DependencyCheck: Bug in Maven Central Analyzer

I’m not positive yet if this is an issue on my end or if it’s a legitimate problem. The Maven Central analyzer has been throwing errors; it’s getting a 400 back from Maven Central. I piped the results through Fiddler to take a look at what’s going on. If I put the URL into Chrome it works, so I realized that the difference is that Chrome is URL encoding the quotation marks.

https://search.maven.org/solrsearch/select?q=1:"<sha1>"&wt=xml is what Dependency Check is trying to use.

https://search.maven.org/solrsearch/select?q=1:%22<sha1>%22&wt=xml works.
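As an added example (not code from the issue or from DependencyCheck itself), the Python below builds the solrsearch lookup URL both ways, checks that only the percent-encoded form is free of literal quotation marks, shows that both forms decode to the same query on the server side, and parses a constructed sample of the wt=xml answer. The endpoint and the `1:` SHA-1 field are taken from the URLs above; the artifact bytes and the XML response are constructed stand-ins, not captured data.

```python
"""Build a correctly encoded Maven Central SHA-1 search URL and parse the
XML answer. Added example; not DependencyCheck's own code."""
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

# Endpoint as shown in the issue.
SEARCH_ENDPOINT = "https://search.maven.org/solrsearch/select"


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 of an artifact's bytes, the key the central analyzer looks up."""
    return hashlib.sha1(data).hexdigest()


def central_search_url(sha1: str, encode_query: bool = True) -> str:
    """Return the solrsearch URL for a SHA-1.

    encode_query=True percent-encodes the query value, so the quotation marks
    become %22 (the form the browser sends and the server accepts).
    encode_query=False embeds the raw 1:"<sha1>" value, which is the request
    the issue reports as being answered with HTTP 400.
    """
    if len(sha1) != 40 or any(c not in "0123456789abcdef" for c in sha1.lower()):
        raise ValueError("expected a 40-character hex SHA-1")
    raw = f'1:"{sha1}"'
    # Keep ':' literal to match the working URL from the issue; '"' -> %22.
    value = quote(raw, safe=":") if encode_query else raw
    return f"{SEARCH_ENDPOINT}?q={value}&wt=xml"


def has_unencoded_quotes(url: str) -> bool:
    """True if the URL still carries a literal quotation mark, i.e. it was
    assembled without percent-encoding the query value."""
    return '"' in url


def decoded_query(url: str) -> str:
    """The q parameter as the server sees it after percent-decoding."""
    return parse_qs(urlsplit(url).query)["q"][0]


# Constructed sample of the wt=xml answer shape (not a real captured response).
SAMPLE_RESPONSE = """<response>
  <result name="response" numFound="1" start="0">
    <doc>
      <str name="g">org.example</str>
      <str name="a">example-lib</str>
      <str name="v">1.2.3</str>
    </doc>
  </result>
</response>"""


def parse_coordinates(xml_text: str) -> list:
    """Extract (groupId, artifactId, version) tuples from a solrsearch XML body."""
    root = ET.fromstring(xml_text)
    hits = []
    for doc in root.iter("doc"):
        fields = {s.get("name"): s.text for s in doc.findall("str")}
        hits.append((fields.get("g"), fields.get("a"), fields.get("v")))
    return hits


if __name__ == "__main__":
    digest = sha1_hex(b"constructed stand-in for a jar's bytes")
    print(central_search_url(digest, encode_query=False))  # literal quotes
    print(central_search_url(digest))                      # %22, accepted form
    print(parse_coordinates(SAMPLE_RESPONSE))
```

Both URLs percent-decode to the same Solr query, which is why the request looks right in a debugger; the difference that matters is whether the client serialized the `"` characters before sending.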

About this issue

  • State: closed
  • Created 7 years ago
  • Reactions: 9
  • Comments: 58 (10 by maintainers)

Most upvoted comments

3.0.2 has been mostly released - gradle, maven, ant, and CLI have been published - it just takes time to cycle through Central. Jenkins and brew will be released hopefully later today… Sorry for the inconvenience - but this project isn’t corporate sponsored and I do not believe any of the core contributors work on dependency-check as part of their day job.

I’m still getting the “[ERROR] Could not connect to Central search. Analysis failed.” intermittently. I’m using version 3.1.2 (latest version as of the moment) and sometimes it works, sometimes not. I’m not changing anything in my config and still getting the error randomly.

Has anyone experienced this? Is disabling centralAnalyzer the only option I have? Thanks.

This is affecting my organization as well. The workaround I found was to disable the Maven Central Analyzer in the global Manage Jenkins Configuration under OWASP Dependency-Check – Dependency-Check: Standard Analyzers and Dependency-Report: Standard Analyzers. (Many of our builds are using the Jenkins OWASP plugin instead of Maven’s.)

Jenkins plugin has been pushed as well. It usually takes a half-day for it to show up in the update site, but it can be downloaded directly for those wanting to get it earlier.

https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/dependency-check-jenkins-plugin/3.0.2/

https://github.com/jeremylong/DependencyCheck/releases shows that 3.0.2 isn’t released yet, do you have an estimate when this will happen?

The version with the Maven and Gradle plugins disabling the central analyzer by default have not been published yet. Hopefully this weekend.

@1605200517 Consider disabling the central analyzer for the integration into a Maven build. Very little is gained from using the Central analyzer when using the Maven or Gradle plugin.

I’m desperately waiting for a release, too.

No - the maven plugin is one of the best ways to run dependency-check. However, within dependency-check there is a centralAnalyzer that can add a lot to the execution time and provide little to no benefit (it does add benefit to the ant, command line, and Jenkins executions though).

We are working on a replacement/change for the central analyzer. I would highly recommend just disabling it if you are using the Maven or Gradle plugins as you get very little benefit in using it.

@dannil still hasn’t failed after adding the -X switch; I will comment back here when it happens.

Hi @dannil, it does seem like a temporary network issue (don’t know whether on our end or the Maven Central side). I tried again a few minutes later and it worked fine. But I have noticed this issue several times before and it is a bit of a problem for us as we need reliable builds.

@THausherr great question - the obvious answer is Central has been updated. I know that there have been some issues with the Central Analyzer and I’m trying to come up with alternatives.

@born2snipe in terms of the next release - the team has not discussed a planned next release yet. I will try and cycle through the current list of FP and then cut the next release. Given my schedule I think that will happen next weekend (by Nov 19th).