JENKINS-68415

Add option to suppress fingerprinting of affected files for specific issues

      I am getting the following error(s) when using the OWASP scanner of the warnings-ng plugin:

      00:02:12.752  [OWASP Dependency Check] [-ERROR-] Can't create fingerprints for some files:
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'ant-antlr-1.9.15.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'ant-antlr-1.9.15.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'ant-junit-1.9.15.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'ant-junit-1.9.15.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: org.apache.sshd:sshd-common:2.6.0)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: org.apache.sshd:sshd-core:2.6.0)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: org.apache.sshd:sshd-osgi:2.6.0)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: org.apache.sshd:sshd-sftp:2.6.0)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'cli-2.332.2.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'commons-discovery-0.5.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'commons-httpclient-3.1-jenkins-3.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'commons-jelly-tags-fmt-1.0.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'commons-jelly-tags-fmt-1.0.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'fluent-hc-4.5.3.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-]   ... skipped logging of 39 additional errors ...
      

      I checked the JSON file created by the OWASP Gradle plugin. First I thought the reason was the backslash in front of each file path separator:

      "filePath": "\/var\/lib\/jenkins\/.gradle\/caches\/modules-2\/files-2.1\/com.googlecode.javaewah\/JavaEWAH\/0.7.9\/eceaf316a8faf0e794296ebe158ae110c7d72a5a\/JavaEWAH-0.7.9.jar"
      

      Then I corrected the leading backslash with this in my pipeline:

      // Read the report; JSON parsing turns every escaped "\/" into a plain "/"
      def owaspJsonFile = readJSON file: "${env.STR_WORKSPACE}/build/reports/dependencyCheck/dependency-check-report.json"
      owaspJsonFile.dependencies.each {
         echo "filePath = " + it.filePath
      }
      // Write the parsed structure back out; writeJSON emits unescaped "/" separators
      writeJSON file: "${env.STR_WORKSPACE}/build/reports/dependencyCheck/dependency-check-report.new.json", json: owaspJsonFile
      

      Now it looks like this:

      "filePath":"/var/lib/jenkins/.gradle/caches/modules-2/files-2.1/com.googlecode.javaewah/JavaEWAH/0.7.9/eceaf316a8faf0e794296ebe158ae110c7d72a5a/JavaEWAH-0.7.9.jar"
      

      But still the same error.
      My only guess for the root cause is shaded jar files, e.g.:

       "fileName":"cli-2.332.2.jar (shaded: com.sun.activation:jakarta.activation:2.0.1)","filePath":"/var/lib/jenkins/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/cli/2.332.2/c7e4e582f40baa64ca87d7f96e70b3b8fcba59d1/cli-2.332.2.jar/META-INF/maven/com.sun.activation/jakarta.activation/pom.xml"
      

      Does the OWASP parser support shaded jar files?

      The only workaround is ignoring the error by setting:

      failOnError: false
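
As an added example (not code from this issue or from the warnings-ng plugin), the Python pre-check below decodes a report shaped like the two excerpts quoted above, shows that rewriting "\/" to "/" in the file is a no-op once the JSON is parsed, and separates entries whose filePath points inside an archive (the shaded case, where no such file exists on disk) from entries that are merely absent on the agent. The sample report, the archive-suffix regex and the "(shaded: g:a:v)" pattern are assumptions modelled on the excerpts.

```python
import json
import os
import re

# Constructed sample shaped like the two report excerpts quoted in this issue.
SAMPLE_REPORT = r'''{"dependencies": [
 {"fileName": "JavaEWAH-0.7.9.jar",
  "filePath": "\/var\/lib\/jenkins\/.gradle\/caches\/modules-2\/files-2.1\/com.googlecode.javaewah\/JavaEWAH\/0.7.9\/eceaf316a8faf0e794296ebe158ae110c7d72a5a\/JavaEWAH-0.7.9.jar"},
 {"fileName": "cli-2.332.2.jar (shaded: com.sun.activation:jakarta.activation:2.0.1)",
  "filePath": "\/var\/lib\/jenkins\/.gradle\/caches\/modules-2\/files-2.1\/org.jenkins-ci.main\/cli\/2.332.2\/c7e4e582f40baa64ca87d7f96e70b3b8fcba59d1\/cli-2.332.2.jar\/META-INF\/maven\/com.sun.activation\/jakarta.activation\/pom.xml"}
]}'''

# Assumed heuristic: an archive suffix followed by more path means the entry
# is a member *inside* the archive, so there is no file on disk to hash.
ARCHIVE_MEMBER_RE = re.compile(r"\.(jar|war|ear|zip)/", re.IGNORECASE)
SHADED_RE = re.compile(r"\(shaded: ([^)]+)\)")

def shaded_coordinate(file_name):
    """Return the g:a:v of a shaded dependency, or None for a plain file."""
    match = SHADED_RE.search(file_name)
    return match.group(1) if match else None

def classify(entry, exists=os.path.exists):
    """'archive-member', 'missing' (not on this agent) or 'ok' (hashable)."""
    path = entry["filePath"]  # json.loads already turned every "\/" into "/"
    if ARCHIVE_MEMBER_RE.search(path):
        return "archive-member"
    return "ok" if exists(path) else "missing"

def summarize(report_text, exists=os.path.exists):
    """Group report entries by whether file-based fingerprinting can resolve them."""
    groups = {"archive-member": [], "missing": [], "ok": []}
    for dep in json.loads(report_text)["dependencies"]:
        groups[classify(dep, exists)].append(dep["fileName"])
    return groups

def escaped_slash_is_noop(report_text):
    """Rewriting the escaped slash to a bare slash changes nothing after decoding."""
    return json.loads(report_text) == json.loads(report_text.replace("\\/", "/"))

if __name__ == "__main__":
    for kind, names in summarize(SAMPLE_REPORT).items():
        print(f"{kind}: {names}")
    print("slash rewrite is a no-op:", escaped_slash_is_noop(SAMPLE_REPORT))
```

Run it against a real dependency-check-report.json on the agent that produced it; every entry in the archive-member group is one the fingerprinter can never open as a file, whatever the path separators look like.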
      

          R. Fitzner created issue -

          Ulli Hafner added a comment -

          Typically, warnings are tracked in source code files from build to build. Since the affected files of the OWASP parser are binary files, this tracking does not make sense. It would be helpful if we could omit the tracking if the file is binary (or if the line number has not been set).

          Ulli Hafner made changes -
          Component/s New: analysis-model [ 23523 ]
          Component/s Original: warnings-ng-plugin [ 24526 ]
          Ulli Hafner made changes -
          Issue Type Original: Bug [ 1 ] New: Improvement [ 4 ]
          Ulli Hafner made changes -
          Summary Original: [OWASP Dependency Check] [-ERROR-] Can't create fingerprints for some files New: Add option to suppress finger printing of affected files for specific issues
          Ulli Hafner made changes -
          Summary Original: Add option to suppress finger printing of affected files for specific issues New: Add option to suppress fingerprinting of affected files for specific issues
          Ulli Hafner made changes -
          Labels New: hacktoberfest help-wanted newbie-friendly ux
          Ulli Hafner made changes -
          Assignee Original: Ulli Hafner [ drulli ]
          Ulli Hafner made changes -
          Link New: This issue relates to JENKINS-72054 [ JENKINS-72054 ]

            drulli Ulli Hafner
            rf R. Fitzner