DependencyCheck: Multiple "AnalysisException: OSS Index rate limit exceeded" errors on plugin execution

Starting today (25.05.2022), multiple errors started to fail on each execution. No plugin version changed (was and remains the 7.1.0 version).

Error examples (an error is failing for each of the dependencies):

[WARNING] An error occurred while analyzing '/tmp/dctemp2224d3d1-bfef-48de-b1f5-0e97d0983265/check9478530389331146964tmp/208/META-INF/resources/webjars/shepherd.js/8.2.3/.jsdoc.js' (Sonatype OSS Index Analyzer).

[ERROR] 	AnalysisException: OSS Index rate limit exceeded
[ERROR] 		caused by TransportException: Unexpected response; status: 429

There are actually the NPEs that are probably the root cause:

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project ins-app: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis:
[ERROR] 	AnalysisException: Failed to request component-reports
[ERROR] 		caused by NullPointerException: Cannot invoke "org.sonatype.goodies.packageurl.PackageUrl.toString()" because "coordinates" is null
[ERROR] 	AnalysisException: Failed to request component-reports
[ERROR] 		caused by NullPointerException: Cannot invoke "org.sonatype.goodies.packageurl.PackageUrl.toString()" because "coordinates" is null
[ERROR] 	AnalysisException: Failed to request component-reports
[ERROR] 		caused by NullPointerException: Cannot invoke "org.sonatype.goodies.packageurl.PackageUrl.toString()" because "coordinates" is null
[ERROR] 	AnalysisException: Failed to request component-reports
[ERROR] 		caused by NullPointerException: Cannot invoke "org.sonatype.goodies.packageurl.PackageUrl.toString()" because "coordinates" is null
[ERROR] 	AnalysisException: Failed to request component-reports

etc.

About this issue

  • Original URL
  • State: open
  • Created 2 years ago
  • Reactions: 46
  • Comments: 59 (5 by maintainers)

Commits related to this issue

Most upvoted comments

If anyone comes here because their pipeline in azure devops is failing, just follow these two steps:

additionalArguments: | –ossIndexUsername YOUREMAIL --ossIndexPassword YOURPASS

+6
rvgiesen on May 25, 2022

@ankurga The NVD database was updated, see e.g. https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-1132080062 - you have to suppress it by yourself.

+6
danielbraeutigam on May 25, 2022

Happening for me as well. Also, all the plugin versions have started giving false positives for multiple jar files:

spring-boot-2.6.8.jar (pkg:maven/org.springframework.boot/spring-boot@2.6.8, cpe:2.3:a:vmware:spring_boot:2.6.8:*:*:*:*:*:*:*, cpe:2.3:a:vmware:spring_framework:2.6.8:*:*:*:*:*:*:*) : CVE-2013-4152, CVE-2013-7315, CVE-2014-0054, CVE-2016-1000027, CVE-2022-22965, CVE-2022-22968
spring-core-5.3.20.jar (pkg:maven/org.springframework/spring-core@5.3.20, cpe:2.3:a:pivotal_software:spring_framework:5.3.20:*:*:*:*:*:*:*, cpe:2.3:a:springsource:spring_framework:5.3.20:*:*:*:*:*:*:*, cpe:2.3:a:vmware:spring_framework:5.3.20:*:*:*:*:*:*:*, cpe:2.3:a:vmware:springsource_spring_framework:5.3.20:*:*:*:*:*:*:*) : CVE-2016-1000027

This has now blocked all our maven builds. Can we please have a solution to this?

+6
ankurga on May 25, 2022

I wouldn’t recommend disabling the oss indexer though, we are currently getting four failures with the indexer enabled, but none with it disabled. I would instead recommend registering with oss index and setting a username and password / api key.

How to accomplish this with maven? (which properties to set / provide)

cheers flash ⚡

got it working. Provide ossIndexServerId with a value to the id in the settings.xml file

e.g. -DossIndexServerId=owasp-oss-index

and in your settings.xml

<settings>
  <servers>
    <server>
      <id>owasp-oss-index</id>
      <username>foo</username>
      <password>bla</password>
    </server>
  </servers>
</settings>

More info: https://jeremylong.github.io/DependencyCheck/dependency-check-maven/aggregate-mojo.html#ossIndexServerId

@petergphillips can confirm, that with a registered user account it works Thanks for the hints!

And yes, it seems like the rate limit to 128 modules per request is new

cheers flash ⚡

+3
flash-me on May 25, 2022

I wouldn’t recommend disabling the oss indexer though, we are currently getting four failures with the indexer enabled, but none with it disabled. I would instead recommend registering with oss index and setting a username and password / api key.

How to accomplish this with maven? (which properties to set / provide)

cheers flash ⚡

+3
flash-me on May 25, 2022

Is it possible to disable it? Or use a local nexus server instead? It really slows down the scan process.

Yes you can disable the analyzer using <ossindexAnalyzerEnabled >false</ossindexAnalyzerEnabled>

+3
lzuyderhoff on May 25, 2022

Same for me. Problem solved. Thanks.

+2
lzuyderhoff on May 25, 2022

We too have this issue since today. Registring with ossindex.sonatype.org and using that username/password with command line options --ossIndexUsername and --ossIndexPassword solved the issue.

+2
echalone on May 25, 2022

I wouldn’t recommend disabling the oss indexer though, we are currently getting four failures with the indexer enabled, but none with it disabled. I would instead recommend registering with oss index and setting a username and password / api key.

Looks like currently you cannot register on ossindex.sonatype getting a 500 error

registering works; you should receive an email with a confirmation link …

+2
NorthernKgalagadi on May 25, 2022

@danielbraeutigam @ankurga : The problem you are discussing is not related to the issue reported so lets take it separately. As of now all projects using owasp-dependency-check plugin with version 6.X.X and 7.1.0 don’t build. Something has recently changed at SONATYPE. I can reproduce the same locally as well on our CI platforms.

