Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

org.owasp:dependency-check-maven:6.2.0 DatabaseException: Unable to connect to the database #3416

Closed
k-d-w opened this issue Jun 2, 2021 · 7 comments
Closed

org.owasp:dependency-check-maven:6.2.0 DatabaseException: Unable to connect to the database #3416

k-d-w opened this issue Jun 2, 2021 · 7 comments
Milestone
6.2.1

Comments

@k-d-w
Copy link

k-d-w commented Jun 2, 2021

Maven release with embedded dependency check fails after upgrading the dependency-check plugin.

I have bumped the dependency-check-maven plugin from version 5.3.2 to 6.2.0
I have also purged the DB (internal H2) as stated in the release notes.
I have executed both:

  • org.owasp:dependency-check-maven:6.2.0:purge
  • org.owasp:dependency-check-maven:5.3.2:purge
    I also tried deleting the data directly on my Jenkins server at
  • .m2/repository/org/owasp/dependency-check-data/4.0
  • .m2/repository/org/owasp/dependency-check-data/5.0

My maven release step keeps failing with

16:23:36  [INFO] [INFO] Generating "dependency-check:aggregate" report --- dependency-check-maven:6.2.0:aggregate
16:23:37  [INFO] [INFO] ------------------------------------------------------------------------
16:23:37  [INFO] [INFO] BUILD FAILURE
16:23:37  [INFO] [INFO] ------------------------------------------------------------------------
16:23:37  [INFO] [INFO] Total time:  15.800 s
16:23:37  [INFO] [INFO] Finished at: 2021-06-02T14:23:37Z
16:23:37  [INFO] [INFO] ------------------------------------------------------------------------
16:23:37  [INFO] [ERROR] Failed to execute goal org.apache.maven.plugins:maven-site-plugin:3.9.1:site (default-site) on project abc-parent-aws: Error generating dependency-check-maven:6.2.0:aggregate report: Fatal exception(s) analyzing abc-parent-aws: One or more exceptions occurred during analysis:
16:23:37  [INFO] [ERROR] 	DatabaseException: Unable to connect to the database - if this error persists it may be due to a corrupt database. Consider running `purge` to delete the existing database
16:23:37  [INFO] [ERROR] 		caused by DatabaseException: Unable to connect to the database
16:23:37  [INFO] [ERROR] 		caused by SQLException: No suitable driver found for jdbc:h2:file:/var/jenkins_home/.m2/repository/org/owasp/dependency-check-data/5.0/odc;AUTOCOMMIT=ON;CACHE_SIZE=65536;RETENTION_TIME=1000;MAX_COMPACT_TIME=10000;

I am executing a mvn clean release:clean release:prepare release:perform
I see a warning during the mvn release:prepare step:

16:20:07  [INFO] [INFO] --- dependency-check-maven:6.2.0:check (default) @ abc-parent-aws ---
16:20:10  [INFO] [INFO] Checking for updates
16:20:18  [INFO] [INFO] NVD CVE requires several updates; this could take a couple of minutes.
16:20:18  [INFO] [INFO] Download Started for NVD CVE - 2002
16:20:18  [INFO] [INFO] Download Started for NVD CVE - 2003
16:20:18  [INFO] [INFO] Download Complete for NVD CVE - 2003  (659 ms)
16:20:18  [INFO] [INFO] Processing Started for NVD CVE - 2003
16:20:18  [INFO] [INFO] Download Started for NVD CVE - 2004
16:20:18  [INFO] [INFO] Download Complete for NVD CVE - 2002  (853 ms)
16:20:18  [INFO] [INFO] Download Started for NVD CVE - 2005
16:20:18  [INFO] [INFO] Processing Started for NVD CVE - 2002
16:20:18  [INFO] WARNING: An illegal reflective access operation has occurred
16:20:18  [INFO] WARNING: Illegal reflective access by com.fasterxml.jackson.module.afterburner.util.MyClassLoader (file:/var/jenkins_home/.m2/repository/com/fasterxml/jackson/module/jackson-module-afterburner/2.12.3/jackson-module-afterburner-2.12.3.jar) to method java.lang.ClassLoader.findLoadedClass(java.lang.String)
16:20:18  [INFO] WARNING: Please consider reporting this to the maintainers of com.fasterxml.jackson.module.afterburner.util.MyClassLoader
16:20:18  [INFO] WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
16:20:18  [INFO] WARNING: All illegal access operations will be denied in a future release
16:20:19  [INFO] [INFO] Download Complete for NVD CVE - 2004  (755 ms)
.....


