dependency-check-maven 9.0.4 cannot fetch our suppressions XML #6283

Closed
gbrinkmann opened this issue Dec 12, 2023 · 2 comments

gbrinkmann commented Dec 12, 2023

Describe the bug

dependency-check-maven 9.0.4 cannot fetch our suppressions XML

Log with mvn -X (the <url to our xml in our bitbucket> is the raw bitbucket file URL like in .../dependency-check-maven/raw/dependency-excludes.xml)

...
[DEBUG] Loading suppression rules from 'https://<url to our xml in our bitbucket>'
[DEBUG] Attempting retrieval of https://<url to our xml in our bitbucket>
[DEBUG] Available Protocols:
[DEBUG] SSLv2Hello
[DEBUG] SSLv3
[DEBUG] TLSv1
[DEBUG] TLSv1.1
[DEBUG] TLSv1.2
[DEBUG] TLSv1.3
[DEBUG] Attempting retrieval of https://<url to our xml in our bitbucket>
[WARNING] Unable to fetch the configured suppression file 'https://<url to our xml in our bitbucket>'
[DEBUG]
org.owasp.dependencycheck.utils.DownloadFailedException: Download failed, unable to copy 'https://<url to our xml in our bitbucket>' to 'C:\TEMP\dctempeb0ca8be-9fbe-49fa-b153-75e835aa350a\suppression942f87d8-db46-441c-90ae-e3885e0db92a.xml'; Error downloading file https://<url to our xml in our bitbucket>; unable to connect.
    at org.owasp.dependencycheck.utils.Downloader.fetchFile (Downloader.java:136)
...
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error downloading file https://<url to our xml in our bitbucket>; unable to connect.
    at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection (HttpResourceConnection.java:267)
...
Caused by: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 503 Service Unavailable"
    at sun.net.www.protocol.http.HttpURLConnection.doTunneling0 (HttpURLConnection.java:2271)
    at sun.net.www.protocol.http.HttpURLConnection.doTunneling (HttpURLConnection.java:2143)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect (AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect (HttpsURLConnectionImpl.java:141)
    at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection (HttpResourceConnection.java:206)
...

Notes:

Version of dependency-check used
dependency-check-maven 9.0.4

Log file
see above

To Reproduce

n/a

Expected behavior
Successful usage of our suppressions XML.

Additional context

n/a

gbrinkmann added the bug label Dec 12, 2023
weyhmueller added a commit to weyhmueller/DependencyCheck that referenced this issue Dec 12, 2023
While there are different system properties for http and https proxies, there is only one shared property for proxy exclusions: http.nonProxyHosts

Setting https.nonProxyHosts has no effect on any recent JDK

Fixes jeremylong#6283
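
The behaviour described in the commit message above can be reproduced against the JDK's default `ProxySelector`. This is an added example, not code from DependencyCheck or from the referenced commit; the host names, port and class name are constructed placeholders.

```java
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.URI;

public class NonProxyHostsDemo {
    // Constructed placeholders, not values from the issue.
    static final URI INTERNAL =
            URI.create("https://bitbucket.example.internal/raw/dependency-excludes.xml");
    static final URI EXTERNAL = URI.create("https://repo.example.org/feed.json");

    /** First route the JDK's default ProxySelector picks for the URI. */
    static Proxy route(URI uri) {
        return ProxySelector.getDefault().select(uri).get(0);
    }

    static void report(String label) {
        System.out.println(label);
        System.out.println("  internal -> " + route(INTERNAL));
        System.out.println("  external -> " + route(EXTERNAL));
    }

    public static void main(String[] args) {
        // HTTPS traffic is configured to go through a proxy.
        System.setProperty("https.proxyHost", "proxy.example.internal");
        System.setProperty("https.proxyPort", "3128");

        // Exclusion given under the https.* name only: the default selector
        // never reads this property, so the internal host is still proxied.
        System.clearProperty("http.nonProxyHosts");
        System.setProperty("https.nonProxyHosts", "*.example.internal");
        report("https.nonProxyHosts only:");

        // Same pattern under http.nonProxyHosts: it applies to https URLs too,
        // so the internal host now gets a DIRECT route.
        System.setProperty("http.nonProxyHosts", "*.example.internal");
        report("http.nonProxyHosts set:");
    }
}
```
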
@jeremylong
Owner

This should hopefully be fixed with 9.0.5 - which should be released in a day or two.

@gbrinkmann
Author

Test feedback: it works

...
[INFO] --- dependency-check:9.0.5:aggregate (default) @ myproject ---
...
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
...
[INFO] Suppression Rule had zero matches: (some of these log messages)
...
[INFO] BUILD SUCCESS
