Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-68415

Add option to suppress fingerprinting of affected files for specific issues

    XMLWordPrintable

Details

    Description

      I am getting the following error(s) by using the OWASP scanner of warnings-ng plugin:

      00:02:12.752  [OWASP Dependency Check] [-ERROR-] Can't create fingerprints for some files:
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'ant-antlr-1.9.15.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'ant-antlr-1.9.15.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'ant-junit-1.9.15.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'ant-junit-1.9.15.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: org.apache.sshd:sshd-common:2.6.0)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: org.apache.sshd:sshd-core:2.6.0)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: org.apache.sshd:sshd-osgi:2.6.0)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: org.apache.sshd:sshd-sftp:2.6.0)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'cli-2.332.2.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'commons-discovery-0.5.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'commons-httpclient-3.1-jenkins-3.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'commons-jelly-tags-fmt-1.0.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'commons-jelly-tags-fmt-1.0.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'fluent-hc-4.5.3.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-]   ... skipped logging of 39 additional errors ...
      

      I checked the json file created by the owasp gradle plugin. First I thought the reason is the backslash in front of each file path separator:

      "filePath": "\/var\/lib\/jenkins\/.gradle\/caches\/modules-2\/files-2.1\/com.googlecode.javaewah\/JavaEWAH\/0.7.9\/eceaf316a8faf0e794296ebe158ae110c7d72a5a\/JavaEWAH-0.7.9.jar"
      

      then I corrected the leading backslash by this in my pipeline:

      def owaspJsonFile = readJSON file: "${env.STR_WORKSPACE}/build/reports/dependencyCheck/dependency-check-report.json"
      owaspJsonFile.dependencies.each {
         echo "filePath = " + it.filePath
      }
      writeJSON file: "${env.STR_WORKSPACE}/build/reports/dependencyCheck/dependency-check-report.new.json", json: owaspJsonFile
      

      now it looks like this:

      "filePath":"/var/lib/jenkins/.gradle/caches/modules-2/files-2.1/com.googlecode.javaewah/JavaEWAH/0.7.9/eceaf316a8faf0e794296ebe158ae110c7d72a5a/JavaEWAH-0.7.9.jar"
      

      but still the same error.
      The only guess of root cause is shaded jar files, e.g.:

       "fileName":"cli-2.332.2.jar (shaded: com.sun.activation:jakarta.activation:2.0.1)","filePath":"/var/lib/jenkins/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/cli/2.332.2/c7e4e582f40baa64ca87d7f96e70b3b8fcba59d1/cli-2.332.2.jar/META-INF/maven/com.sun.activation/jakarta.activation/pom.xml"
      

      Does OWASP parser support shaded jar files?

      The only workaround is, ignoring the error by settings:

      failOnError: false
      

      Attachments

        Activity

          drulli Ulli Hafner added a comment -

          Typically, warnings are tracked in source code files from build to build. Since the affected files of the OWASP parser are binary files this tracking does not make sense. It would be helpful if we can omit the tracking if the file is binary (or if the line number has not been set).

          drulli Ulli Hafner added a comment - Typically, warnings are tracked in source code files from build to build. Since the affected files of the OWASP parser are binary files this tracking does not make sense. It would be helpful if we can omit the tracking if the file is binary (or if the line number has not been set).

          People

            Unassigned Unassigned
            rf R. Fitzner
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated: