Details
Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Component/s: dependency-check-jenkins-plugin
Labels:
Environment: (EndUser private FaaS).
Jenkins ver. 2.46.3 (Java 1.8.0_111, os.arch amd64, os.name Linux, os.version 3.11.0-19-generic)
OWASP Dependency-Check Plugin v2.1.0
Description
Since I came back from holidays, I have been getting the following error on my job:
16:30:15 [DependencyCheck] One or more exceptions were thrown while executing Dependency-Check
16:30:15 [DependencyCheck] Exception Caught: org.owasp.dependencycheck.analyzer.exception.AnalysisException
16:30:15 [DependencyCheck] Cause: connect timed out
16:30:15 [DependencyCheck] Message: connect timed out
Before the holidays, the plugin version was OWASP Dependency-Check Plugin v1.4.5 and now it's OWASP Dependency-Check Plugin v2.1.0.
We have no idea which connection attempt results in this exception.
Is there a way to make the plugin more verbose? Or to test the connection?
Thanks
A solution has been found on our side by the FaaS team.
The plugin was configured (Jenkins admin) to bypass the proxy: "OWASP Dependency-Check" / "Bypass proxy to download NVD data feeds" checked.
This is because the CVE endpoints are on our intranet and the proxy must not be used in our case.
The issue was with the "Node Security Platform analyzer" ("OWASP Dependency-Check: Experimental Analyzers").
It seems that this analyzer has to access "nodesecurity.io", but as the "Bypass proxy" option is enabled, this results in a connect timeout. It seems that nonProxyHosts are not handled well by this library. That point should be tested and confirmed by the DependencyCheck team.
Regards
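
To test the connections discussed above from the build node, here is an added diagnostic (not part of the original issue and not Dependency-Check code). For each URL it prints the route the JVM's default ProxySelector would choose and whether a direct TCP connect succeeds. The proxy host, the intranet mirror host and the class name are constructed placeholders, and it assumes the HTTP client in use honours the JVM proxy properties.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.Socket;
import java.net.URI;

public class ProxyRouteCheck {

    // Route the JVM's default ProxySelector picks for this URL: "DIRECT" or the proxy address.
    static String routeFor(String url) {
        Proxy p = ProxySelector.getDefault().select(URI.create(url)).get(0);
        return p.type() == Proxy.Type.DIRECT ? "DIRECT" : "PROXY " + p.address();
    }

    // Plain TCP connect with no proxy; a timeout here is what surfaces as "connect timed out".
    static String directConnect(String host, int port, int timeoutMs) {
        try (Socket s = new Socket(Proxy.NO_PROXY)) {
            s.connect(new InetSocketAddress(host, port), timeoutMs);
            return "reachable";
        } catch (IOException e) {
            return "failed (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed placeholders: replace with the real proxy and intranet feed host.
        System.setProperty("https.proxyHost", "proxy.example.internal");
        System.setProperty("https.proxyPort", "3128");
        // https URLs also consult http.nonProxyHosts; entries are separated by '|'.
        System.setProperty("http.nonProxyHosts", "nvd-mirror.example.internal|localhost");

        String[] urls = args.length > 0 ? args : new String[] {
            "https://nvd-mirror.example.internal/feeds/", // constructed intranet mirror
            "https://nodesecurity.io/"                    // host named in the report
        };
        for (String url : urls) {
            URI u = URI.create(url);
            int defaultPort = "http".equals(u.getScheme()) ? 80 : 443;
            int port = u.getPort() != -1 ? u.getPort() : defaultPort;
            System.out.printf("%-45s route=%s direct=%s%n",
                    url, routeFor(url), directConnect(u.getHost(), port, 3000));
        }
    }
}
```

A host that shows a proxy route but fails the direct connect is one that a global bypass setting would cut off, while a host listed in nonProxyHosts should show a DIRECT route and be reachable.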