Dependency-Check CLI v3.3.0 is generating a SAXParseException that did not occur with v3.2.1 (at least based on usage in the Dependency-Check Jenkins plugin).
I am not a developer, but I am wondering if this is a regression introduced by the (v3.3.0) fix for #1016.
From Dependency-Check CLI log:
DEBUG - Begin Analysis of '/xxx/workspace/Archetype-Maven/zzz-dropwizard-swagger-archetype/target/dependency/plexus-utils-3.0.24.jar' (Jar Analyzer)
2018-07-25 10:11:38,447 org.owasp.dependencycheck.xml.pom.PomParser:97
DEBUG -
org.xml.sax.SAXParseException: Content is not allowed in prolog.
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1239)
at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:94)
at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:66)
at org.owasp.dependencycheck.xml.pom.PomUtils.readPom(PomUtils.java:62)
at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzePOM(JarAnalyzer.java:371)
at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzeDependency(JarAnalyzer.java:273)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:136)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
2018-07-25 10:11:38,448 org.owasp.dependencycheck.xml.pom.PomParser:68
DEBUG -
org.owasp.dependencycheck.xml.pom.PomParseException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; Content is not allowed in prolog.
at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:98)
at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:66)
at org.owasp.dependencycheck.xml.pom.PomUtils.readPom(PomUtils.java:62)
at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzePOM(JarAnalyzer.java:371)
at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzeDependency(JarAnalyzer.java:273)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:136)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.xml.sax.SAXParseException: Content is not allowed in prolog.
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1239)
at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:94)
... 11 common frames omitted
2018-07-25 10:11:38,449 org.owasp.dependencycheck.xml.pom.PomUtils:70
WARN - Unable to parse pom '/tmp/dctemp089467e9-a524-4207-8118-f5ce57235205/check3518320037875470105tmp/30/pom.xml'
2018-07-25 10:11:38,450 org.owasp.dependencycheck.xml.pom.PomUtils:81
DEBUG -
org.owasp.dependencycheck.xml.pom.PomParseException: Unable to parse pom '/tmp/dctemp089467e9-a524-4207-8118-f5ce57235205/check3518320037875470105tmp/30/pom.xml'
at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:69)
at org.owasp.dependencycheck.xml.pom.PomUtils.readPom(PomUtils.java:62)
at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzePOM(JarAnalyzer.java:371)
at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzeDependency(JarAnalyzer.java:273)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:136)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.owasp.dependencycheck.xml.pom.PomParseException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; Content is not allowed in prolog.
at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:98)
at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:66)
... 10 common frames omitted
Caused by: org.xml.sax.SAXParseException: Content is not allowed in prolog.
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1239)
at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:94)
... 11 common frames omitted
2018-07-25 10:11:38,451 org.owasp.dependencycheck.AnalysisTask:90
I can attach a full log if need be.
Two problem POMs are:
<dependency>
<groupId>org.codehaus.plexus</groupId>
<artifactId>plexus-utils</artifactId>
<version>3.0.24</version>
</dependency>
and:
<dependency>
<groupId>javax.mail</groupId>
<artifactId>mailapi</artifactId>
<version>1.4.3</version>
</dependency>
Both POM files include a copyright statement as a comment at the start... not sure if that is the problem. See:
http://central.maven.org/maven2/org/codehaus/plexus/plexus-utils/3.0.24/plexus-utils-3.0.24.pom
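Added triage example (not from the reporter and not dependency-check code): a leading comment is legal XML prolog content, so by itself it should not produce a prolog error. Xerces reports "Content is not allowed in prolog" when non-whitespace characters precede the first markup, which in practice usually means stray bytes before the declaration, an XML declaration that is not the very first thing in the file, or a byte-order mark that was already decoded into a character before the parser saw it. The script below builds constructed sample POMs (not the real plexus-utils or mailapi files) covering those cases, classifies what precedes the first markup, and checks each one with Python's expat-backed xml.sax parser. The verdicts match Xerces; the error wording does not, which is why the code asserts on well-formedness rather than on message text.

```python
"""Triage for "Content is not allowed in prolog"-style POM failures.

Added example, not dependency-check code. Uses Python's expat-backed
xml.sax rather than the Xerces parser dependency-check calls, so error
text differs, but the well-formedness verdicts are the same.
"""
import xml.sax
from xml.sax.handler import ContentHandler

UTF8_BOM = b"\xef\xbb\xbf"
# What a UTF-8 BOM turns into when a file is decoded as Latin-1 and then
# re-encoded as UTF-8: three letters, no longer a BOM.
MOJIBAKE_BOM = UTF8_BOM.decode("latin-1").encode("utf-8")

# Constructed sample POM pieces; these are not the real plexus-utils or mailapi files.
DECL = b'<?xml version="1.0" encoding="UTF-8"?>\n'
LICENSE_COMMENT = (
    b"<!-- Copyright (c) Example Org. Licensed under the Apache License 2.0 -->\n"
)
POM_BODY = (
    b"<project>\n"
    b"  <modelVersion>4.0.0</modelVersion>\n"
    b"  <groupId>org.example</groupId>\n"
    b"  <artifactId>demo</artifactId>\n"
    b"  <version>1.0</version>\n"
    b"</project>\n"
)

SAMPLES = {
    "decl, then comment": DECL + LICENSE_COMMENT + POM_BODY,
    "comment only, no decl": LICENSE_COMMENT + POM_BODY,
    "byte-level BOM, then decl": UTF8_BOM + DECL + LICENSE_COMMENT + POM_BODY,
    "comment, then decl": LICENSE_COMMENT + DECL + POM_BODY,
    "mojibake BOM, then decl": MOJIBAKE_BOM + DECL + POM_BODY,
    "stray text before root": b"junk\n" + POM_BODY,
}


def describe_prolog(data: bytes) -> str:
    """Classify what precedes the first markup, without parsing."""
    if data.startswith(UTF8_BOM):
        return "utf-8 BOM (legal at byte level; breaks if decoded into a char first)"
    if data.startswith(MOJIBAKE_BOM):
        return "mojibake BOM: file was decoded as Latin-1 and re-encoded"
    decl_at = data.find(b"<?xml")
    if decl_at > 0:
        return "XML declaration is not the first thing in the file"
    if not data.lstrip(b" \t\r\n").startswith(b"<"):
        return "non-markup bytes before the first '<'"
    return "clean"


def is_well_formed(data: bytes) -> tuple[bool, str]:
    """Run the bytes through a SAX parser; return (ok, parser message)."""
    try:
        xml.sax.parseString(data, ContentHandler())
        return True, ""
    except xml.sax.SAXParseException as exc:
        return False, exc.getMessage()


def triage(samples=SAMPLES) -> dict[str, tuple[str, bool]]:
    """Map each sample name to (prolog description, parses?)."""
    return {
        name: (describe_prolog(data), is_well_formed(data)[0])
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (why, ok) in triage().items():
        print(f"{name:28} parses={ok!s:5} prolog={why}")
```

To apply this to the files from the log, run describe_prolog over the bytes of the extracted pom.xml (the path under /tmp/dctemp... in the WARN line) rather than over the copy on Maven Central: the question is what the analyzer handed to the parser, and an encoding or BOM problem introduced while extracting or copying the POM would not be visible in the upstream file.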