JENKINS-68415

Add option to suppress fingerprinting of affected files for specific issues


      I am getting the following error(s) when using the OWASP scanner of the warnings-ng plugin:

      00:02:12.752  [OWASP Dependency Check] [-ERROR-] Can't create fingerprints for some files:
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'ant-antlr-1.9.15.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'ant-antlr-1.9.15.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'ant-junit-1.9.15.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'ant-junit-1.9.15.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: org.apache.sshd:sshd-common:2.6.0)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: org.apache.sshd:sshd-core:2.6.0)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: org.apache.sshd:sshd-osgi:2.6.0)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: org.apache.sshd:sshd-sftp:2.6.0)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'cli-2.332.2.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'commons-discovery-0.5.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'commons-httpclient-3.1-jenkins-3.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'commons-jelly-tags-fmt-1.0.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'commons-jelly-tags-fmt-1.0.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'fluent-hc-4.5.3.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-]   ... skipped logging of 39 additional errors ...
      

      I checked the JSON file created by the OWASP Gradle plugin. First I thought the reason was the backslash in front of each file path separator:

      "filePath": "\/var\/lib\/jenkins\/.gradle\/caches\/modules-2\/files-2.1\/com.googlecode.javaewah\/JavaEWAH\/0.7.9\/eceaf316a8faf0e794296ebe158ae110c7d72a5a\/JavaEWAH-0.7.9.jar"
      

      Then I corrected the leading backslash with this in my pipeline:

      // Round-trip the report through readJSON/writeJSON (Pipeline Utility Steps);
      // the re-serialized file no longer contains the "\/" escapes.
      def owaspJsonFile = readJSON file: "${env.STR_WORKSPACE}/build/reports/dependencyCheck/dependency-check-report.json"
      owaspJsonFile.dependencies.each {
         echo "filePath = " + it.filePath   // log each path for inspection
      }
      writeJSON file: "${env.STR_WORKSPACE}/build/reports/dependencyCheck/dependency-check-report.new.json", json: owaspJsonFile
      

      Now it looks like this:

      "filePath":"/var/lib/jenkins/.gradle/caches/modules-2/files-2.1/com.googlecode.javaewah/JavaEWAH/0.7.9/eceaf316a8faf0e794296ebe158ae110c7d72a5a/JavaEWAH-0.7.9.jar"
      

      But still the same error.
      My only guess at the root cause is shaded jar files, e.g.:

       "fileName":"cli-2.332.2.jar (shaded: com.sun.activation:jakarta.activation:2.0.1)","filePath":"/var/lib/jenkins/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/cli/2.332.2/c7e4e582f40baa64ca87d7f96e70b3b8fcba59d1/cli-2.332.2.jar/META-INF/maven/com.sun.activation/jakarta.activation/pom.xml"
      

      Does OWASP parser support shaded jar files?

      The only workaround is ignoring the error with the setting:

      failOnError: false
      
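      Added example (not part of the original report, and not code from the warnings-ng plugin or from dependency-check): a standalone Python script that reads a dependency-check JSON report and separates entries whose filePath is a real file on disk from shaded entries whose filePath continues past the enclosing .jar into the archive (like the META-INF/maven/.../pom.xml path above), which is exactly the kind of path a file-based fingerprinter cannot open. The sample report is constructed; the archive-suffix heuristic, the nestedEntry field and the collapse-to-containing-archive rewrite are assumptions of this example, not documented plugin behaviour.

```python
import json
import os
from typing import Callable, Dict, List, Tuple

# Constructed sample of a dependency-check JSON report (not a real scan result).
# Entry 1 is a plain jar on disk (with the "\/" escaping the reporter saw);
# entry 2 is a shaded artifact whose filePath points *inside* the jar.
SAMPLE_REPORT = r'''
{
  "dependencies": [
    {
      "fileName": "JavaEWAH-0.7.9.jar",
      "filePath": "\/var\/lib\/jenkins\/.gradle\/caches\/modules-2\/files-2.1\/com.googlecode.javaewah\/JavaEWAH\/0.7.9\/abc\/JavaEWAH-0.7.9.jar"
    },
    {
      "fileName": "cli-2.332.2.jar (shaded: com.sun.activation:jakarta.activation:2.0.1)",
      "filePath": "/var/lib/jenkins/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/cli/2.332.2/def/cli-2.332.2.jar/META-INF/maven/com.sun.activation/jakarta.activation/pom.xml"
    }
  ]
}
'''

# Assumption of this example: these suffixes mark an archive that may contain
# further path segments in a dependency-check filePath.
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def split_archive_path(file_path: str) -> Tuple[str, str]:
    """Return (archive_on_disk, entry_inside_archive).

    For a shaded/nested artifact the filePath continues past the enclosing
    archive, e.g. '.../cli-2.332.2.jar/META-INF/.../pom.xml'. If no archive
    component is followed by more segments, the entry part is ''.
    """
    parts = file_path.split("/")
    for i, part in enumerate(parts[:-1]):  # the last segment cannot be a container
        if part.lower().endswith(ARCHIVE_SUFFIXES):
            return "/".join(parts[: i + 1]), "/".join(parts[i + 1:])
    return file_path, ""


def classify_dependencies(report_json: str,
                          exists: Callable[[str], bool] = os.path.exists) -> List[Dict[str, str]]:
    """Classify each dependency's filePath as 'ok', 'missing' or 'nested-in-archive'.

    `exists` is injectable so the check can run offline; by default it asks the
    real filesystem, which is what a file-based fingerprinting step would do.
    """
    report = json.loads(report_json)  # json.loads already turns "\/" into "/"
    rows = []
    for dep in report.get("dependencies", []):
        path = dep.get("filePath", "")
        archive, entry = split_archive_path(path)
        if entry:
            status = "nested-in-archive"  # no such file on disk: fingerprinting fails
        elif exists(path):
            status = "ok"
        else:
            status = "missing"
        rows.append({"fileName": dep.get("fileName", ""), "filePath": path,
                     "archive": archive, "entry": entry, "status": status})
    return rows


def rewrite_to_containing_archive(report_json: str) -> str:
    """Return the report with nested filePaths collapsed to the enclosing archive.

    Hypothetical preprocessing step: it trades the precise shaded location for
    a path that exists on disk, and keeps the original location in an added
    'nestedEntry' field (a name invented for this example).
    """
    report = json.loads(report_json)
    for dep in report.get("dependencies", []):
        archive, entry = split_archive_path(dep.get("filePath", ""))
        if entry:
            dep["filePath"] = archive
            dep["nestedEntry"] = entry
    return json.dumps(report, indent=2)


if __name__ == "__main__":
    for row in classify_dependencies(SAMPLE_REPORT):
        print(f"{row['status']:<18} {row['fileName']}")
```

      Run it against a real dependency-check-report.json by swapping SAMPLE_REPORT for the file contents; every row reported as nested-in-archive is a path the fingerprinter will report as "file not found", so the count of such rows tells you how much of the error list is explained by shaded artifacts before touching failOnError.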

Assignee: drulli Ulli Hafner
Reporter: rf R. Fitzner