
Error running dependency-check with Maven/Jenkins #2073

@obotor

Description

Hi!
I am running into an issue with the maven-dependency-check plugin.
The issue boils down to allowing XML/XSD parsing through Maven via Jenkins.
How should I set the accessExternalSchema property?
Thx

Logs

...
16:49:31 [INFO] Created CPE Index (4 seconds)
16:49:31 [WARNING] Unable to parse suppression xml file 'dependency-check-suppression.xml'
16:49:31 [WARNING] org.owasp.dependencycheck.xml.suppression.SuppressionParseException: org.xml.sax.SAXException: Line=2, Column=281: schema_reference: Failed to read schema document 'dependency-suppression.1.2.xsd', because 'file' access is not allowed due to restriction set by the accessExternalSchema property. 
16:49:31 [ERROR] Exception occurred initializing CPE Analyzer.
16:49:31 [INFO] Finished CPE Analyzer (4 seconds)
16:49:31 [INFO] Finished False Positive Analyzer (0 seconds)
16:49:31 [INFO] Finished NVD CVE Analyzer (0 seconds)
16:49:31 [INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
16:49:32 [WARNING] Unable to parse suppression xml file 'dependency-check-suppression.xml'
16:49:32 [WARNING] org.owasp.dependencycheck.xml.suppression.SuppressionParseException: org.xml.sax.SAXException: Line=2, Column=281: schema_reference: Failed to read schema document 'dependency-suppression.1.2.xsd', because 'file' access is not allowed due to restriction set by the accessExternalSchema property. 
16:49:32 [ERROR] Exception occurred initializing Vulnerability Suppression Analyzer.
16:49:32 [INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
16:49:32 [INFO] Finished Dependency Bundling Analyzer (0 seconds)
16:49:32 [INFO] Analysis Complete (5 seconds)
...

POM.xml

The plugin version is 5.1.0. A test with previous version 3.0.2 also failed in a similar manner.

<build>
  <pluginManagement>
    <plugins>
      ...
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency.check.plugin.version}</version>
      </plugin>
     ....
    </plugins>
  </pluginManagement>
</build>
....
<profile>
  <id>owasp</id>
  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
            <configuration>
              <outputDirectory>${project.build.directory}/owasp</outputDirectory>
              <name>dependency-check-report</name>
              <format>XML</format>
              <accessExternalSchema>all</accessExternalSchema>
              <showSummary>false</showSummary>
              <skipProvidedScope>true</skipProvidedScope>
              <rubygemsAnalyzerEnabled>false</rubygemsAnalyzerEnabled>
              <bundleAuditAnalyzerEnabled>false</bundleAuditAnalyzerEnabled>
              <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
              <nspAnalyzerEnabled>false</nspAnalyzerEnabled>
              <suppressionFiles>dependency-check-suppression.xml</suppressionFiles>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</profile>
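
The property named in the log is the JAXP 1.5 setting javax.xml.accessExternalSchema: a comma-separated list of URL protocols (or all, or the empty string for none) that the XML schema loader may use when it follows an external reference such as a schemaLocation hint, xs:import or xs:include. The Java program below is an added example, not dependency-check, Maven or Jenkins code. It writes two constructed schema files into a temp directory (main.xsd, which includes included.xsd; both stand in for the plugin's suppression schema) and compiles main.xsd three times with different values of the property, so you can see the same "'file' access is not allowed" failure the Jenkins log shows and the values that lift it:

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXException;

/**
 * Added demo (not dependency-check code): shows how the JAXP accessExternalSchema
 * property decides whether an xs:include that resolves to a file: URL may be read.
 */
public class AccessExternalSchemaDemo {

    // Constructed stand-in for dependency-suppression.1.2.xsd: declares the root element.
    private static final String INCLUDED_XSD =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">\n"
      + "  <xs:element name=\"suppressions\"/>\n"
      + "</xs:schema>\n";

    // Constructed top-level schema; its xs:include is the external reference JAXP restricts.
    private static final String MAIN_XSD =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">\n"
      + "  <xs:include schemaLocation=\"included.xsd\"/>\n"
      + "</xs:schema>\n";

    /**
     * Compiles main.xsd with the given accessExternalSchema value.
     * Returns "ok" on success, otherwise the parser's error message.
     */
    static String compile(Path mainXsd, String accessExternalSchema) {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        try {
            // Same switch the JVM-wide -Djavax.xml.accessExternalSchema=... flag controls;
            // a property set explicitly on the factory takes precedence over the system property.
            factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, accessExternalSchema);
            // The top-level document is read regardless; the include inside it is what gets checked.
            factory.newSchema(mainXsd.toFile());
            return "ok";
        } catch (SAXException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("jaxp-demo");
        Path mainXsd = dir.resolve("main.xsd");
        Files.write(mainXsd, MAIN_XSD.getBytes(StandardCharsets.UTF_8));
        Files.write(dir.resolve("included.xsd"), INCLUDED_XSD.getBytes(StandardCharsets.UTF_8));

        // "" = no protocol allowed: reproduces the "'file' access is not allowed" failure.
        System.out.println("accessExternalSchema=\"\"     -> " + compile(mainXsd, ""));
        // "file" is the least-privilege value for a schema that ships on local disk.
        System.out.println("accessExternalSchema=\"file\" -> " + compile(mainXsd, "file"));
        // "all" also permits http/https fetches, which a build server usually should not need.
        System.out.println("accessExternalSchema=\"all\"  -> " + compile(mainXsd, "all"));
    }
}
```

The first run fails with the JDK's "schema_reference: Failed to read schema document 'included.xsd', because 'file' access is not allowed due to restriction set by the accessExternalSchema property." message, the other two print ok. For a parser you cannot edit, the equivalent JVM-wide switch is the system property, for example MAVEN_OPTS="-Djavax.xml.accessExternalSchema=file" on the JVM that runs Maven under Jenkins, or a javax.xml.accessExternalSchema=file line in $JAVA_HOME/jre/lib/jaxp.properties on JDK 8. A value set in code (as compile does above) overrides both, so whether a JVM-wide setting reaches a given parser depends on how that parser was built. Prefer file over all on a build server unless a schema really has to be fetched over the network, since all also lets the parser follow http/https schema references.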
