6.0.1 - RetireJS checks frequently fail due to corrupt jsrepository.json file #2810

Closed
narayanagowdas opened this issue Sep 14, 2020 · 11 comments

@narayanagowdas

Describe the bug
I am facing the same issue that is described in #2642.
The above issue is closed in 6.0.1, and I am using Maven dependency 6.0.1, but I am still facing the same issue.

Dependency added in pom.xml

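```xml
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>6.0.1</version>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```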

Error log

[ERROR] Failed to initialize the RetireJS repo: /Users/<userid>/.m2/repository/org/owasp/dependency-check-utils/6.0.1/../../dependency-check-data/5.0/jsrepository.json appears to be malformed. Please delete the file or run the dependency-check purge command and re-try running dependency-check.

Version of dependency-check used
The problem occurs using version 6.0.1 of the maven plugin

Log file
[ERROR] Failed to initialize the RetireJS repo: /Users/<userid>/.m2/repository/org/owasp/dependency-check-utils/6.0.1/../../dependency-check-data/5.0/jsrepository.json appears to be malformed. Please delete the file or run the dependency-check purge command and re-try running dependency-check.

To Reproduce
Run the mvn clean install multiple times.

Expected behavior
Build shouldn't fail saying that jsrepository.json appears to be malformed.

Additional context
NA

@jeremylong
Owner

Are you saying just running the same command over and over and the error is occurring? Or is this only happening with multiple parallel scans?

@narayanagowdas
Author

Hi @jeremylong, Thanks for the quick response.
Initially, after adding the maven plugin I was able to build and generate the report successfully. But now if I try to build a project using 'mvn clean install' it is failing with the above error.

@OmarHawk

I do have the same error, but for me it never worked (integrated it only today).

@jeremylong
Owner

Can anyone experiencing this error please post a debug log (i.e. add --log odc.log)? I can't get this error to occur and I'm wondering what the stack trace might reveal in terms of caused by.

@jeremylong
Owner

Much like we do with the H2 database - I just added code to copy the retireJS repo before reading it:

e25667f#diff-de99bcc0765863385b642cb051d45cbbR205-R216

@jeremylong jeremylong added this to the 6.0.2 milestone Sep 21, 2020
@jeremylong jeremylong self-assigned this Sep 24, 2020
@jeremylong
Owner

Can anyone experiencing this issue confirm if the fix in 6.0.2 resolves this issue?

@wajdiBen

Hello Jeremy,
I am using version 6.0.2 and I am facing the same issue.

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.0.2:check (default) on project toto: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis:
[ERROR] Failed to initialize the RetireJS repo: C:\Jojo\AppData\Local\Temp\2\dctempf364b234-9d5c-4275-83b6-cda02bd2e44f\jsrepository.json appears to be malformed. Please delete the file or run the dependency-check purge command and re-try running dependency-check.
[ERROR] Failed to request component-reports
[ERROR] -> [Help 1]
[ERROR]

@wajdiBen

Well, deleting the file did not help, but the purge worked.

@ghost

ghost commented Oct 19, 2020

Hello Jeremy,
I am using version 6.0.2 and I am also facing the same issue.

@jeremylong
Owner

Can anyone facing this issue zip up their jsrepository.json (from the data directory) and share it?

@jeremylong jeremylong removed this from the 6.0.2 milestone Oct 19, 2020
@pdxhondo

Hi Jeremy--

My jsrepository.json file was an empty file. But I grabbed a replacement from https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json then put it in the data directory. This seems to have allowed me to run without errors.

The file is empty because when I initially ran the dependency check the following error occurred retrieving the file:

[ERROR] Failed to initialize the RetireJS repo
org.owasp.dependencycheck.data.update.exception.UpdateException: Failed to initialize the RetireJS repo
        at org.owasp.dependencycheck.data.update.RetireJSDataSource.initializeRetireJsRepo(RetireJSDataSource.java:140)
        at org.owasp.dependencycheck.data.update.RetireJSDataSource.update(RetireJSDataSource.java:89)
        at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:855)
        at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:662)
        at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:592)
        at org.owasp.dependencycheck.App.runScan(App.java:254)
        at org.owasp.dependencycheck.App.run(App.java:186)
        at org.owasp.dependencycheck.App.main(App.java:81)
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Download failed, unable to copy 'https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json' to 'C:\Users\p32661\Downloads\dependency-check\data\jsrepository.json'; Error downloading file https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json; unable to connect.
        at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:99)
        at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:74)
        at org.owasp.dependencycheck.data.update.RetireJSDataSource.initializeRetireJsRepo(RetireJSDataSource.java:138)
        ... 7 common frames omitted
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error downloading file https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json; unable to connect.
        at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:239)
        at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch(HttpResourceConnection.java:138)
        at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:94)
        ... 9 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alert.createSSLException(Unknown Source)
        at sun.security.ssl.TransportContext.fatal(Unknown Source)
        at sun.security.ssl.TransportContext.fatal(Unknown Source)
        at sun.security.ssl.TransportContext.fatal(Unknown Source)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source)
        at sun.security.ssl.SSLHandshake.consume(Unknown Source)
        at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
        at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
        at sun.security.ssl.TransportContext.dispatch(Unknown Source)
        at sun.security.ssl.SSLTransport.decode(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
        at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:178)
        ... 11 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        ... 27 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        ... 33 common frames omitted
[INFO] Begin database defrag

This issue occurs in both 5.3.2 (which used to work) and 6.0.2.
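
The failure mode reported above (a failed download leaving a zero-byte `jsrepository.json` in the data directory, which later reads as malformed) can be detected before a scan and avoided when refreshing the file. The following is an added example, not part of this thread and not dependency-check's own code; the function names and the sample payload are constructed, and the "non-empty JSON object" shape check is an assumption about what a usable repository file looks like.

```python
import json
import os
import tempfile
from pathlib import Path


def classify_repo_file(path):
    """Return 'missing', 'empty', 'malformed' or 'ok' for a cached jsrepository.json."""
    p = Path(path)
    if not p.is_file():
        return "missing"
    if p.stat().st_size == 0:
        return "empty"  # the state a failed download left behind in the report above
    try:
        data = json.loads(p.read_text(encoding="utf-8"))
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return "malformed"
    # Assumption: a usable repository is a non-empty JSON object keyed by library name.
    if not isinstance(data, dict) or not data:
        return "malformed"
    return "ok"


def install_repo_file(payload, dest):
    """Stage payload in a temp file beside dest, validate it, then atomically replace dest.

    Returns True if installed. On any validation failure the existing dest is untouched,
    so a truncated or empty download never overwrites a good cached copy.
    """
    dest = Path(dest)
    fd, tmp = tempfile.mkstemp(dir=dest.parent, prefix=dest.name + ".", suffix=".tmp")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(payload)
        if classify_repo_file(tmp) != "ok":
            return False
        os.replace(tmp, dest)  # atomic within one filesystem
        return True
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)


if __name__ == "__main__":
    sample = b'{"example-lib": {"vulnerabilities": [], "extractors": {}}}'  # constructed
    with tempfile.TemporaryDirectory() as d:
        cache = Path(d) / "jsrepository.json"
        cache.touch()
        print(classify_repo_file(cache), install_repo_file(sample, cache),
              classify_repo_file(cache))
```

Running `classify_repo_file` against the data directory in a CI pre-step turns the later "appears to be malformed" error into an early, specific result that points at the download step.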
