New SAXParseException in DependencyCheck v3.3.0 #1400

Closed
msymons opened this issue Jul 25, 2018 · 8 comments

msymons commented Jul 25, 2018

Dependency-Check CLI v3.3.0 is generating a SAXParseException that did not occur with v3.2.1 (at least based on usage in Dependency-Check Jenkins plugin).

I am not a developer but I am wondering if this is a regression introduced by (v3.3.0) fix for #1016.

From Dependency-Check CLI log:

DEBUG - Begin Analysis of '/xxx/workspace/Archetype-Maven/zzz-dropwizard-swagger-archetype/target/dependency/plexus-utils-3.0.24.jar' (Jar Analyzer)
2018-07-25 10:11:38,447 org.owasp.dependencycheck.xml.pom.PomParser:97
DEBUG - 
org.xml.sax.SAXParseException: Content is not allowed in prolog.
	at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1239)
	at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
	at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:94)
	at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:66)
	at org.owasp.dependencycheck.xml.pom.PomUtils.readPom(PomUtils.java:62)
	at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzePOM(JarAnalyzer.java:371)
	at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzeDependency(JarAnalyzer.java:273)
	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:136)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
2018-07-25 10:11:38,448 org.owasp.dependencycheck.xml.pom.PomParser:68
DEBUG - 
org.owasp.dependencycheck.xml.pom.PomParseException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; Content is not allowed in prolog.
	at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:98)
	at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:66)
	at org.owasp.dependencycheck.xml.pom.PomUtils.readPom(PomUtils.java:62)
	at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzePOM(JarAnalyzer.java:371)
	at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzeDependency(JarAnalyzer.java:273)
	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:136)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
Caused by: org.xml.sax.SAXParseException: Content is not allowed in prolog.
	at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1239)
	at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
	at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:94)
	... 11 common frames omitted
2018-07-25 10:11:38,449 org.owasp.dependencycheck.xml.pom.PomUtils:70
WARN  - Unable to parse pom '/tmp/dctemp089467e9-a524-4207-8118-f5ce57235205/check3518320037875470105tmp/30/pom.xml'
2018-07-25 10:11:38,450 org.owasp.dependencycheck.xml.pom.PomUtils:81
DEBUG - 
org.owasp.dependencycheck.xml.pom.PomParseException: Unable to parse pom '/tmp/dctemp089467e9-a524-4207-8118-f5ce57235205/check3518320037875470105tmp/30/pom.xml'
	at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:69)
	at org.owasp.dependencycheck.xml.pom.PomUtils.readPom(PomUtils.java:62)
	at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzePOM(JarAnalyzer.java:371)
	at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzeDependency(JarAnalyzer.java:273)
	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:136)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
Caused by: org.owasp.dependencycheck.xml.pom.PomParseException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; Content is not allowed in prolog.
	at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:98)
	at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:66)
	... 10 common frames omitted
Caused by: org.xml.sax.SAXParseException: Content is not allowed in prolog.
	at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1239)
	at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
	at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:94)
	... 11 common frames omitted
2018-07-25 10:11:38,451 org.owasp.dependencycheck.AnalysisTask:90

I can attach a full log if need be.

Two problem POMs are:

<dependency>
    <groupId>org.codehaus.plexus</groupId>
    <artifactId>plexus-utils</artifactId>
    <version>3.0.24</version>
</dependency>

and:

<dependency>
    <groupId>javax.mail</groupId>
    <artifactId>mailapi</artifactId>
    <version>1.4.3</version>
</dependency>

Both POM files include a copyright statement as a comment at the start... not sure if that is the problem. See:

http://central.maven.org/maven2/org/codehaus/plexus/plexus-utils/3.0.24/plexus-utils-3.0.24.pom
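
A triage sketch for the question raised in the report above (an added example, not part of the original issue and not DependencyCheck's code): it lists the POMs embedded under META-INF/maven/ in a jar, names what each one starts with, and parses it with Python's SAX parser with external entities disabled. The jar contents, entry names and function names are constructed for illustration, and Python's expat-based parser words its errors differently from the Xerces message in the log.

```python
import io
import xml.sax
import xml.sax.handler
import zipfile

MAX_POM_BYTES = 1 << 20  # skip entries whose declared size is larger than this

def prolog_kind(data):
    """Name what the file starts with, i.e. what a parser meets at line 1, column 1."""
    bom = ""
    if data.startswith(b"\xef\xbb\xbf"):
        bom, data = "utf8-bom+", data[3:]
    body = data.lstrip(b" \t\r\n")
    if body[:5] == b"<?xml" and body[5:6].isspace():
        # An XML declaration is only legal as the very first bytes of the file.
        kind = "xml-declaration" if body == data else "misplaced-xml-declaration"
    elif body.startswith(b"<!--"):
        kind = "comment"  # comments are legal in the prolog
    elif body.startswith(b"<!DOCTYPE"):
        kind = "doctype"
    elif body.startswith(b"<"):
        kind = "element"
    else:
        kind = "non-markup-content"  # text before any markup is not well-formed
    return bom + kind

def sax_error(data):
    """Parse with external entities off; return 'line:col: message' or None."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setContentHandler(xml.sax.handler.ContentHandler())
    try:
        parser.parse(io.BytesIO(data))
    except xml.sax.SAXParseException as exc:
        return f"{exc.getLineNumber()}:{exc.getColumnNumber()}: {exc.getMessage()}"
    return None

def scan_jar(jar):
    """Return (entry name, prolog kind, SAX error or None) for each embedded POM."""
    rows = []
    with zipfile.ZipFile(jar) as zf:
        for info in sorted(zf.infolist(), key=lambda i: i.filename):
            name = info.filename
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.xml")):
                continue
            if info.file_size > MAX_POM_BYTES:
                rows.append((name, "skipped-too-large", None))
                continue
            data = zf.read(info)
            rows.append((name, prolog_kind(data), sax_error(data)))
    return rows

def build_sample_jar():
    """Constructed in-memory jar with three embedded POMs (not taken from the issue)."""
    poms = {
        "commented": b"<!--\n  Copyright notice (constructed)\n-->\n<project/>",
        "declared": b'<?xml version="1.0" encoding="UTF-8"?>\n<project/>',
        "stray": b"stray text\n<project/>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for artifact, body in poms.items():
            zf.writestr(f"META-INF/maven/example/{artifact}/pom.xml", body)
    buf.seek(0)
    return buf
```

`scan_jar` also accepts a path to a jar on disk; for the constructed jar only the entry that starts with plain text fails to parse, while the one that opens with a comment parses cleanly.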


msymons commented Jul 25, 2018

For completeness, this is what the console output looks like for the jenkins plugin v3.3.0:

One or more exceptions were thrown while executing Dependency-Check
--
Exception Caught: org.owasp.dependencycheck.analyzer.exception.AnalysisException
Cause: Unable to parse pom '/tmp/dctemp56a96ec0-473b-4d08-89f6-9de24dfd1197/check8722691584186160247tmp/1254/pom.xml'
Message: org.owasp.dependencycheck.xml.pom.PomParseException: Unable to parse pom '/tmp/dctemp56a96ec0-473b-4d08-89f6-9de24dfd1197/check8722691584186160247tmp/1254/pom.xml'
org.owasp.dependencycheck.analyzer.exception.AnalysisException: org.owasp.dependencycheck.xml.pom.PomParseException: Unable to parse pom '/tmp/dctemp56a96ec0-473b-4d08-89f6-9de24dfd1197/check8722691584186160247tmp/1254/pom.xml'
at org.owasp.dependencycheck.xml.pom.PomUtils.readPom(PomUtils.java:82)
at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzePOM(JarAnalyzer.java:371)
at org.owasp.dependencycheck.analyzer.JarAnalyzer.analyzeDependency(JarAnalyzer.java:273)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:136)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.owasp.dependencycheck.xml.pom.PomParseException: Unable to parse pom '/tmp/dctemp56a96ec0-473b-4d08-89f6-9de24dfd1197/check8722691584186160247tmp/1254/pom.xml'
at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:69)
at org.owasp.dependencycheck.xml.pom.PomUtils.readPom(PomUtils.java:62)
... 9 more

@tonybaines

I have similar stacktraces for a different POM in 3.3.0, resolved by falling back to 3.2.1

@jeremylong jeremylong added the bug label Jul 30, 2018
@jeremylong
Owner

So I am having problems reproducing this bug. Any chance you can run:

mvn org.owasp:dependency-check-maven:3.3.0:check -X

Then provide the log output?


tonybaines commented Jul 31, 2018

I'm using Gradle (4.9) as a build tool

This build.gradle reproduces the issue I'm seeing

plugins {
    id 'org.owasp.dependencycheck' version '3.3.0'
}

apply plugin: 'java'

repositories {
    jcenter()
}

dependencies {
    compile 'io.swagger:swagger-codegen-cli:2.3.1'
}

$ gradle dependencyCheckAnalyze --stacktrace

Which produces this (no stack trace for the 'Content is not allowed in prolog.' which actually appears on stderr)

> Task :dependencyCheckAnalyze
Verifying dependencies for project depscve
Checking for updates and analyzing vulnerabilities for dependencies
Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.

[Fatal Error] :1:1: Content is not allowed in prolog.
Unable to parse pom '/tmp/dctemp85e4af50-d038-4527-bfc4-f438f0ad4591/check6365453341250428597tmp/118/pom.xml'
An error occurred while analyzing '/home/tony/.gradle/caches/modules-2/files-2.1/io.swagger/swagger-codegen-cli/2.3.1/ea706b76ec9e1587e9deb7ffb6fdfe6e050cb430/swagger-codegen-cli-2.3.1.jar'.

> Task :dependencyCheckAnalyze FAILED
Generating report for project depscve
Found 13 vulnerabilities in project depscve


One or more dependencies were identified with known vulnerabilities:

swagger-codegen-cli-2.3.1.jar: gradle-wrapper.jar: ids:(cpe:/a:gradle:gradle:2.12) : CVE-2016-6199
swagger-codegen-cli-2.3.1.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.8.9): ids:(cpe:/a:fasterxml:jackson:2.8.9, cpe:/a:fasterxml:jackson-databind:2.8.9, com.fasterxml.jackson.core:jackson-databind:2.8.9) : CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489
swagger-codegen-cli-2.3.1.jar (shaded: io.airlift:airline:0.7): ids:(io.airlift:airline:0.7, cpe:/a:git_project:git:0.7, cpe:/a:git:git:0.7) : CVE-2008-5516, CVE-2010-2542, CVE-2010-3906, CVE-2013-0308, CVE-2014-9938, CVE-2015-7082, CVE-2015-7545, CVE-2017-14867


See the dependency-check report for more details.



FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':dependencyCheckAnalyze'.
> One or more exceptions occurred during analysis

* Try:
Run with --info or --debug option to get more log output. Run with --scan to get full insights.

* Exception is:
org.gradle.api.tasks.TaskExecutionException: Execution failed for task ':dependencyCheckAnalyze'.
	at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeActions(ExecuteActionsTaskExecuter.java:110)
	at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.execute(ExecuteActionsTaskExecuter.java:77)
	at org.gradle.api.internal.tasks.execution.OutputDirectoryCreatingTaskExecuter.execute(OutputDirectoryCreatingTaskExecuter.java:51)
	at org.gradle.api.internal.tasks.execution.SkipCachedTaskExecuter.execute(SkipCachedTaskExecuter.java:105)
	at org.gradle.api.internal.tasks.execution.SkipUpToDateTaskExecuter.execute(SkipUpToDateTaskExecuter.java:59)
	at org.gradle.api.internal.tasks.execution.ResolveTaskOutputCachingStateExecuter.execute(ResolveTaskOutputCachingStateExecuter.java:54)
	at org.gradle.api.internal.tasks.execution.ResolveBuildCacheKeyExecuter.execute(ResolveBuildCacheKeyExecuter.java:66)
	at org.gradle.api.internal.tasks.execution.ValidatingTaskExecuter.execute(ValidatingTaskExecuter.java:59)
	at org.gradle.api.internal.tasks.execution.SkipEmptySourceFilesTaskExecuter.execute(SkipEmptySourceFilesTaskExecuter.java:101)
	at org.gradle.api.internal.tasks.execution.FinalizeInputFilePropertiesTaskExecuter.execute(FinalizeInputFilePropertiesTaskExecuter.java:44)
	at org.gradle.api.internal.tasks.execution.CleanupStaleOutputsExecuter.execute(CleanupStaleOutputsExecuter.java:91)
	at org.gradle.api.internal.tasks.execution.ResolveTaskArtifactStateTaskExecuter.execute(ResolveTaskArtifactStateTaskExecuter.java:62)
	at org.gradle.api.internal.tasks.execution.SkipTaskWithNoActionsExecuter.execute(SkipTaskWithNoActionsExecuter.java:59)
	at org.gradle.api.internal.tasks.execution.SkipOnlyIfTaskExecuter.execute(SkipOnlyIfTaskExecuter.java:54)
	at org.gradle.api.internal.tasks.execution.ExecuteAtMostOnceTaskExecuter.execute(ExecuteAtMostOnceTaskExecuter.java:43)
	at org.gradle.api.internal.tasks.execution.CatchExceptionTaskExecuter.execute(CatchExceptionTaskExecuter.java:34)
	at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.run(EventFiringTaskExecuter.java:51)
	at org.gradle.internal.operations.DefaultBuildOperationExecutor$RunnableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:300)
	at org.gradle.internal.operations.DefaultBuildOperationExecutor$RunnableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:292)
	at org.gradle.internal.operations.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:174)
	at org.gradle.internal.operations.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:90)
	at org.gradle.internal.operations.DelegatingBuildOperationExecutor.run(DelegatingBuildOperationExecutor.java:31)
	at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter.execute(EventFiringTaskExecuter.java:46)
	at org.gradle.execution.taskgraph.LocalTaskInfoExecutor.execute(LocalTaskInfoExecutor.java:42)
	at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareWorkItemExecutor.execute(DefaultTaskExecutionGraph.java:273)
	at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareWorkItemExecutor.execute(DefaultTaskExecutionGraph.java:258)
	at org.gradle.execution.taskgraph.DefaultTaskPlanExecutor$ExecutorWorker$1.execute(DefaultTaskPlanExecutor.java:135)
	at org.gradle.execution.taskgraph.DefaultTaskPlanExecutor$ExecutorWorker$1.execute(DefaultTaskPlanExecutor.java:130)
	at org.gradle.execution.taskgraph.DefaultTaskPlanExecutor$ExecutorWorker.execute(DefaultTaskPlanExecutor.java:200)
	at org.gradle.execution.taskgraph.DefaultTaskPlanExecutor$ExecutorWorker.executeWithWork(DefaultTaskPlanExecutor.java:191)
	at org.gradle.execution.taskgraph.DefaultTaskPlanExecutor$ExecutorWorker.run(DefaultTaskPlanExecutor.java:130)
	at org.gradle.internal.concurrent.ExecutorPolicy$CatchAndRecordFailures.onExecute(ExecutorPolicy.java:63)
	at org.gradle.internal.concurrent.ManagedExecutorImpl$1.run(ManagedExecutorImpl.java:46)
	at org.gradle.internal.concurrent.ThreadFactoryImpl$ManagedThreadRunnable.run(ThreadFactoryImpl.java:55)
Caused by: org.gradle.api.GradleException: One or more exceptions occurred during analysis
	at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.analyze(AbstractAnalyze.groovy:124)
	at org.gradle.internal.reflect.JavaMethod.invoke(JavaMethod.java:73)
	at org.gradle.api.internal.project.taskfactory.StandardTaskAction.doExecute(StandardTaskAction.java:46)
	at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:39)
	at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:26)
	at org.gradle.api.internal.AbstractTask$TaskActionWrapper.execute(AbstractTask.java:786)
	at org.gradle.api.internal.AbstractTask$TaskActionWrapper.execute(AbstractTask.java:753)
	at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter$1.run(ExecuteActionsTaskExecuter.java:131)
	at org.gradle.internal.operations.DefaultBuildOperationExecutor$RunnableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:300)
	at org.gradle.internal.operations.DefaultBuildOperationExecutor$RunnableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:292)
	at org.gradle.internal.operations.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:174)
	at org.gradle.internal.operations.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:90)
	at org.gradle.internal.operations.DelegatingBuildOperationExecutor.run(DelegatingBuildOperationExecutor.java:31)
	at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeAction(ExecuteActionsTaskExecuter.java:120)
	at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeActions(ExecuteActionsTaskExecuter.java:99)
	... 33 more
Caused by: org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during dependency-check analysis
	Failed to initialize the RetireJS repo
	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:693)
	at org.owasp.dependencycheck.Engine$analyzeDependencies$0.call(Unknown Source)
	at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.analyze(AbstractAnalyze.groovy:90)
	... 47 more


* Get more help at https://help.gradle.org

BUILD FAILED in 5s
1 actionable task: 1 executed

@tonybaines

This is the same task, but using 3.2.1

> Task :dependencyCheckAnalyze
Verifying dependencies for project depscve
Checking for updates and analyzing vulnerabilities for dependencies
Generating report for project depscve
Found 13 vulnerabilities in project depscve


One or more dependencies were identified with known vulnerabilities:

swagger-codegen-cli-2.3.1.jar: gradle-wrapper.jar (cpe:/a:gradle:gradle:2.12) : CVE-2016-6199
swagger-codegen-cli-2.3.1.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml (cpe:/a:fasterxml:jackson:2.8.9, cpe:/a:fasterxml:jackson-databind:2.8.9, com.fasterxml.jackson.core:jackson-databind:2.8.9) : CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489
swagger-codegen-cli-2.3.1.jar/META-INF/maven/io.airlift/airline/pom.xml (io.airlift:airline:0.7, cpe:/a:git_project:git:0.7, cpe:/a:git:git:0.7) : CVE-2008-5516, CVE-2010-2542, CVE-2010-3906, CVE-2013-0308, CVE-2014-9938, CVE-2015-7082, CVE-2015-7545, CVE-2017-14867


See the dependency-check report for more details.



BUILD SUCCESSFUL in 10s
1 actionable task: 1 executed


msymons commented Aug 1, 2018

My original report, where the specific parse errors came from plexus-utils and mailapi, was also based on usage of swagger-codegen via org.zalando.stups:swagger-codegen-common.

    <dependencies>
        <dependency>
            <groupId>org.zalando.stups</groupId>
            <artifactId>swagger-codegen-common</artifactId>
            <version>0.4.16</version>
            <exclusions>
                <exclusion>
                    <groupId>org.codehaus.plexus</groupId>
                    <artifactId>plexus-archiver</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.apache.httpcomponents</groupId>
                    <artifactId>httpclient</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>org.apache.httpcomponents</groupId>
            <artifactId>httpclient</artifactId>
            <version>4.5.2</version>
        </dependency>
        <dependency>
            <groupId>org.codehaus.plexus</groupId>
            <artifactId>plexus-archiver</artifactId>
            <version>3.4</version>
        </dependency>
    </dependencies>

Thus, using maven-dependency-plugin:3.0.0:tree...

[INFO] xxx-yyy:pom:1.4.10-SNAPSHOT
[INFO] +- org.zalando.stups:swagger-codegen-common:jar:0.4.16:compile
[INFO] |  \- io.swagger:swagger-codegen:jar:2.1.3:compile
[INFO] |     +- io.swagger:swagger-parser:jar:1.0.10:compile
[INFO] |     +- io.swagger:swagger-compat-spec-parser:jar:1.0.10:compile
[INFO] |     |  +- com.github.fge:json-schema-validator:jar:2.2.3:compile
[INFO] |     |  |  +- joda-time:joda-time:jar:2.3:compile
[INFO] |     |  |  +- com.github.fge:json-schema-core:jar:1.2.1:compile
[INFO] |     |  |  |  +- com.github.fge:uri-template:jar:0.9:compile
[INFO] |     |  |  |  \- org.mozilla:rhino:jar:1.7R4:compile
[INFO] |     |  |  +- com.googlecode.libphonenumber:libphonenumber:jar:6.0:compile
[INFO] |     |  |  +- javax.mail:mailapi:jar:1.4.3:compile
[INFO] |     |  |  |  \- javax.activation:activation:jar:1.1:compile
[INFO] |     |  |  +- com.google.code.findbugs:jsr305:jar:2.0.1:compile
[INFO] |     |  |  \- net.sf.jopt-simple:jopt-simple:jar:4.6:compile
[INFO] |     |  \- com.github.fge:json-patch:jar:1.6:compile
[INFO] |     |     \- com.github.fge:jackson-coreutils:jar:1.6:compile
[INFO] |     |        \- com.github.fge:msg-simple:jar:1.1:compile
[INFO] |     |           \- com.github.fge:btf:jar:1.2:compile
...
[INFO] \- org.codehaus.plexus:plexus-archiver:jar:3.4:compile
[INFO]    +- org.codehaus.plexus:plexus-utils:jar:3.0.24:compile
[INFO]    +- org.codehaus.plexus:plexus-io:jar:2.7.1:compile
[INFO]    +- commons-io:commons-io:jar:2.5:compile
[INFO]    +- org.apache.commons:commons-compress:jar:1.11:compile
[INFO]    +- org.iq80.snappy:snappy:jar:0.4:compile
[INFO]    \- org.tukaani:xz:jar:1.5:runtime

Do you need any additional info?

@tonybaines

Thanks @jeremylong - 3.3.1 definitely fixes this for me

anderruiz pushed a commit to anderruiz/DependencyCheck that referenced this issue Sep 11, 2018
Conflicts:
	core/src/test/java/org/owasp/dependencycheck/xml/pom/PomParserTest.java

lock bot commented Sep 27, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Sep 27, 2018