DependencyCheck: I'm suddenly getting TransportException on OSS Index Analyzer

Version: 8.1.2

[ERROR] 	AnalysisException: Failed to request component-reports
[ERROR] 		caused by TransportException: Unexpected response; status: 503
...
[ERROR] 	AnalysisException: Failed to request component-reports
[ERROR] 		caused by TransportException: Unexpected response; status: 503

exceptions:

org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.owasp:dependency-check-maven:8.1.2:check (default) on project *: One or more exceptions occurred during dependency-check analysis
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:347)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:330)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:213)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:175)
    at org.apache.maven.lifecycle.internal.MojoExecutor.access$000 (MojoExecutor.java:76)
    at org.apache.maven.lifecycle.internal.MojoExecutor$1.run (MojoExecutor.java:163)
    at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute (DefaultMojosExecutionStrategy.java:39)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:160)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:105)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:73)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:53)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:118)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:260)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:172)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:100)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:821)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:270)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:77)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:568)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: org.apache.maven.plugin.MojoExecutionException: One or more exceptions occurred during dependency-check analysis
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1951)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:1102)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:126)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:342)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:330)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:213)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:175)
    at org.apache.maven.lifecycle.internal.MojoExecutor.access$000 (MojoExecutor.java:76)
    at org.apache.maven.lifecycle.internal.MojoExecutor$1.run (MojoExecutor.java:163)
    at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute (DefaultMojosExecutionStrategy.java:39)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:160)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:105)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:73)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:53)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:118)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:260)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:172)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:100)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:821)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:270)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:77)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:568)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during analysis:
	AnalysisException: Failed to request component-reports
		caused by TransportException: Unexpected response; status: 503
	AnalysisException: Failed to request component-reports
		caused by TransportException: Unexpected response; status: 503
	AnalysisException: Failed to request component-reports
		caused by TransportException: Unexpected response; status: 503
	AnalysisException: Failed to request component-reports
		caused by TransportException: Unexpected response; status: 503
	AnalysisException: Failed to request component-reports
		caused by TransportException: Unexpected response; status: 503
	AnalysisException: Failed to request component-reports
		caused by TransportException: Unexpected response; status: 503
	AnalysisException: Failed to request component-reports
		caused by TransportException: Unexpected response; status: 503
	AnalysisException: Failed to request component-reports
		caused by TransportException: Unexpected response; status: 503
    at org.owasp.dependencycheck.Engine.analyzeDependencies (Engine.java:687)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1919)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:1102)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:126)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:342)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:330)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:213)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:175)
    at org.apache.maven.lifecycle.internal.MojoExecutor.access$000 (MojoExecutor.java:76)
    at org.apache.maven.lifecycle.internal.MojoExecutor$1.run (MojoExecutor.java:163)
    at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute (DefaultMojosExecutionStrategy.java:39)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:160)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:105)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:73)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:53)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:118)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:260)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:172)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:100)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:821)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:270)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:77)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:568)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)

About this issue

Original URL
State: open
Created a year ago
Reactions: 23
Comments: 30 (4 by maintainers)

Most upvoted comments

It’s down again 😦

+14

Hoaas on Mar 21, 2023

https://ossindex.sonatype.org/ is up again.

+12

robtimus on Mar 17, 2023

It looks like Sonatype OSS Index is down: https://ossindex.sonatype.org/ 503 Service Temporarily Unavailable

chadlwilson on Mar 17, 2023

As a workaround, it helps to use this property in order to turn the error into a warning:

<ossIndexWarnOnlyOnRemoteErrors>true</ossIndexWarnOnlyOnRemoteErrors>

propertius on Mar 17, 2023

https://ossindex.sonatype.org/ is up again.

m-ibot on Mar 21, 2023

I hit this too. The error message wasn’t all that clear to me at first. Maybe it could be improved a bit by including that URL?

Jurrie on Mar 17, 2023

Shouldn’t the use of the OSS Index Analyzer simply be disabled by default and require everyone to explicitly opt-in to use it now? Their site contains the following notice:

Starting April 24, 2023, unregistered users will be limited to 40 requests per month on OSS Index. We encourage you to
create an account and authenticate with OSS Index to increase your usage limits. Authenticated users may have access to
additional features and higher usage limits.

Limiting unregistered users to 40 requests per month seems incredibly low and untenable for automated CI pipelines. Additionally, from what I can see, they do not clearly state how many requests are allowed even if you register an account, which makes it especially difficult to even estimate whether you can rely on the service in the first place.

norrisjeremy on Jun 20, 2023

I’m using a registered user and I’m having the same issue, so it seems something else is happening.

giacgbj on Jun 5, 2023

Started to fail again with 502 today:

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:8.3.1:check (default-cli) on project rcs: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis:
[ERROR] 	AnalysisException: Failed to request component-reports
[ERROR] 		caused by SocketTimeoutException: Read timed out
[ERROR] 	AnalysisException: Failed to request component-reports
[ERROR] 		caused by SocketTimeoutException: Read timed out
[ERROR] 	AnalysisException: Failed to request component-reports
[ERROR] 		caused by TransportException: Unexpected response; status: 502
[ERROR] 	AnalysisException: Failed to request component-reports
[ERROR] 		caused by SocketTimeoutException: Read timed out
[ERROR] -> [Help 1]

This is a bit annoying to have this repeating issue every now and then.

dmitry-weirdo on Jun 20, 2023

@karthickram286 I tested the same in maven and it doesn’t work either 😕

viniciusxyz on Mar 21, 2023

OSS Index does not support sending bulk requests? We noticed that the queries there seem to go separately for each library. Is there any way to optimize this?

EugRomanchenko on Mar 17, 2023

Any plans to fix this? Is it reported to Sonatype?

dmitry-weirdo on Mar 17, 2023

And ref the comment above: Pass --ossIndexRemoteErrorWarnOnly true if using the CLI https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html

Sti2nd on Mar 17, 2023

https://status.maven.org/ reports all is up, so it doesn’t seem that this server is monitored correctly. I’ve created https://issues.sonatype.org/browse/MVNCENTRAL-7940, so the Sonatype team should now be aware of the issue.

robtimus on Mar 17, 2023