JENKINS-68415: Add option to suppress fingerprinting of affected files for specific issues

      I am getting the following error(s) when using the OWASP scanner of the warnings-ng plugin:

      00:02:12.752  [OWASP Dependency Check] [-ERROR-] Can't create fingerprints for some files:
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'ant-antlr-1.9.15.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'ant-antlr-1.9.15.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'ant-junit-1.9.15.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'ant-junit-1.9.15.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: org.apache.sshd:sshd-common:2.6.0)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: org.apache.sshd:sshd-core:2.6.0)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: org.apache.sshd:sshd-osgi:2.6.0)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: org.apache.sshd:sshd-sftp:2.6.0)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'cli-2.332.2.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'commons-discovery-0.5.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'commons-httpclient-3.1-jenkins-3.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'commons-jelly-tags-fmt-1.0.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'commons-jelly-tags-fmt-1.0.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'fluent-hc-4.5.3.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-]   ... skipped logging of 39 additional errors ...
      

      I checked the JSON file created by the OWASP Gradle plugin. At first I thought the reason was the backslash in front of each file path separator:

      "filePath": "\/var\/lib\/jenkins\/.gradle\/caches\/modules-2\/files-2.1\/com.googlecode.javaewah\/JavaEWAH\/0.7.9\/eceaf316a8faf0e794296ebe158ae110c7d72a5a\/JavaEWAH-0.7.9.jar"
      

      Then I corrected the leading backslash with this in my pipeline:

      // readJSON/writeJSON come from the Pipeline Utility Steps plugin: readJSON decodes
      // the "\/" escapes and writeJSON serialises the paths back out with plain slashes.
      def owaspJsonFile = readJSON file: "${env.STR_WORKSPACE}/build/reports/dependencyCheck/dependency-check-report.json"
      owaspJsonFile.dependencies.each {
         echo "filePath = " + it.filePath   // print each decoded path for inspection
      }
      writeJSON file: "${env.STR_WORKSPACE}/build/reports/dependencyCheck/dependency-check-report.new.json", json: owaspJsonFile
      

      Now it looks like this:

      "filePath":"/var/lib/jenkins/.gradle/caches/modules-2/files-2.1/com.googlecode.javaewah/JavaEWAH/0.7.9/eceaf316a8faf0e794296ebe158ae110c7d72a5a/JavaEWAH-0.7.9.jar"
      

      But I still get the same error.
      My only guess at the root cause is shaded JAR files, e.g.:

       "fileName":"cli-2.332.2.jar (shaded: com.sun.activation:jakarta.activation:2.0.1)","filePath":"/var/lib/jenkins/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/cli/2.332.2/c7e4e582f40baa64ca87d7f96e70b3b8fcba59d1/cli-2.332.2.jar/META-INF/maven/com.sun.activation/jakarta.activation/pom.xml"
      

      Does the OWASP parser support shaded JAR files?

      The only workaround is ignoring the error with this setting:

      failOnError: false
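As an added example (not code from this issue or from the warnings-ng plugin), the following script classifies the entries of a dependency-check JSON report the way a practitioner would to check the reporter's hypothesis: a filePath that continues past a .jar component (the shaded case) names a member inside an archive, so no such file exists on the agent and no fingerprint can be computed, while the decoded sample shows that the "\/" escapes are ordinary JSON and not the cause. The embedded report and the two regular expressions are constructed assumptions modelled on the excerpts above, not the plugin's own parsing.

```python
import json
import os
import re

# Constructed sample modelled on the report excerpts in this issue (not a real
# report). The "\/" escapes are valid JSON and decode to plain "/", so the
# escaping alone cannot be what makes the fingerprinting step fail.
SAMPLE_REPORT = r'''{"dependencies": [
 {"fileName": "JavaEWAH-0.7.9.jar",
  "filePath": "\/var\/lib\/jenkins\/.gradle\/caches\/JavaEWAH-0.7.9.jar"},
 {"fileName": "cli-2.332.2.jar (shaded: com.sun.activation:jakarta.activation:2.0.1)",
  "filePath": "/var/lib/jenkins/.gradle/caches/cli-2.332.2.jar/META-INF/maven/com.sun.activation/jakarta.activation/pom.xml"},
 {"fileName": "fluent-hc-4.5.3.jar",
  "filePath": "/var/lib/jenkins/.gradle/caches/fluent-hc-4.5.3.jar"}
]}'''

# dependency-check names a shaded dependency "<archive> (shaded: group:artifact:version)".
SHADED_RE = re.compile(r"^(?P<archive>.+?) \(shaded: (?P<gav>[^)]+)\)$")
# A filePath that continues past a .jar/.war/.zip component names a member
# *inside* an archive; no such file exists on disk, so a fingerprint of it
# can never be computed. Only the enclosing archive is a real file.
INSIDE_ARCHIVE_RE = re.compile(r"^(?P<archive>.*?\.(?:jar|war|zip))/(?P<member>.+)$")


def classify(dependency, exists=os.path.exists):
    """Return (status, path): 'inside-archive' with the enclosing archive,
    else 'ok' or 'missing' depending on whether filePath exists."""
    path = dependency["filePath"]
    m = INSIDE_ARCHIVE_RE.match(path)
    if m:
        return "inside-archive", m.group("archive")
    return ("ok" if exists(path) else "missing"), path


def shaded_coordinates(dependency):
    """Return the Maven coordinates of a shaded entry, or None."""
    m = SHADED_RE.match(dependency["fileName"])
    return m.group("gav") if m else None


def summarize(report_text, exists=os.path.exists):
    """Count report entries per classify() status."""
    counts = {"ok": 0, "inside-archive": 0, "missing": 0}
    for dep in json.loads(report_text)["dependencies"]:
        counts[classify(dep, exists)[0]] += 1
    return counts


if __name__ == "__main__":
    for dep in json.loads(SAMPLE_REPORT)["dependencies"]:
        print(dep["fileName"], "->", classify(dep), shaded_coordinates(dep))
```

Run it against a real dependency-check-report.json by replacing SAMPLE_REPORT with the file contents; every 'inside-archive' entry corresponds to one of the "file not found" lines in the build log.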
      


          Ulli Hafner added a comment -

          Typically, warnings are tracked in source code files from build to build. Since the affected files of the OWASP parser are binary files, this tracking does not make sense. It would be helpful if we can omit the tracking if the file is binary (or if the line number has not been set).