[ERROR] 	AnalysisException: Failed to request component-reports
[ERROR] 		caused by NullPointerException: null
[ERROR] 	AnalysisException: OSS Index rate limit exceeded
[ERROR] 		caused by TransportException: Unexpected response; status: 429

On debug we see:

[DEBUG] Connecting to: https://ossindex.sonatype.org/api/v3/component-report
[DEBUG] Error requesting component reports
java.lang.NullPointerException
    at org.sonatype.ossindex.service.client.cache.DirectoryCache.entryKey (DirectoryCache.java:149)
    at org.sonatype.ossindex.service.client.cache.DirectoryCache.entryFile (DirectoryCache.java:157)
    at org.sonatype.ossindex.service.client.cache.DirectoryCache.putAll (DirectoryCache.java:134)

The URL https://ossindex.sonatype.org/api/v3/component-report is throwing 429 (Rate limiting)

+2
achintSatsangi on May 25, 2022

We are also experiencing this same issue. I did some investigating and this seems to be caused by handling of the response failing. That in turn results in the same request being sent on every dependency until rate limit is reached.

[DEBUG] Error requesting component reports
java.lang.NullPointerException
    at org.sonatype.ossindex.service.client.cache.DirectoryCache.entryKey (DirectoryCache.java:149)
    at org.sonatype.ossindex.service.client.cache.DirectoryCache.entryFile (DirectoryCache.java:157)
    at org.sonatype.ossindex.service.client.cache.DirectoryCache.putAll (DirectoryCache.java:134)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.requestComponentReports (OssindexClientImpl.java:171)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.requestReports (OssIndexAnalyzer.java:219)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:134)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:829)
[WARNING] An error occurred while analyzing '/home/user/.m2/repository/com/amazonaws/aws-java-sdk-mediaconnect/1.11.863/aws-java-sdk-mediaconnect-1.11.863.jar' (Sonatype OSS Index Analyzer).
[DEBUG] 
org.owasp.dependencycheck.analyzer.exception.AnalysisException: Failed to request component-reports
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:157)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:829)
Caused by: java.lang.NullPointerException
    at org.sonatype.ossindex.service.client.cache.DirectoryCache.entryKey (DirectoryCache.java:149)
    at org.sonatype.ossindex.service.client.cache.DirectoryCache.entryFile (DirectoryCache.java:157)
    at org.sonatype.ossindex.service.client.cache.DirectoryCache.putAll (DirectoryCache.java:134)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.requestComponentReports (OssindexClientImpl.java:171)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.requestReports (OssIndexAnalyzer.java:219)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:134)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:829)

There is a large amount of these failed requests until eventually only rate-limit is logged.

+2
jwwallin on May 25, 2022

@danielbraeutigam thanks, but we have many projects dependent on that. So, we need to update for all of them?

+2
ankurga on May 25, 2022

I am facing this issue now, seems to be same behaviour:

… [DependencyCheck] [WARN] An error occurred while analyzing ‘/var/jenkins_home/workspace/xxx/node_modules/@blueprintjs/core/lib/cjs/components/panel-stack2/panelStack2.js’ (Sonatype OSS Index Analyzer). … [DependencyCheck] [ERROR] Failed to request component-reports [DependencyCheck] [ERROR] OSS Index rate limit exceeded …

I tried providing a username and password to authenticate with OSS but the problem persists.

+1
Redirts on Oct 18, 2022

We have been facing this issue too!.But the cause seems to be different. AnalysisException: Failed to request component-reports caused by SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed caused by ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed caused by CertPathValidatorException: validity check failed caused by CertificateExpiredException: NotAfter: Thu May 26 09:59:59 AEST 2022 image

owasp gradle plugin version. - 7.1.0.1 What’s the resolution for this issue

The issue is resolved now.We don’t face this issue now.

+1
Subhalakshmi1986 on May 26, 2022

@Subhalakshmi1986 Looks like it expired a few hours ago, so a new issue.

+1
chadlwilson on May 26, 2022

Fix mentioned in https://github.com/jeremylong/DependencyCheck/issues/4535#issuecomment-1137283693 worked for me now without changing any configuration.

+1
danielbraeutigam on May 25, 2022

see https://github.com/jeremylong/DependencyCheck/issues/4535#issuecomment-1137136998

+1
NorthernKgalagadi on May 25, 2022

I wouldn’t recommend disabling the oss indexer though, we are currently getting four failures with the indexer enabled, but none with it disabled. I would instead recommend registering with oss index and setting a username and password / api key.

Looks like currently you cannot register on ossindex.sonatype getting a 500 error

+1
garyc0221 on May 25, 2022

It looks like sonatype have started rate limiting more aggressively for anonymous accounts. One solution is to register for an account with sonatype and supply a username and password / api key e.g. for gradle users

dependencyCheck {
  analyzers.ossIndex.username = "<username>"
  analyzers.ossIndex.password = "<password>"
}

I’m not sure if this is the real issue. The first calls do not start with 429, but with NullPointerException, as already mentioned

cheers flash ⚡

Agreed, it didn’t look like that to me either, since I was getting exactly the same errors as you. However I can confirm that for me supplying credentials to the oss index then meant that I stopped getting the null pointer exception and rate limited exceeded errors and the check then succeeded.

+1
petergphillips on May 25, 2022
Read more comments on GitHub
← DependencyCheck: MavenCentral (504): Gateway Time-out
DependencyCheck: mvn: 9.0.6 Error updating the NVD Data →