Add username&password to the hostedSuppressions #5569

Closed
yonyes opened this issue Mar 20, 2023 · 1 comment

yonyes commented Mar 20, 2023

Is your feature request related to a problem? Please describe.
With the latest versions of the Gradle plugin (8+), it attempts to retrieve data from https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml. Without storing its certificate on our machine, we are unable to access this site directly. Sadly, its certificate is updated almost every day, and we cannot do this process on every machine every day, so we are stuck.

The file above can be added to our internal Artifactory every day. By using hostedSuppressions, everyone will be able to access it. However, in our Artifactory, there are usernames and API tokens/passwords, and the current hostedSuppressions configuration doesn't provide anything besides the URL.

Describe the solution you'd like
Add username and API token/password to the hostedSuppressions.

Describe alternatives you've considered
I don't have any.

Additional context
In the case that you try to run the plugin without making any changes, you will receive these errors (which are indicative of a missing certificate):

    Error downloading file https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml; unable to connect.
    .
    .
    .
    javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    .
    .
    .
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    .
    .
    .
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

In the case that you try to run the plugin with our Artifactory URL,

    analyzers {
        hostedSuppressions {
            url = "https://*****.jfrog.io/artifactory/******/owasp/publishedSuppressions.xml"
        }
        assemblyEnabled = false
    }

you will receive these errors (which are indicative of a missing username&password):

    Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error retrieving https://*****.jfrog.io/artifactory/******/owasp/publishedSuppressions.xml; received response code 401; null

Collaborator

aikebah commented Mar 22, 2023

Duplicate of #5387

aikebah marked this as a duplicate of #5387 Mar 22, 2023
aikebah closed this as not planned Mar 22, 2023
github-actions bot locked as resolved and limited conversation to collaborators Dec 21, 2024