
updating from 11.1.0 -> 11.1.1 results in "Could not connect to Central search. Analysis failed." #7234

Closed
dkrowl opened this issue Dec 9, 2024 · 9 comments

dkrowl commented Dec 9, 2024

I'm using the gradle plugin.
With 11.1.0 the plugin performs without errors but with 11.1.1 I get this error:

Could not connect to Central search. Analysis failed.
java.io.IOException: Finally failed connecting to Central search. Giving up after 7 tries.
	at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts(CentralAnalyzer.java:362)
	at org.owasp.dependencycheck.analyzer.CentralAnalyzer.analyzeDependency(CentralAnalyzer.java:228)
	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.net.UnknownHostException: search.maven.org: Temporary failure in name resolution
	at java.base/java.net.Inet6AddressImpl.lookupAllHostAddr(Native Method)
	at java.base/java.net.InetAddress$PlatformNameService.lookupAllHostAddr(InetAddress.java:934)
	at java.base/java.net.InetAddress.getAddressesFromNameService(InetAddress.java:1543)
	at java.base/java.net.InetAddress$NameServiceAddresses.get(InetAddress.java:852)
	at java.base/java.net.InetAddress.getAllByName0(InetAddress.java:1533)
	at java.base/java.net.InetAddress.getAllByName(InetAddress.java:1306)
	at org.apache.hc.client5.http.SystemDefaultDnsResolver.resolve(SystemDefaultDnsResolver.java:48)
	at org.apache.hc.client5.http.impl.io.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:169)
	at org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:490)
	at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:164)
	at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:174)
	at org.apache.hc.client5.http.impl.classic.ConnectExec.execute(ConnectExec.java:144)
	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
	at org.apache.hc.client5.http.impl.classic.ProtocolExec.execute(ProtocolExec.java:192)
	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
	at org.apache.hc.client5.http.impl.classic.ContentCompressionExec.execute(ContentCompressionExec.java:150)
	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
	at org.apache.hc.client5.http.impl.classic.HttpRequestRetryExec.execute(HttpRequestRetryExec.java:113)
	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
	at org.apache.hc.client5.http.impl.classic.RedirectExec.execute(RedirectExec.java:110)
	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
	at org.apache.hc.client5.http.impl.classic.InternalHttpClient.doExecute(InternalHttpClient.java:174)
	at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:245)
	at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:188)
	at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:162)
	at org.owasp.dependencycheck.utils.Downloader.fetchAndHandle(Downloader.java:601)
	at org.owasp.dependencycheck.data.central.CentralSearch.searchSha1(CentralSearch.java:179)
	at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts(CentralAnalyzer.java:3[39]
	... 8 more

I can revert back to 11.1.0 and the errors disappear.
I can also set centralEnabled to false, but then the summary in the final report is empty, though the scan information seems to be correct.
I'm behind a proxy, BUT before this there hasn't been a need to define proxy information (NVD data comes from an internal address etc.). I guess this is the problem now?

What has possibly changed between the 11.1.0 -> 11.1.1 versions that causes this?

@dkrowl dkrowl added the question label Dec 9, 2024
@madduci

madduci commented Dec 9, 2024

Hi,

I don't know if it might be related, but for 11.1.0 I have the following error:

[screenshot attached in the original comment]

@jeremylong
Owner

Central search is currently down: https://status.maven.org/

Previously, the gradle plugin did not rely on Central by default. FP/FN were identified because of differences between Maven and Gradle so we decided to re-enable the central search capability by default in the gradle plugin. If using the latest you can disable the central analyzer.

@dkrowl
Author

dkrowl commented Dec 9, 2024

Thanks, I tried with centralEnabled=false and it seems to populate the summary correctly after all.
I couldn't find a mention of this change in the changelog and the documentation isn't up to date.

@Zuplyx

Zuplyx commented Dec 9, 2024

@jeremylong I feel like this situation could be handled better by DependencyCheck.

Currently it tries to search Central for every dependency until it eventually gives up after 7 tries. This causes builds with many dependencies to hang for a long time. In our case this took over an hour.

I feel a better approach would be to either automatically disable the Central Search or completely fail the analysis after a certain amount of failed searches.

@jeremylong
Owner

@dkrowl - the gradle plugin is not maintained in this repo. You can see the change documented in the release notes here: https://github.com/dependency-check/dependency-check-gradle/releases/tag/v11.1.1

@jeremylong
Owner

@Zuplyx good idea, that approach could likely be used for a few other external connections. Possibly even looking at status codes instead of just the number of failed attempts. We accept PRs if you've got time.

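The approach discussed in the two comments above (stop consulting Central after a run of failed searches, and look at status codes rather than only counting attempts), sketched as an added example that is not dependency-check or gradle-plugin code. The class, method names and the always-failing sample resolver are constructed; DNS/connect errors, 429 and 5xx are treated as outage signals, while a 404 ("not in Central") counts as a normal answer.

```java
import java.util.List;
import java.util.function.ToIntFunction;
import java.util.stream.Collectors;
import java.util.stream.IntStream;

/** Hypothetical gate: trips after N consecutive outage-like failures so the remaining
 *  dependencies skip Central instead of each retrying 7 times against a host that is down. */
public final class CentralSearchGate {
    private final int maxConsecutiveFailures;
    private int consecutiveFailures = 0;
    private boolean centralAvailable = true;

    public CentralSearchGate(int maxConsecutiveFailures) {
        this.maxConsecutiveFailures = maxConsecutiveFailures;
    }

    public boolean isCentralAvailable() { return centralAvailable; }

    /** Classify one lookup result; status < 0 stands for a transport error (DNS, connect, timeout). */
    public synchronized void record(int status) {
        boolean outage = status < 0 || status == 429 || status >= 500;
        if (!outage) {                 // 2xx, or 404 "not in Central": the service answered
            consecutiveFailures = 0;
            return;
        }
        if (++consecutiveFailures >= maxConsecutiveFailures) {
            centralAvailable = false;  // trip: stop consulting Central for the rest of this run
        }
    }

    /** Sends one lookup per SHA-1 while the gate is open; returns how many were actually sent. */
    public int analyze(List<String> sha1s, ToIntFunction<String> lookup) {
        int sent = 0;
        for (String sha1 : sha1s) {
            if (!centralAvailable) break;   // remaining deps get "Central unavailable", no retries
            sent++;
            record(lookup.applyAsInt(sha1));
        }
        return sent;
    }

    public static void main(String[] args) {
        // Constructed sample: 200 dependencies and a resolver that always fails (search.maven.org unresolvable)
        List<String> deps = IntStream.range(0, 200).mapToObj(i -> "sha1-" + i).collect(Collectors.toList());
        CentralSearchGate gate = new CentralSearchGate(3);
        int sent = gate.analyze(deps, sha1 -> -1);
        System.out.println("lookups sent before giving up on Central: " + sent);   // 3 instead of 200 x 7
        System.out.println("central still available: " + gate.isCentralAvailable()); // false
    }
}
```
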
@weihan1394
Hi @jeremylong, we are encountering the issue too. What is the impact if we set centralEnabled=false?

@jeremylong
Owner

You could end up with false negatives (i.e. unreported issues). See dependency-check/dependency-check-gradle#421

@jeremylong
Owner

Duplicate of #7232