16:22:25  [INFO] [INFO] Begin database maintenance
16:22:47  [INFO] [INFO] Updated the CPE ecosystem on 118485 NVD records
16:22:47  [INFO] [INFO] Removed the CPE ecosystem on 3473 NVD records
16:22:49  [INFO] [INFO] Cleaned up 2 orphaned NVD records
16:22:49  [INFO] [INFO] End database maintenance (24012 ms)
16:22:49  [INFO] [INFO] Begin database defrag
16:22:54  [INFO] [INFO] End database defrag (4534 ms)
16:22:54  [INFO] [INFO] Check for updates complete (163325 ms)

It then proceeds running a succesfull analysis

16:22:54  [INFO] [INFO] Analysis Started
16:22:54  [INFO] [INFO] Finished File Name Analyzer (0 seconds)
16:22:54  [INFO] [INFO] Finished Dependency Merging Analyzer (0 seconds)
16:22:54  [INFO] [INFO] Finished Version Filter Analyzer (0 seconds)
16:22:54  [INFO] [INFO] Finished Hint Analyzer (0 seconds)
16:22:58  [INFO] [INFO] Created CPE Index (3 seconds)
16:22:58  [INFO] [INFO] Finished CPE Analyzer (4 seconds)
16:22:58  [INFO] [INFO] Finished False Positive Analyzer (0 seconds)
16:22:58  [INFO] [INFO] Finished NVD CVE Analyzer (0 seconds)
16:22:58  [INFO] [INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
16:22:58  [INFO] [INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
16:22:58  [INFO] [INFO] Finished Dependency Bundling Analyzer (0 seconds)
16:22:58  [INFO] [INFO] Analysis Complete (4 seconds)
16:22:58  [INFO] [INFO] Writing report to: /var/jenkins_home/workspace/abc-parent-aws-production-pipeline/target/dependency-check-report.html
16:22:59  [INFO] [INFO] ------------------------------------------------------------------------
16:22:59  [INFO] [INFO] BUILD SUCCESS
16:22:59  [INFO] [INFO] ------------------------------------------------------------------------

But in the subsequent mvn release:performstep, the site generation fails with the error listed in the beginning of this Issue.

16:23:34  [INFO] [INFO] --- maven-site-plugin:3.9.1:site (default-site) @ abc-parent-aws ---
16:23:36  [INFO] [INFO] configuring report plugin org.owasp:dependency-check-maven:6.2.0
16:23:36  [INFO] [INFO] 1 report configured for dependency-check-maven:6.2.0: aggregate
16:23:36  [INFO] [INFO] configuring report plugin org.apache.maven.plugins:maven-project-info-reports-plugin:3.1.1
16:23:36  [INFO] [INFO] 15 reports detected for maven-project-info-reports-plugin:3.1.1: ci-management, dependencies, dependency-info, dependency-management, distribution-management, index, issue-management, licenses, mailing-lists, modules, plugin-management, plugins, scm, summary, team
16:23:36  [INFO] [INFO] Rendering site with default locale English (en)
16:23:36  [INFO] [INFO] Rendering content with org.apache.maven.skins:maven-default-skin:jar:1.3 skin.
16:23:36  [INFO] [INFO] Generating "dependency-check:aggregate" report --- dependency-check-maven:6.2.0:aggregate
16:23:37  [INFO] [INFO] ------------------------------------------------------------------------
16:23:37  [INFO] [INFO] BUILD FAILURE
@k-d-w
Copy link
Author

k-d-w commented Jun 2, 2021

For reference, the dependency-checker is triggered by a profile

<profile>
            <id>owasp-dep-check</id>
            <reporting>
                <plugins>
                    <plugin>
                        <groupId>org.owasp</groupId>
                        <artifactId>dependency-check-maven</artifactId>
                        <reportSets>
                            <reportSet>
                                <reports>
                                    <report>aggregate</report>
                                </reports>
                            </reportSet>
                        </reportSets>
                    </plugin>
                </plugins>
            </reporting>

