Describe the bug
Dependency Check fails with a 400 error when requesting something from the Sonatype OSS Index, leading to fewer CVEs found in the report and warnings in the job log like An error occurred while analyzing requirements.txt (Sonatype OSS Index Analyzer).
Version of dependency-check used
The problem occurs using version 9.2.0 of the CLI -- both docker and brew packaging
Log file
https://gist.github.com/francisATgwn/ece673ba589b75110a3aeecc9354708e
To Reproduce
Steps to reproduce the behavior:
- Use dependency check CLI with this CLI invocation
$ /usr/share/dependency-check/bin/dependency-check.sh --dbDriverName org.postgresql.Driver --connectionString "$DEPENDENCY_CHECK_CONNECTION" --dbUser "$DEPENDENCY_CHECK_USER" --dbPassword "$DEPENDENCY_CHECK_PASSWORD" --nvdApiKey "$NIST_NVD_API_KEY" --project $CI_PROJECT_NAME --out . --scan . --enableExperimental --format JUNIT --junitFailOnCVSS 4 --format HTML --failOnCVSS 4 --nodeAuditSkipDevDependencies $( [[ -e dependency-check-suppression.xml ]] && echo '--suppression dependency-check-suppression.xml' || echo '' )
Expected behavior
- CVEs from Sonatype OSS Index are included in the report
- [WARN] An error occurred while analyzing '...' (Sonatype OSS Index Analyzer). does not appear in the log
- no HTTP 400 resulting in org.owasp.dependencycheck.analyzer.exception.AnalysisException: Failed to request component-reports appearing in the Analysis Exceptions section of the HTML report
Additional context
This does not happen when run with the 8.4.3 docker image from the same environment on the same project at the same time.
The 8.4.3 CLI invocation is similar to the 9.2.0 invocation:
$ /usr/share/dependency-check/bin/dependency-check.sh --project $CI_PROJECT_NAME --out . --scan . --enableExperimental --format JUNIT --junitFailOnCVSS 4 --format HTML --failOnCVSS 4 --nodeAuditSkipDevDependencies --data dependency-check-data $( [[ -e dependency-check-suppression.xml ]] && echo '--suppression dependency-check-suppression.xml' || echo '' )
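The failure mode described in this report is dangerous for a CI gate because the job still succeeds: the analyzer logs a warning, the OSS Index findings are silently missing, and --failOnCVSS never fires. The following added example (not code from the dependency-check project or from the issue reporter) scans a job log for the two messages quoted above and returns non-zero when either appears, so a pipeline can fail on an incomplete report. The function names, the temporary file and the sample log lines are constructed for the example; the only strings taken from the page are the two message fragments.

```shell
#!/usr/bin/env bash
# Added example: detect a degraded Sonatype OSS Index analysis in a dependency-check
# job log. Not part of dependency-check; all names below are this example's own.

# Fixed-string fragments copied verbatim from the messages quoted in the issue.
OSSINDEX_WARN='An error occurred while analyzing'
OSSINDEX_EXC='Failed to request component-reports'

# Print the number of OSS Index failure lines found in a log file.
# Returns 0 only when the count is 0, so it can be used directly as a CI gate.
count_ossindex_failures() {
    local logfile="$1"
    local n
    # grep -c prints 0 and exits 1 when nothing matches; "|| true" keeps set -e quiet.
    n=$(grep -c -F -e "$OSSINDEX_WARN" -e "$OSSINDEX_EXC" "$logfile" || true)
    printf '%s\n' "$n"
    [ "$n" -eq 0 ]
}

# List the manifests the analyzer gave up on: the quoted name between
# "analyzing '" and "'" in each warning line, de-duplicated and sorted.
failed_manifests() {
    local logfile="$1"
    grep -F "$OSSINDEX_WARN" "$logfile" \
        | sed -n "s/.*analyzing '\([^']*\)'.*/\1/p" \
        | sort -u
}

# Constructed sample log (not a real job log) exercising both message shapes.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[INFO] Analysis Started
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[WARN] An error occurred while analyzing 'requirements.txt' (Sonatype OSS Index Analyzer).
org.owasp.dependencycheck.analyzer.exception.AnalysisException: Failed to request component-reports
[WARN] An error occurred while analyzing 'package-lock.json' (Sonatype OSS Index Analyzer).
[INFO] Finished Sonatype OSS Index Analyzer (2 seconds)
[INFO] Analysis Complete
EOF

# Typical CI usage: run dependency-check, tee its output to a file, then gate on it.
if count_ossindex_failures "$SAMPLE_LOG" >/dev/null; then
    echo "OSS Index analyzer ran cleanly"
else
    echo "OSS Index analyzer failed for: $(failed_manifests "$SAMPLE_LOG" | tr '\n' ' ')" >&2
fi
```

In a real pipeline, replace SAMPLE_LOG with the file the dependency-check invocation was tee'd into and put `count_ossindex_failures "$LOG" >/dev/null || exit 1` after the scan step; that turns the silent drop in CVE coverage into a visible job failure until the upstream 400 is resolved.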