Add option to suppress fingerprinting of affected files for specific issues

      I am getting the following error(s) when using the OWASP scanner of the warnings-ng plugin:

      00:02:12.752  [OWASP Dependency Check] [-ERROR-] Can't create fingerprints for some files:
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'ant-antlr-1.9.15.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'ant-antlr-1.9.15.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'ant-junit-1.9.15.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'ant-junit-1.9.15.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: com.jcraft:jsch.agentproxy.usocket-nc:0.0.9)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: org.apache.sshd:sshd-common:2.6.0)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: org.apache.sshd:sshd-core:2.6.0)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: org.apache.sshd:sshd-osgi:2.6.0)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'axion-release-plugin-1.13.6.jar (shaded: org.apache.sshd:sshd-sftp:2.6.0)' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'cli-2.332.2.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'commons-discovery-0.5.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'commons-httpclient-3.1-jenkins-3.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'commons-jelly-tags-fmt-1.0.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'commons-jelly-tags-fmt-1.0.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-] - 'fluent-hc-4.5.3.jar' file not found
      00:02:12.752  [OWASP Dependency Check] [-ERROR-]   ... skipped logging of 39 additional errors ...
      

      I checked the JSON file created by the OWASP Gradle plugin. First I thought the reason was the backslash in front of each file path separator:

      "filePath": "\/var\/lib\/jenkins\/.gradle\/caches\/modules-2\/files-2.1\/com.googlecode.javaewah\/JavaEWAH\/0.7.9\/eceaf316a8faf0e794296ebe158ae110c7d72a5a\/JavaEWAH-0.7.9.jar"
      

      Then I corrected the leading backslash with this in my pipeline:

      // readJSON / writeJSON come from the Pipeline Utility Steps plugin.
      // Parsing and re-serialising the report drops the "\/" escapes; no other field is changed.
      def owaspJsonFile = readJSON file: "${env.STR_WORKSPACE}/build/reports/dependencyCheck/dependency-check-report.json"
      owaspJsonFile.dependencies.each {
         echo "filePath = " + it.filePath   // log each path exactly as the scanner will read it
      }
      writeJSON file: "${env.STR_WORKSPACE}/build/reports/dependencyCheck/dependency-check-report.new.json", json: owaspJsonFile
      

      Now it looks like this:

      "filePath":"/var/lib/jenkins/.gradle/caches/modules-2/files-2.1/com.googlecode.javaewah/JavaEWAH/0.7.9/eceaf316a8faf0e794296ebe158ae110c7d72a5a/JavaEWAH-0.7.9.jar"
      

      But still the same error.
      The only guess for the root cause is shaded jar files, e.g.:

       "fileName":"cli-2.332.2.jar (shaded: com.sun.activation:jakarta.activation:2.0.1)","filePath":"/var/lib/jenkins/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/cli/2.332.2/c7e4e582f40baa64ca87d7f96e70b3b8fcba59d1/cli-2.332.2.jar/META-INF/maven/com.sun.activation/jakarta.activation/pom.xml"
      

      Does the OWASP parser support shaded jar files?

      The only workaround is ignoring the error by setting:

      failOnError: false
      
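As an added example (not code from the issue, from the warnings-ng plugin or from Dependency-Check), the preprocessing step a pipeline could run on the Dependency-Check JSON report before handing it to the scanner: it classifies every dependency entry by whether its filePath exists as a plain file, points inside an archive (the shaded case quoted above, where filePath continues past the .jar into META-INF/...), or cannot be found at all, and optionally rewrites the nested entries to their enclosing jar so a fingerprinter has a real file to hash. The report layout (a top-level dependencies array with fileName and filePath members) follows the excerpt in the issue; the sample entries, the stand-in file list and the originalFilePath field are constructed for the example, and whether a rewritten report satisfies a given warnings-ng version is not something the issue establishes.

```python
"""Triage Dependency-Check JSON report entries whose filePath cannot be opened.

Added example; assumes a report shaped like the excerpt in the issue:
{"dependencies": [{"fileName": ..., "filePath": ...}, ...]}.
"""
import json
import os
import re
from typing import Optional

# A path that continues *inside* an archive, e.g.
# ".../cli-2.332.2.jar/META-INF/maven/com.sun.activation/jakarta.activation/pom.xml"
_INSIDE_ARCHIVE = re.compile(
    r"^(?P<archive>.*?\.(?:jar|war|ear|zip))/(?P<member>.+)$", re.IGNORECASE
)


def enclosing_archive(file_path: str) -> Optional[str]:
    """Return the archive that contains a nested entry, or None for a plain file path."""
    m = _INSIDE_ARCHIVE.match(file_path)
    return m.group("archive") if m else None


def is_shaded(dep: dict) -> bool:
    """Dependency-Check marks shaded entries in fileName, as seen in the issue's log."""
    return "(shaded:" in dep.get("fileName", "")


def triage(report: dict, exists=os.path.exists) -> dict:
    """Split dependencies by whether a fingerprinter could hash their filePath.

    ok:      filePath exists on disk as given
    nested:  filePath points inside an archive and the enclosing archive exists
    missing: neither the path nor an enclosing archive exists
    `exists` is injectable so the example can run against a constructed file list.
    """
    result = {"ok": [], "nested": [], "missing": []}
    for dep in report.get("dependencies", []):
        path = dep.get("filePath", "")
        name = dep.get("fileName", path)
        if exists(path):
            result["ok"].append(name)
            continue
        archive = enclosing_archive(path)
        if archive and exists(archive):
            result["nested"].append(name)
        else:
            result["missing"].append(name)
    return result


def rewrite_nested_paths(report: dict, exists=os.path.exists) -> dict:
    """Return a copy of the report with nested entries pointed at their enclosing archive.

    Entries whose path already exists, or for which no archive can be found, are left alone.
    The original nested path is preserved in a hypothetical "originalFilePath" field.
    """
    out = json.loads(json.dumps(report))  # deep copy; the round-trip also drops "\/" escapes
    for dep in out.get("dependencies", []):
        path = dep.get("filePath", "")
        if exists(path):
            continue
        archive = enclosing_archive(path)
        if archive and exists(archive):
            dep["originalFilePath"] = path  # hypothetical field, kept for traceability
            dep["filePath"] = archive
    return out


# Constructed sample report modelled on the issue's excerpt (paths and hashes are made up).
SAMPLE_REPORT = json.loads(r'''{
  "dependencies": [
    {"fileName": "JavaEWAH-0.7.9.jar",
     "filePath": "\/cache\/com.googlecode.javaewah\/JavaEWAH\/0.7.9\/abc\/JavaEWAH-0.7.9.jar"},
    {"fileName": "cli-2.332.2.jar (shaded: com.sun.activation:jakarta.activation:2.0.1)",
     "filePath": "/cache/org.jenkins-ci.main/cli/2.332.2/def/cli-2.332.2.jar/META-INF/maven/com.sun.activation/jakarta.activation/pom.xml"},
    {"fileName": "gone-1.0.jar",
     "filePath": "/cache/gone/1.0/gone-1.0.jar"}
  ]
}''')

# Constructed stand-in for the filesystem so the example runs offline.
SAMPLE_FILES = {
    "/cache/com.googlecode.javaewah/JavaEWAH/0.7.9/abc/JavaEWAH-0.7.9.jar",
    "/cache/org.jenkins-ci.main/cli/2.332.2/def/cli-2.332.2.jar",
}


def sample_exists(path: str) -> bool:
    return path in SAMPLE_FILES


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT, exists=sample_exists), indent=2))
    print(json.dumps(rewrite_nested_paths(SAMPLE_REPORT, exists=sample_exists), indent=2))
```

The triage output shows which of the "file not found" entries are shaded members inside a jar that does exist and which are genuinely absent from the agent's filesystem (the plain jars in the issue's log fall into the second group, which this classification does not explain). Running the script with `os.path.exists` on the real report, on the same agent that produced it, separates the two cases before deciding whether failOnError: false is hiding anything.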

          [JENKINS-68415] Add option to suppress fingerprinting of affected files for specific issues

          R. Fitzner created issue -
          R. Fitzner made changes - Description (re-indented the pipeline snippet; otherwise identical to the description above)
          Ulli Hafner made changes -
          Component/s New: analysis-model [ 23523 ]
          Component/s Original: warnings-ng-plugin [ 24526 ]
          Ulli Hafner made changes -
          Issue Type Original: Bug [ 1 ] New: Improvement [ 4 ]
          Ulli Hafner made changes -
          Summary Original: [OWASP Dependency Check] [-ERROR-] Can't create fingerprints for some files New: Add option to suppress finger printing of affected files for specific issues
          Ulli Hafner made changes -
          Summary Original: Add option to suppress finger printing of affected files for specific issues New: Add option to suppress fingerprinting of affected files for specific issues
          Ulli Hafner made changes -
          Labels New: hacktoberfest help-wanted newbie-friendly ux
          Ulli Hafner made changes -
          Assignee Original: Ulli Hafner [ drulli ]
          Ulli Hafner made changes -
          Link New: This issue relates to JENKINS-72054 [ JENKINS-72054 ]
          Ulli Hafner made changes -
          Labels Original: hacktoberfest help-wanted newbie-friendly ux New: hacktoberfest help-wanted newbie-friendly
          Ulli Hafner made changes -
          Assignee New: Ulli Hafner [ drulli ]

            Assignee: Ulli Hafner (drulli)
            Reporter: R. Fitzner (rf)
            Votes: 0
            Watchers: 2