            <build>
                <plugins>
                    <plugin>
                        <groupId>org.owasp</groupId>
                        <artifactId>dependency-check-maven</artifactId>
                        <executions>
                            <execution>
                                <goals>
                                    <goal>check</goal>
                                </goals>
                            </execution>
                        </executions>
                    </plugin>
                </plugins>
            </build>
        </profile>

@albuch
Copy link
Contributor

albuch commented Jun 2, 2021

I'm seeing the same in our tests for the sbt plugin. Could it be this change that removed the default driver name for h2?

DependencyCheck/core/src/main/resources/dependencycheck.properties

Line 47 in 8a6d7d8

#data.driver_name=org.h2.Driver

@mprins mprins mentioned this issue Jun 3, 2021
Closed
@jeremylong
Copy link
Owner

@albuch it's always possible - but in reality using a JDBC4 compliant driver should not require calling class.forName("org.h2.Driver"). https://mkyong.com/jdbc/jdbc-class-forname-is-no-longer-required/

jeremylong added a commit that referenced this issue Jun 4, 2021
@jeremylong
re-add jdbc registration on all paths per #3416
a671f2c
@jeremylong
Copy link
Owner

I figured out one thing that might be causing this. I re-added the driver registration on all paths. Apparently, this is done during the update phase - but was not being used in the analysis phase.

@jeremylong jeremylong mentioned this issue Jun 4, 2021
Closed
@VolhaRS
Copy link

VolhaRS commented Jun 4, 2021

We have the same issue. We use the last version of the plugin and have the same error at any time.

@jeremylong
Copy link
Owner

@albuch any chance you can test with the latest snapshot? I am unable to reproduce the issue locally or on the CI...

@albuch albuch mentioned this issue Jun 5, 2021
Closed
@albuch
Copy link
Contributor

albuch commented Jun 5, 2021

@jeremylong no more errors with v6.2.1-SNAPSHOT, my integration tests are working again.

@jeremylong jeremylong added this to the 6.2.1 milestone Jun 8, 2021
This was referenced Jun 8, 2021
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Closed
Merged
Merged
Merged
Merged
Merged
Open
Closed
@renovate renovate bot mentioned this issue Jun 16, 2021
Closed
1 task
@renovate renovate bot mentioned this issue Aug 27, 2021
Open
1 task
@i333055 i333055 mentioned this issue Sep 30, 2021
Open
1 task
@mend-for-github-com mend-for-github-com bot mentioned this issue Nov 23, 2021
Open
1 task
@mend-for-github-com mend-for-github-com bot mentioned this issue Dec 3, 2021
Open
1 task
@renovate renovate bot mentioned this issue Dec 11, 2021
Merged
1 task
@renovate renovate bot mentioned this issue Jan 10, 2022
Merged
1 task
@renovate renovate bot mentioned this issue Feb 28, 2022
Merged
1 task
This was referenced Mar 26, 2022
Closed
Open
Closed
@mend-for-github-com mend-for-github-com bot mentioned this issue Apr 11, 2022
Open
1 task
This was referenced Apr 12, 2022
Closed
Closed
Closed
Open
This was referenced Apr 14, 2022
Open
Open
@i333055 i333055 mentioned this issue Jun 23, 2022
Closed
1 task
@i333055 i333055 mentioned this issue Jan 15, 2023
Closed
1 task
@i333055 i333055 mentioned this issue Nov 22, 2023
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
6.2.1
Development

No branches or pull requests
4 participants
@jeremylong @albuch @k-d-w @VolhaRS