-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ODC container fails to connect to "central" #6994
Comments
Same error for us. Since the last time this worked, we haven't made any changes to my knowledge. The error appeared this morning |
I think this may be an issue on central itself, but I wouldn't be putting my hand in the fire for that. I just did a basic GET on the URI https://search.maven.org/solrsearch/select and it took a good 15 seconds to get an actual response (400) after the TLS was established... |
I think I hit the bulleye; https://status.maven.org/ |
That's right. Already spotted the status-mail flood in my mailbox. |
I've noticed the instability of the "legacy search" has been going around for ~ 2 weeks or so (i.e. CI jobs keeps failing on timeouts)... is that maven central service something the dependency checker cannot work without? (i.e. it is the "source of truth" same as NVD API for some required information) According to Maven Centrals FAQ the "legacy search API" is not in EoL (although the information related to future improvement plans seems to be few years old) and it seems to be the only available API to use the search functionality (or at least I couldn't find any alternatives from their documentation) -> there's probably no better working alternatives to use as the data source 🤔. p.s. I think that OWASP dependency checker is a great tool. Thank you for all the effort. 💚 |
@finnlander The importance of central search (CentralAnalyzer) varies depending on the exact usecase. In case of maven/gradle plugin most of the time maven coordinates of dependencies will be known. (though in case of jar/war packaged inside an ear/war dependency you might still need it for a clean match to the maven artifact coordinates). When using the CLI (as in the case of the docker container) the analyzer is, for Maven Central hosted libraries, often key in being able to reliably link the corresponding maven coordinates (central analyzer uses the hash of the library to discover hash-matching artifacts in Maven Central). Having properly identified maven G/A/V coordinates for jar artifacts helps to build a proper package-url so that the OSSINDEX can also be consulted for known vulnerabilities. If your CI environment is using a Nexus repository manager as a caching proxy between your CI and Maven Central you should be able to swap out the central analyzer for the Nexus analyzer. If your projects do not have dependencies on maven-central hosted libraries it can be disabled without any effect, as the hash-searches would not surface any match. |
@aikebah , Would your suggestion for the Nexus repository hold true for Artifactory as well ? As we're having many issues right now with it, it would also reduce the load on them... |
@elafontaine Yes, it holds true for Artifactory/ArtifactoryAnalyzer in case your use of Artifactory includes using it as a caching proxy for artifacts that are hosted on Maven Central. |
@aikebah I was able to get time on this, and I still see the central analyzer being used. What exactly should I be doing ? 1- Disable the central analyzer and enable artifactory (I don't think that's the right option) One of the reason I'm pretty sure it's going upstream is because the artifactory repo is taking 6s while the central analyser is still taking 206s on execution... I may be wrong though... not sure how to enable debug logs... |
@elafontaine If your artifactory is also mirroring central then I would expect option 1) be the right one (no need to also search central for a sha1 match) Based on the current status page of Maven it looks like they did not (yet?) acknowledge the outage that gave you a 504 result. |
I tried option 1 and this is the output ;
Could it be that there is another issue with Artifactory analyzer ? |
I ran the checks with and without the central analyzer and the results are differents. With the central analyzer, I do not get the message above, so I don't know what isn't working as we do mirror on artifactory. My guess is that we should probably be polling the pom.xml from upstream when building, but it may not be happening (security concerns there). I tested both unauthenticated and authenticated on artifactory as well. At this point, the result is richer with maven central and the output is not throwing lines (see above). I'll keep on using central, but if you figure out why the difference happen, I would love to know and possibly update our side. |
Describe the bug
Since the last update, our jobs have been failing to execute the "Central Analyzer" ;
Version of dependency-check used
latest
Log file
To Reproduce
Steps to reproduce the behavior:
target
/usr/share/dependency-check/bin/dependency-check.sh --failOnCVSS 5 --noupdate --out "target" --scan 'target/**/*.jar' ${SUPPRESSION_FILE_PATH:+--suppression "$SUPPRESSION_FILE_PATH"}
Expected behavior
No error OR errors because of vulnerabilities found in the jars.
Additional context
This is ran in a pipeline with internet access, so the error makes no sense to me... I will try to confirm the direct connectivity to the default URI ;
The text was updated successfully, but these errors were encountered: