
Conversation

Shawyeok (Contributor) commented Mar 17, 2025

Motivation

The CI Job OWASP Dependency Check has failed consistently since last month, below are the error details:

Error:  Unable to continue dependency-check analysis.
Error:  Failed to execute goal org.owasp:dependency-check-maven:10.0.2:aggregate (default) on project bookkeeper: Fatal exception(s) analyzing Apache BookKeeper :: Parent: One or more exceptions occurred during analysis:
Error:  	UpdateException: Error updating the NVD Data
Error:  		caused by NvdApiException: Failed to parse NVD data
Error:  		caused by ValueInstantiationException: Cannot construct instance of `io.github.jeremylong.openvulnerability.client.nvd.CvssV4Data$ModifiedCiaType`, problem: SAFETY
Error:   at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 3052240] (through reference chain: io.github.jeremylong.openvulnerability.client.nvd.CveApiJson20["vulnerabilities"]->java.util.ArrayList[1471]->io.github.jeremylong.openvulnerability.client.nvd.DefCveItem["cve"]->io.github.jeremylong.openvulnerability.client.nvd.CveItem["metrics"]->io.github.jeremylong.openvulnerability.client.nvd.Metrics["cvssMetricV40"]->java.util.ArrayList[0]->io.github.jeremylong.openvulnerability.client.nvd.CvssV4["cvssData"]->io.github.jeremylong.openvulnerability.client.nvd.CvssV4Data["modifiedSubsequentSystemIntegrity"])
Error:  		caused by IllegalArgumentException: SAFETY
Error:  	NoDataException: No documents exist
Error:  -> [Help 1]

According to the dependency-check Mandatory Upgrade Notice:

Due to compatibility issues with the NVD API - all users must upgrade to 12.1.0 or later.

This patch is to do so.
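The stack trace above fails inside Jackson while constructing a `CvssV4Data$ModifiedCiaType` from the string `SAFETY`, i.e. the NVD feed started carrying an enum value the old client did not know, and a single unknown value aborted the whole NVD update. The following is an added example, not BookKeeper or dependency-check code, that reproduces that class of failure with a constructed, simplified stand-in enum and shows the tolerant alternative Jackson offers (`@JsonEnumDefaultValue` plus `READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE`). The enum constants, class names and JSON sample are assumptions for illustration; it requires `jackson-databind` on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonEnumDefaultValue;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.ValueInstantiationException;

// Added example: illustrates why an unknown CVSS v4 metric value breaks a strict
// enum deserializer and how a tolerant mapping avoids a hard failure.
public class NvdEnumParsingDemo {

    // Constructed stand-in for how an older client might model a CVSS v4
    // "modified subsequent-system" CIA metric: a fixed constant set plus a
    // creator that rejects anything else (constant names are assumptions).
    enum StrictCiaType {
        NOT_DEFINED, HIGH, LOW, NEGLIGIBLE;

        @JsonCreator
        static StrictCiaType fromValue(String value) {
            for (StrictCiaType t : values()) {
                if (t.name().equals(value)) {
                    return t;
                }
            }
            // Jackson wraps this in ValueInstantiationException, matching the
            // "caused by IllegalArgumentException: SAFETY" shape of the CI trace.
            throw new IllegalArgumentException(value);
        }
    }

    // Tolerant variant: the new value is known, and any future unknown string
    // maps to UNKNOWN instead of aborting the parse of the entire feed.
    enum TolerantCiaType {
        NOT_DEFINED, HIGH, LOW, NEGLIGIBLE, SAFETY,
        @JsonEnumDefaultValue UNKNOWN
    }

    // Minimal constructed shapes of the "cvssData" object named in the trace.
    public static final class StrictCvssData {
        public StrictCiaType modifiedSubsequentSystemIntegrity;
    }

    public static final class TolerantCvssData {
        public TolerantCiaType modifiedSubsequentSystemIntegrity;
    }

    // Constructed sample: one cvssData object carrying the value from the trace.
    static final String SAMPLE_SAFETY =
        "{\"modifiedSubsequentSystemIntegrity\":\"SAFETY\"}";
    // Constructed sample: a value no client knows yet.
    static final String SAMPLE_FUTURE =
        "{\"modifiedSubsequentSystemIntegrity\":\"SOME_FUTURE_VALUE\"}";

    public static void main(String[] args) throws Exception {
        // Strict client: one unknown metric value fails the whole document.
        ObjectMapper strict = new ObjectMapper();
        try {
            strict.readValue(SAMPLE_SAFETY, StrictCvssData.class);
        } catch (ValueInstantiationException e) {
            System.out.println("strict parse failed: " + e.getOriginalMessage());
        }

        // Tolerant client: known value parses, unknown value degrades to UNKNOWN.
        ObjectMapper tolerant = new ObjectMapper()
            .enable(DeserializationFeature.READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE);
        TolerantCvssData known = tolerant.readValue(SAMPLE_SAFETY, TolerantCvssData.class);
        TolerantCvssData future = tolerant.readValue(SAMPLE_FUTURE, TolerantCvssData.class);
        System.out.println("tolerant parse (SAFETY): " + known.modifiedSubsequentSystemIntegrity);
        System.out.println("tolerant parse (future): " + future.modifiedSubsequentSystemIntegrity);
    }
}
```

The trade-off is visible in the two mappers: the strict one turns a data-model change in an upstream feed into a CI outage for every consumer, while the tolerant one keeps the vulnerability scan running and leaves the unrecognised metric to be surfaced separately. Upgrading to the client release that knows the new value, as this PR does, is still required to score those CVEs correctly.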

Shawyeok changed the title from "Bump dependency-check to 12.1.0 to rescue OWASP Check job" to "Bump dependency-check to 12.1.0 to fix OWASP Check job" on Mar 18, 2025

Shawyeok (Contributor, Author) commented:

Please feel free to take a look, thank you. @lhotari @eolivelli @zymap @hangc0276

OWASP Dependency Check failed due to CVE-2025-24970, which proved that this PR fixed the OWASP Dependency Check job successfully.

Error:  One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
Error:  
Error:  netty-handler-4.1.115.Final.jar (pkg:maven/io.netty/netty-handler@4.1.115.Final, cpe:2.3:a:netty:netty:4.1.115:*:*:*:*:*:*:*): CVE-2025-24970(7.5)

Replication Tests failed due to a flaky test recorded in #4565.

Shawyeok (Contributor, Author) commented:

Rerun failed checks.

hezhangjian merged commit bdc08bc into apache:master on Apr 1, 2025
22 of 23 checks passed