
fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter #5845

Merged: aikebah merged 2 commits into dependency-check:main from frozenSolid:ossindex-socket-timeout on Jul 29, 2023

@frozenSolid
Contributor

Fixes Issue

When OSS Index is down and not responding on its TCP socket, a SocketTimeoutException is thrown by the analyzer regardless of the ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS setting.
I encountered this issue this morning in 8.3.1:

exception: org.owasp.dependencycheck.analyzer.exception.AnalysisException: Failed to request component-reports
org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:159)
org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
java.base/java.lang.Thread.run(Thread.java:833)

Read timed out
cause: java.net.SocketTimeoutException: Read timed out
java.base/sun.nio.ch.NioSocketImpl.timedRead(NioSocketImpl.java:283)
java.base/sun.nio.ch.NioSocketImpl.implRead(NioSocketImpl.java:309)
java.base/sun.nio.ch.NioSocketImpl.read(NioSocketImpl.java:350)
java.base/sun.nio.ch.NioSocketImpl$1.read(NioSocketImpl.java:803)
java.base/java.net.Socket$SocketInputStream.read(Socket.java:976)
java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:484)
java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:478)
java.base/sun.security.ssl.SSLSocketInputRecord.bytesInCompletePacket(SSLSocketInputRecord.java:70)
java.base/sun.security.ssl.SSLSocketImpl.readApplicationRecord(SSLSocketImpl.java:1465)
java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1069)
java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:244)
java.base/java.io.BufferedInputStream.read1(BufferedInputStream.java:284)
java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:343)
java.base/sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:824)
java.base/sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:759)
java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1691)
java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1592)
java.base/java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:529)
java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:308)
org.sonatype.ossindex.service.client.transport.HttpUrlConnectionTransport.post(HttpUrlConnectionTransport.java:95)
org.sonatype.ossindex.service.client.internal.OssindexClientImpl.doRequestComponentReports(OssindexClientImpl.java:204)
org.sonatype.ossindex.service.client.internal.OssindexClientImpl.requestComponentReports(OssindexClientImpl.java:170)
org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.requestReports(OssIndexAnalyzer.java:219)
org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:134)
org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
java.base/java.lang.Thread.run(Thread.java:833)

Description of Change

This PR will use the ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS to determine whether an error or warning should be returned in the event of OSS Index causing a SocketTimeoutException to be raised.

Have test cases been added to cover the new functionality?

yes

Thanks for all of your awesome work on Dependency check!
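
The behaviour described in the post above, as an added example that is not part of the original post and is not dependency-check's own code: a read timeout from the remote service either aborts the analysis or is downgraded to a warning, depending on a warn-only flag. All class and method names here are hypothetical stand-ins; the disable-on-warning step is modelled on the `this.setEnabled(false);` line quoted in the review further down.

```java
import java.net.SocketTimeoutException;

// Added illustration; every type below is a hypothetical stand-in.
public class WarnOnlyTimeoutDemo {

    /** Stand-in for the exception that aborts a scan. */
    static class AnalysisException extends Exception {
        AnalysisException(String msg, Throwable cause) { super(msg, cause); }
    }

    /** Stand-in for the remote client call that can time out. */
    interface ReportClient { void requestReports() throws SocketTimeoutException; }

    static class RemoteAnalyzer {
        private final ReportClient client;
        private final boolean warnOnlyOnRemoteErrors; // assumed to mirror the warn-only setting
        private boolean enabled = true;

        RemoteAnalyzer(ReportClient client, boolean warnOnlyOnRemoteErrors) {
            this.client = client;
            this.warnOnlyOnRemoteErrors = warnOnlyOnRemoteErrors;
        }

        boolean isEnabled() { return enabled; }

        void analyze() throws AnalysisException {
            if (!enabled) return; // already disabled after an earlier timeout
            try {
                client.requestReports();
            } catch (SocketTimeoutException e) {
                if (!warnOnlyOnRemoteErrors) {
                    throw new AnalysisException("Failed to request component-reports", e);
                }
                System.err.println("WARN: remote source timed out, disabling analyzer: " + e.getMessage());
                enabled = false; // later dependencies do not wait on the dead service again
            }
        }
    }

    public static void main(String[] args) {
        // Constructed failure: the service never answers, so every read times out.
        ReportClient down = () -> { throw new SocketTimeoutException("Read timed out"); };
        for (boolean warnOnly : new boolean[] {true, false}) {
            RemoteAnalyzer analyzer = new RemoteAnalyzer(down, warnOnly);
            try {
                analyzer.analyze();
                System.out.println("warnOnly=" + warnOnly + ": scan continues, enabled=" + analyzer.isEnabled());
            } catch (AnalysisException e) {
                System.out.println("warnOnly=" + warnOnly + ": scan fails, cause=" + e.getCause());
            }
        }
    }
}
```

With the warn-only path the scan completes without results from the remote source, so the warning is the only record that the report is missing that data.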

OSS Index sockettimeout handling
@boring-cyborg boring-cyborg Bot added core changes to core tests test cases labels Jul 27, 2023
@frozenSolid frozenSolid changed the title OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter Jul 27, 2023
@frozenSolid
Contributor Author

added fix: prefix to PR title 👍

@aikebah aikebah changed the title fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter Jul 28, 2023
@aikebah
Collaborator

aikebah commented Jul 28, 2023

> added fix: prefix to PR title 👍

make sure to not add a leading space in the process next time ;)

@aikebah aikebah added this to the 8.3.2 milestone Jul 28, 2023
this.setEnabled(false);
Collaborator

@aikebah aikebah left a comment

Thanks for the PR

@aikebah aikebah merged commit 3147d91 into dependency-check:main Jul 29, 2023
@github-actions github-actions Bot locked as resolved and limited conversation to collaborators Dec 13, 2024