this service has some limits?
I would be grateful for any help.
I was getting a similar error:
NodeAuditAnalyzer failed on ...\package-lock.json
An error occurred while analyzing '...\package-lock.json' (Node Audit Analyzer).
Deleting package-lock.json and the node_modules directory then running npm install to recreate fixed the issue.
Related
When I try to build Flutter app for Android release, I get the following error:
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':app:signReleaseBundle'.
> A failure occurred while executing com.android.build.gradle.internal.tasks.Workers$ActionFacade
> Failed to read key androiddebugkey from store "/Users/builder/.android/debug.keystore": Integrity check failed: java.security.NoSuchAlgorithmException: Algorithm HmacPBESHA256 not available
I'm trying to build a package for ArchLinux with the following command:
extra-x86_64-build -cr archbuild
It fails with the following error:
Dropping capabilities failed: Operation not permitted
Child died too early.
==> ERROR: Aborting...
I have no idea why is it failing.
Update: Running as root or a normal user makes no difference, both return the same error.
redissonClient.getNodesGroup().pingAll()
Returning true but still getting the exception ->
[10-09-2018 21:00:05.337] [redisson-netty-2-6]
[ERROR]
DNSMonitor$1$1:98 cr_id= parent_reqid= reqid=
Unable to resolve
xxxx.redis.cache.windows.net java.net.UnknownHostException: failed to
resolve 'xxxx.redis.cache.windows.net' after 4 queries
Fixed in 2.15.1 / 3.10.1 versions
I am getting miss-jar file errors with .examples/pom.xml. Below is the error message. Anyone knows how to resolve this? Thanks a lot.
[ERROR] Failed to execute goal on project ignite-examples: Could not resolve dependencies for project org.apache.ignite:ignite-examples:jar:2.0.0: Failure to find org.apache.ignite:ignite-apache-license-gen:jar:2.0.0 in https://repo.maven.apache.org/maven2 was cached in the local repository, resolution will not be reattempted until the update interval of central has elapsed or updates are forced -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionException
Try to build project with -am option, -am builds projects that your project depends on
I added the following to build.sbt (doing programmatic login with embedded GlassFish for unit tests):
libraryDependencies += "org.glassfish.main.security" % "security-all" % "4.0"
However sbt seems to try to fetch the wrong URL. It tries to get (note the additional glassfish- in the extension):
http://repo1.maven.org/maven2/org/glassfish/main/security/security-ee/4.0/security-ee-4.0.glassfish-jar
But the actual jar file is at:
http://repo1.maven.org/maven2/org/glassfish/main/security/security-ee/4.0/security-ee-4.0.jar
So instead of using .jar as the extension it appears to be using .glassfish-jar for some reason and am facing the following download failed errors:
[trace] Stack trace suppressed: run last *:update for the full output.
[error] (*:update) sbt.ResolveException: download failed: org.glassfish.main.security#security;4.0!security.glassfish-jar
[error] download failed: org.glassfish.main.admin#config-api;4.0!config-api.glassfish-jar
[error] download failed: org.glassfish.main.common#common-util;4.0!common-util.glassfish-jar
[error] download failed: org.glassfish.main.common#glassfish-api;4.0!glassfish-api.glassfish-jar
[error] download failed: org.glassfish.main.common#scattered-archive-api;4.0!scattered-archive-api.glassfish-jar
[error] download failed: org.glassfish.main.security#ssl-impl;4.0!ssl-impl.glassfish-jar
[error] download failed: org.glassfish.main.common#internal-api;4.0!internal-api.glassfish-jar
[error] download failed: org.glassfish.main.deployment#deployment-common;4.0!deployment-common.glassfish-jar
[error] download failed: org.glassfish.main.security#security-ee;4.0!security-ee.glassfish-jar
[error] download failed: org.glassfish.main.common#glassfish-ee-api;4.0!glassfish-ee-api.glassfish-jar
[error] download failed: org.glassfish.main.deployment#dol;4.0!dol.glassfish-jar
[error] download failed: org.glassfish.main.common#annotation-framework;4.0!annotation-framework.glassfish-jar
[error] download failed: org.glassfish.main.security#jaspic.provider.framework;4.0!jaspic.provider.framework.glassfish-jar
[error] download failed: org.glassfish.main.ejb#ejb-internal-api;4.0!ejb-internal-api.glassfish-jar
[error] download failed: org.glassfish.main.connectors#connectors-internal-api;4.0!connectors-internal-api.glassfish-jar
[error] download failed: org.glassfish.main.transaction#transaction-internal-api;4.0!transaction-internal-api.glassfish-jar
[error] download failed: org.glassfish.main.admin#admin-util;4.0!admin-util.glassfish-jar
[error] download failed: org.glassfish.main.security#security-services;4.0!security-services.glassfish-jar
[error] download failed: org.glassfish.main.resources#resources-connector;4.0!resources-connector.glassfish-jar
[error] download failed: org.glassfish.main.resourcebase.resources#nucleus-resources;4.0!nucleus-resources.glassfish-jar
[error] download failed: org.glassfish.main.security#inmemory.jacc.provider;4.0!inmemory.jacc.provider.glassfish-jar
I have no idea why or even where to look. I would think it would be something with the pom file, but Netbeans (probably the Maven embedded in Netbeans) did not have any trouble with the same pom.
Also, all the "transitive" jars end up have the wrong URL as well, so they all fail.
I worked around it with this:
libraryDependencies += "org.glassfish.main.security" % "security-ee" % "4.0" from "http://repo1.maven.org/maven2/org/glassfish/main/security/security-ee/4.0/security-ee-4.0.jar" intransitive()
but I would rather not have to do that hoping there is a way to do this properly. My searches for a real solution to this came up empty. Please advise.
The reason for the behaviour is that the module defines the packaging glassfish-jar for some of the transitive dependencies - see inmemory.jacc.provider-4.0.pom and security-4.0.pom:
<packaging>glassfish-jar</packaging>
Run sbt update in the project and open target/resolution-cache/reports/default-glassfish-security_2.10-compile.xml for the resolution report for the Compile (default) configuration.
Use sbt-dependency-graph to visualize your project's dependencies.