From 760b65b360398da7c0e5ca6ce1b9b1377dfdee70 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Thu, 12 Jan 2023 06:43:15 -0500
Subject: [PATCH 1/2] fix: disable OSS Index Analyzer if rate limit exceeded

- disable OSS Index Analyzer to prevent hundreds of exceptions in report
- update documentation for the OSS Index Analyzer
---
 .../org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java | 5 +++--
 .../dependency-check-gradle/configuration-aggregate.md | 1 +
 src/site/markdown/dependency-check-gradle/configuration.md | 1 +
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
index 4d9eec3f7b5..12d566b036e 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
@@ -141,10 +141,11 @@ protected void analyzeDependency(final Dependency dependency, final Engine engin
 } else if (StringUtils.endsWith(message, "403")) {
 throw new AnalysisException("OSS Index access forbidden", ex);
 } else if (StringUtils.endsWith(message, "429")) {
+ this.setEnabled(false);
 if (warnOnly) {
- LOG.warn("OSS Index rate limit exceeded", ex);
+ LOG.warn("OSS Index rate limit exceeded, disabling the analyzer", ex);
 } else {
- throw new AnalysisException("OSS Index rate limit exceeded", ex);
+ throw new AnalysisException("OSS Index rate limit exceeded, disabling the analyzer", ex);
 }
 } else if (warnOnly) {
 LOG.warn("Error requesting component reports", ex);
diff --git a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md
index 25611dc79ab..ec844e8c035 100644
--- a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md
+++ b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md
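Review bot: The added `this.setEnabled(false);` in the 429 branch turns a transient rate limit into a permanent loss of OSS Index coverage for every dependency analyzed after the first 429, and in warn-only mode the only trace of that is one WARN line, so the final report will show no OSS Index findings for those dependencies and can be misread as "nothing known". A 429 is by definition recoverable; if the transport layer exposes the response headers (not visible here, please verify), honoring Retry-After with a bounded back-off before giving up would preserve coverage. Short of that, the warning should state the consequence explicitly, e.g. `LOG.warn("OSS Index rate limit exceeded; disabling the analyzer, remaining dependencies will not be checked against OSS Index", ex);`. The enclosing analyzeDependency method starts and ends outside this hunk.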
@@ -177,6 +177,7 @@ retirejs | filters | Configures the list of regular expessions
 ossIndex | enabled | Sets whether [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be used. This analyzer requires an internet connection. | true
 ossIndex | username | The optional user name to connect to Sonatype's OSS Index. |  
 ossIndex | password | The password or API token to connect to Sonatype's OSS Index. |  
+ossIndex | warnOnlyOnRemoteErrors| Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution. | false
 slack | enabled | Whether or not slack notifications are enabled. | false
 slack | webhookUrl | The custom incoming webhook URL to receive notifications. |  
diff --git a/src/site/markdown/dependency-check-gradle/configuration.md b/src/site/markdown/dependency-check-gradle/configuration.md
index 12a787164a6..edc54914878 100644
--- a/src/site/markdown/dependency-check-gradle/configuration.md
+++ b/src/site/markdown/dependency-check-gradle/configuration.md
@@ -162,6 +162,7 @@ retirejs | filters | Configures the list of regular expessions
 ossIndex | enabled | Sets whether Sonatype's [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be used. This analyzer requires an internet connection. | true
 ossIndex | username | The optional user name to connect to Sonatype's OSS Index. |  
 ossIndex | password | The optional passwod or API token to connect to Sonatype's OSS Index, |  
+ossIndex | warnOnlyOnRemoteErrors| Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution. | false
 slack | enabled | Whether or not slack notifications are enabled. | false
 slack | webhookUrl | The custom incoming webhook URL to receive notifications. |  
 hostedSuppressions | enabled | The number of hours to wait before checking for new updates of the hosted suppressions file . | 2 
From b27fdd132244a8b03fe301685d4ff61468d10210 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sat, 14 Jan 2023 06:26:25 -0500
Subject: [PATCH 2/2] fix: disable oss index analyzer when transport errors occur

---
 .../owasp/dependencycheck/analyzer/OssIndexAnalyzer.java | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
index 12d566b036e..1e7d1fa2c91 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
@@ -135,22 +135,23 @@ protected void analyzeDependency(final Dependency dependency, final Engine engin
 } catch (TransportException ex) {
 final String message = ex.getMessage();
 final boolean warnOnly = getSettings().getBoolean(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, false);
-
+ this.setEnabled(false);
 if (StringUtils.endsWith(message, "401")) {
+ LOG.error("Invalid credentials for the OSS Index, disabling the analyzer");
 throw new AnalysisException("Invalid credentials provided for OSS Index", ex);
 } else if (StringUtils.endsWith(message, "403")) {
+ LOG.error("OSS Index access forbidden, disabling the analyzer");
 throw new AnalysisException("OSS Index access forbidden", ex);
 } else if (StringUtils.endsWith(message, "429")) {
- this.setEnabled(false);
 if (warnOnly) {
 LOG.warn("OSS Index rate limit exceeded, disabling the analyzer", ex);
 } else {
 throw new AnalysisException("OSS Index rate limit exceeded, disabling the analyzer", ex);
 }
 } else if (warnOnly) {
- LOG.warn("Error requesting component reports", ex);
+ LOG.warn("Error requesting component reports, disabling the analyzer", ex);
 } else {
- LOG.debug("Error requesting component reports, disabling the analyzer", ex);
+ LOG.debug("Error requesting component reports, disabling the analyzer", ex);
 throw new AnalysisException("Failed to request component-reports", ex);
 }
 } catch (Exception e) {
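Review bot: Moving `this.setEnabled(false);` above the status-code dispatch means any single TransportException, including one timeout or one 5xx on one dependency, permanently switches off the OSS Index source for the rest of the scan; combined with `warnOnlyOnRemoteErrors=true` the run completes with a WARN in the log and a report that lists no OSS Index vulnerabilities for every later dependency, which a consumer will read as clean. Terminal conditions (401, 403, and arguably 429) justify disabling immediately, but for the generic branch a small failure threshold, or at least a message that names the coverage loss, would be safer: `LOG.warn("Error requesting component reports; disabling the OSS Index analyzer, remaining dependencies will not be checked", ex);`. The new `LOG.error(...)` calls on 401/403 omit `ex` and duplicate the AnalysisException thrown on the next line, which will be reported again by the caller, so either drop them or pass `ex` and keep a single message. If analyzeDependency can run concurrently for different dependencies (not visible here), note that in-flight calls will still hit the service after the flag is cleared, and the enabled flag's visibility across threads should be verified. The enclosing analyzeDependency method starts and ends outside this hunk.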