DatabaseException: Error updating 'CVE-2020-36569' #5220
Comments
Same issue here. The problem is that the maximum length of the column is 60 characters whereas the To fix this a schema change similar to this one is needed:
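The comments above describe the failure mode precisely: one NVD entry carries a version value longer than the 60-character column it is written to, and that single row aborts the whole database update. The block below is an added example, not DependencyCheck's own code, that shows the preflight check a defender would put in front of such an insert. It assumes a VARCHAR(60) version column (the width quoted in the thread; the other column widths are assumptions) and contrasts two policies for a row that does not fit: "abort", which reproduces the reported behaviour, and "continue", the fail-soft behaviour several commenters ask for later in the thread (report the row, keep updating). The sample rows, including the over-long version made by running a start and an end version together, are constructed.

```python
"""Preflight width check for NVD-derived rows before a database insert.

Added example for this thread; it is not DependencyCheck's own code.
Assumes a VARCHAR(60) version column (the width quoted in the thread).
All sample rows and the other column widths are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Declared widths of the string columns. Only the 60-character version column
# is stated in the thread; the remaining widths are assumptions for the demo.
SCHEMA_WIDTHS: Dict[str, int] = {
    "cve_id": 20,
    "vendor": 255,
    "product": 255,
    "version": 60,
}


class RowTooWide(Exception):
    """Stands in for the DatabaseException raised when the insert fails."""


@dataclass(frozen=True)
class CpeRow:
    cve_id: str
    vendor: str
    product: str
    version: str


def width_violations(row: CpeRow, widths: Dict[str, int] = SCHEMA_WIDTHS) -> List[str]:
    """Return one message per column whose value will not fit its VARCHAR width."""
    problems: List[str] = []
    for column, width in widths.items():
        value = getattr(row, column)
        if len(value) > width:
            problems.append(f"{column}: {len(value)} chars exceeds VARCHAR({width})")
    return problems


def process_rows(
    rows: Iterable[CpeRow],
    policy: str = "continue",
    widths: Dict[str, int] = SCHEMA_WIDTHS,
) -> Tuple[List[CpeRow], List[Tuple[str, List[str]]]]:
    """Validate rows before they reach the database.

    policy="abort": raise on the first bad row (what the thread observed).
    policy="continue": skip the bad row, record why, keep updating.
    Returns (accepted rows, rejected (cve_id, reasons) pairs).
    """
    if policy not in ("abort", "continue"):
        raise ValueError(f"unknown policy {policy!r}")
    accepted: List[CpeRow] = []
    rejected: List[Tuple[str, List[str]]] = []
    for row in rows:
        problems = width_violations(row, widths)
        if not problems:
            accepted.append(row)
        elif policy == "abort":
            raise RowTooWide(f"Error updating '{row.cve_id}': " + "; ".join(problems))
        else:
            rejected.append((row.cve_id, problems))
    return accepted, rejected


def abort_message(rows: Iterable[CpeRow], widths: Dict[str, int] = SCHEMA_WIDTHS) -> Optional[str]:
    """Run the abort policy and return its failure message, or None if every row fits."""
    try:
        process_rows(list(rows), policy="abort", widths=widths)
    except RowTooWide as exc:
        return str(exc)
    return None


# Constructed sample data. The first row imitates the defect described in the
# thread: a version field that is really a start version and an end version
# run together, which pushes it past 60 characters. The values are made up;
# "CVE-0000-00000" is a placeholder id, not a real CVE.
START_VERSION = "1.0.0-rc1+build.20210105"
END_VERSION = "2.0.0-beta.3+build.20230105.nightly.amd64"
CONCATENATED_VERSION = START_VERSION + END_VERSION

SAMPLE_ROWS = [
    CpeRow("CVE-2020-36569", "example_vendor", "example_product", CONCATENATED_VERSION),
    CpeRow("CVE-0000-00000", "example_vendor", "example_product", "2.3.4"),
]


if __name__ == "__main__":
    ok, bad = process_rows(SAMPLE_ROWS, policy="continue")
    print(f"{len(ok)} row(s) accepted, {len(bad)} row(s) skipped")
    for cve_id, reasons in bad:
        print(f"  skipped {cve_id}: {'; '.join(reasons)}")
    print(f"abort policy would have failed the whole update: {abort_message(SAMPLE_ROWS)}")
```

Widening the column (the schema change the comment refers to) removes the crash for this particular value; the check above is the complementary control, since it keeps a future malformed upstream entry from taking the whole update down with it and produces a log line naming the offending CVE instead.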
Raised a PR which could be a potential fix for the issue: #5221
Hello @srini00088, I reviewed your PR and I believe that should solve the issue. But I have a question: I'm using version 6.0.2. Will merging this PR solve the same problem in version 6.0.2 as well?
Will this be released after merging? This currently breaks all our builds and we are wondering if we need to disable CVE scanning in general or if it is feasible to wait. (And btw kudos @srini00088 for the speed of the fix; when I discovered the bug this morning the PR was already underway.)
Same here, all the pipelines are failing because of it; it's trying to insert a long value into varchar(60).
Looking at CVE-2020-36569, it seems that when they modified it on 2023-01-05, they bungled adding the end version. The value is apparently the concatenation of the start and end versions, which makes it so long.
I think NVD is in error with the version string.
@karstenspang @mlemmens I think you folks are right, the issue could be with the CVE database. I have also reported an issue via https://cveform.mitre.org/
Short question: I'm using "dependency-check-maven" ... is there a way to say "ignore failed/crashed plugin"?
Good idea. But I'm searching for something like "in case of errors (any), just show it but continue the build".
Same question, I'm using "dependency-check-gradle" ... is there a way to say "ignore failed/crashed plugin"? Or how to avoid this issue in the future?
I got nothing on this; we have had to temporarily turn off the plugin on all our pipelines until there is a fix.
Isn't it good to have some automatic test before changing the CVE database and breaking thousands of projects all over the world? I know it's a question more in the direction of CVE, but anyway, this behaviour is to be avoided.
Hello! Same here!
Same problem here, this bug breaks our build pipelines. So a fix asap is highly appreciated.
Same problem here
Maybe it is worth adding protection against this kind of problem in the future?
The protection is not to make false assumptions about the names/ids one doesn't control.
Same here, pipelines currently unusable; fails when updating the CVE database with the above-mentioned error.
I hit the same problem today. Most of the information is here so I won't repeat it; I just want to add that I met this issue on version 7.1.3, then upgraded to the latest 7.4.3 and the problem persists.
Looks like a corrupted H2 database to me at first sight. You could try a one-off build that uses
FWIW
That worked.
I think the problem with Gradle was solved; I'm doing analysis of different versions and it gives me successful results.
@Dhanxy Likely multiple versions work (as the database version is sufficiently compatible), but you will need 7.4.4 to run the upgrade script, and your safest bet would be to be in sync on the version used.
I think this ticket can be closed
Hi @srini00088, I looked at your #5221. With my limited knowledge of this, I have a comment about the fix.
A bug in OWASP DependencyCheck <7.4.4 causes exceptions when loading certain poorly formed CVE definitions. See: jeremylong/DependencyCheck#5220. Update the DependencyCheck version to 7.4.4, which fixes this issue.
After purging, I don't face the above issue. But it got stuck for a long time (there's no issue with the internet connection). I checked this issue #4163, but there was no response. Any help on that? (Just running the tool shouldn't be this hard, I guess?) Thanks so much for all the help so far. @aikebah
The report is generated now. But at least we could show that the report is being generated, to avoid confusion.
I just wanted to say thanks, from me and my team, for the quick fix and all the work that has been put into this project!
Hi All. Thanks for all the work you're all putting in.
I'm about to back out all dependency scanning, but before I do, has anyone any suggestions? We use docker containers so I thought it may be docker caching, but I've cleared the cache.
@marcochristoforou you must upgrade to
indicates that your project is configured to run version 7.1.0 of the ODC maven plugin. It's likely configured in the pom.xml of that project (or one of its parents) to take version 7.1.0. Only with version 7.4.4 will the update succeed. Depending on how your CI infra is organized, you might be able to get it rolling by running a one-off job that just runs
Sorry all (@aikebah), yes, just sorted that. Been too keen to post, feeling left out I guess :D
On Java9 it raises the
This version should fix jeremylong/DependencyCheck#5220
* ST-947 Replace Private Law references. Replace references to Private Law jurisdiction/case types with ones for CIC. Change local variable names, files and test cases accordingly.
* ST-947 Update owasp version
* ST-947 Remove redundant roles
* ST-947 Bump owasp version. This version should fix jeremylong/DependencyCheck#5220
* ST-947 Set autoUpdate to true
* ST-947 Match case api dependencycheck version
* ST-947 Rollback dependencycheck. To avoid having to update the database after the owasp bug/issue.
* ST-947 Bump snakeyaml
* ST-947 Bump snakeyaml
* ST-947 Suppress two CVEs. snakeyaml is wrongly identified as being vulnerable to these two CVEs: jeremylong/DependencyCheck#5233
* ST-947 Fix jurisdiction name too long
Describe the bug
classpath 'com.android.tools.build:gradle:4.1.1'
gradle version is: 7.0.2
after running ./gradlew dependencyCheckAnalyze
this error appears in the logs:
Version of dependency-check used
classpath 'org.owasp:dependency-check-gradle:7.2.1'
classpath 'org.owasp:dependency-check-gradle:7.4.3'
Log file
To Reproduce
Steps to reproduce the behavior:
Expected behavior
task started and scan completed
Additional context