Describe the bug
The dependency-check throws an IllegalArgumentException "URLDecoder: Incomplete trailing escape (%) pattern" when analyzing the dependency org.scalameta:common_2.13:4.9.1. The actual culprit seems to be the transitive dependency com.google.summit:summit-ast:2.2.0 with the following two softwareIdentifiers:
The second identifier is not a valid URL, leading to URLDecoder failing with "Incomplete trailing escape (%) pattern".
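To make the failure mode concrete, here is an added example (not dependency-check's or the reporter's code) that mirrors java.net.URLDecoder's strictness in Python and shows how a malformed identifier can be skipped individually instead of failing the whole OSS Index request; the purls in it are constructed sample values, not the real identifiers from summit-ast.

```python
# Added example: strict percent-decoding of package-URL components that fails
# the same way java.net.URLDecoder does on a dangling '%', plus a collector
# that drops only the bad identifier. All purls here are constructed samples.
import logging
import string

log = logging.getLogger("purl")


def strict_percent_decode(component: str) -> str:
    """Decode %XX escapes; raise ValueError on a '%' not followed by two hex
    digits, mirroring 'URLDecoder: Incomplete trailing escape (%) pattern'."""
    buf = bytearray()
    i = 0
    while i < len(component):
        if component[i] != "%":
            buf += component[i].encode("utf-8")
            i += 1
            continue
        pair = component[i + 1:i + 3]
        if len(pair) != 2 or not all(c in string.hexdigits for c in pair):
            raise ValueError(
                f"Incomplete trailing escape (%) pattern at offset {i} in {component!r}")
        buf.append(int(pair, 16))
        i += 3
    return buf.decode("utf-8")


def parse_purl(purl: str) -> dict:
    """Minimal purl parser for pkg:type/namespace/name@version (qualifiers and
    subpath are not handled). Raises ValueError on a bad scheme or escape."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    path, has_version, version = purl[len("pkg:"):].partition("@")
    ptype, _, rest = path.partition("/")
    namespace, _, name = rest.rpartition("/")
    return {
        "type": ptype,
        "namespace": strict_percent_decode(namespace) if namespace else None,
        "name": strict_percent_decode(name),
        "version": strict_percent_decode(version) if has_version else None,
    }


def collect_purls(identifiers):
    """Parse every software identifier; keep the valid ones and record the
    rejected ones so a single malformed purl does not abort the analysis."""
    valid, rejected = [], []
    for ident in identifiers:
        try:
            valid.append(parse_purl(ident))
        except ValueError as exc:
            log.warning("skipping malformed software identifier %s: %s", ident, exc)
            rejected.append(ident)
    return valid, rejected
```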
Version of dependency-check used
The problem occurs using version 9.2.0 of the maven plugin. It does not occur with earlier versions.
Log file
Warning: An error occurred while analyzing '/home/runner/.m2/repository/org/scalameta/common_2.13/4.9.1/common_2.13-4.9.1.jar' (Sonatype OSS Index Analyzer).
[DEBUG]
org.owasp.dependencycheck.analyzer.exception.AnalysisException: Failed to request component-reports
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:170)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run (FutureTask.java:264)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1136)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:635)
at java.lang.Thread.run (Thread.java:840)
Caused by: java.lang.IllegalArgumentException: URLDecoder: Incomplete trailing escape (%) pattern
at java.net.URLDecoder.decode (URLDecoder.java:230)
at java.net.URLDecoder.decode (URLDecoder.java:147)
at org.sonatype.goodies.packageurl.PercentEncoding.decode (PercentEncoding.java:78)
at org.sonatype.goodies.packageurl.PackageUrlParser.parseVersion (PackageUrlParser.java:144)
at org.sonatype.goodies.packageurl.PackageUrlParser.parse (PackageUrlParser.java:107)
at org.sonatype.goodies.packageurl.PackageUrl.parse (PackageUrl.java:293)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.parsePackageUrl (OssIndexAnalyzer.java:203)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$null$1 (OssIndexAnalyzer.java:223)
at java.util.stream.ReferencePipeline$3$1.accept (ReferencePipeline.java:197)
at java.util.stream.ReferencePipeline$2$1.accept (ReferencePipeline.java:179)
at java.util.TreeMap$KeySpliterator.forEachRemaining (TreeMap.java:3064)
at java.util.stream.AbstractPipeline.copyInto (AbstractPipeline.java:509)
at java.util.stream.AbstractPipeline.wrapAndCopyInto (AbstractPipeline.java:499)
at java.util.stream.ForEachOps$ForEachOp.evaluateSequential (ForEachOps.java:150)
at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential (ForEachOps.java:173)
at java.util.stream.AbstractPipeline.evaluate (AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.forEach (ReferencePipeline.java:596)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$requestReports$3 (OssIndexAnalyzer.java:225)
at java.util.Spliterators$ArraySpliterator.forEachRemaining (Spliterators.java:992)
at java.util.stream.ReferencePipeline$Head.forEach (ReferencePipeline.java:762)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.requestReports (OssIndexAnalyzer.java:221)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:136)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run (FutureTask.java:264)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1136)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:635)
at java.lang.Thread.run (Thread.java:840)
Full log: https://github.com/acanda/code-analysis-maven-plugin/actions/runs/9236637535/job/25412701360?pr=289
To Reproduce
Steps to reproduce the behavior:
- Clone https://github.com/acanda/code-analysis-maven-plugin
- Check out the branch renovate/org.owasp-dependency-check-maven-9.x
- Set the environment variable NVD_API_KEY to your NVD API key
- Run ./mvnw dependency-check:check
- See error
Expected behavior
The dependency check should not throw an AnalysisException and should finish the dependency check successfully.