feat: #7510 Display a dedicated message when receiving an HTTP 403 (#7575)

Author: aikebah

core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java

@@ -34,6 +34,7 @@
 import org.owasp.dependencycheck.utils.Downloader;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.FileUtils;
+import org.owasp.dependencycheck.utils.ForbiddenException;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.ResourceNotFoundException;
 import org.owasp.dependencycheck.utils.Settings;
@@ -309,6 +310,12 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
             LOGGER.info("invalid sha1-hash on {}", dependency.getFileName());
         } catch (FileNotFoundException fnfe) {
             LOGGER.debug("Artifact not found in repository: '{}", dependency.getFileName());
+        } catch (ForbiddenException e) {
+            final String message = "Connection to Central search refused. This is most likely not a problem with " +
+                    "Dependency-Check itself and is related to network connectivity. Please check " +
+                    "https://central.sonatype.org/faq/403-error-central/.";
+            LOGGER.error(message);
+            throw new AnalysisException(message, e);
         } catch (IOException ioe) {
             final String message = "Could not connect to Central search. Analysis failed.";
             LOGGER.error(message, ioe);
@@ -330,7 +337,8 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
      * @throws TooManyRequestsException if Central has received too many
      * requests.
      */
-    protected List<MavenArtifact> fetchMavenArtifacts(Dependency dependency) throws IOException, TooManyRequestsException {
+    protected List<MavenArtifact> fetchMavenArtifacts(Dependency dependency) throws IOException,
+            TooManyRequestsException {
         IOException lastException = null;
         long sleepingTimeBetweenRetriesInMillis = BASE_RETRY_WAIT;
         int triesLeft = numberOfRetries;

core/src/main/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearch.java

@@ -33,6 +33,7 @@
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Checksum;
 import org.owasp.dependencycheck.utils.Downloader;
+import org.owasp.dependencycheck.utils.ForbiddenException;
 import org.owasp.dependencycheck.utils.ResourceNotFoundException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.TooManyRequestsException;
@@ -44,7 +45,7 @@
  * Class of methods to search Artifactory for hashes and determine Maven GAV
  * from there.
  *
- * Data classes copied from JFrog's artifactory-client-java project.
+ * <p>Data classes copied from JFrog's artifactory-client-java project.</p>
  *
  * @author nhenneaux
  */
@@ -116,6 +117,8 @@ public List<MavenArtifact> search(Dependency dependency) throws IOException {
             throw new IOException(msg.append(" (400): Invalid URL").toString(), e);
         } catch (ResourceNotFoundException e) {
             throw new IOException(msg.append(" (404): Not found").toString(), e);
+        } catch (ForbiddenException e) {
+            throw new IOException(msg.append(" (403): Forbidden").toString(), e);
         }
     }
 

core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java

@@ -21,6 +21,7 @@
 import org.apache.hc.core5.http.message.BasicHeader;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
+import org.owasp.dependencycheck.utils.ForbiddenException;
 import org.owasp.dependencycheck.utils.ResourceNotFoundException;
 import org.owasp.dependencycheck.utils.TooManyRequestsException;
 import java.io.FileNotFoundException;
@@ -135,14 +136,14 @@ public CentralSearch(Settings settings) throws MalformedURLException {
      * @throws TooManyRequestsException if Central has received too many
      * requests.
      */
-    public List<MavenArtifact> searchSha1(String sha1) throws IOException, TooManyRequestsException {
+    public List<MavenArtifact> searchSha1(String sha1) throws IOException, TooManyRequestsException, ForbiddenException {
         if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
             throw new IllegalArgumentException("Invalid SHA1 format");
         }
         if (cache != null) {
             final List<MavenArtifact> cached = cache.get(sha1);
             if (cached != null) {
-                LOGGER.debug("cache hit for Central: " + sha1);
+                LOGGER.debug("cache hit for Central: {}", sha1);
                 if (cached.isEmpty()) {
                     throw new FileNotFoundException("Artifact not found in Central");
                 }
@@ -180,6 +181,9 @@ public List<MavenArtifact> searchSha1(String sha1) throws IOException, TooManyRe
         } catch (URISyntaxException e) {
             final String errorMessage = "Could not convert central search URL to a URI " + e.getMessage();
             throw new IOException(errorMessage, e);
+        } catch (ForbiddenException e) {
+            final String errorMessage = "Forbidden access to MavenCentral " + e.getMessage();
+            throw new ForbiddenException(errorMessage, e);
         }
         if (cache != null) {
             cache.put(sha1, result);

core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV2Search.java

@@ -34,6 +34,7 @@
 import org.apache.hc.core5.http.message.BasicHeader;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
+import org.owasp.dependencycheck.utils.ForbiddenException;
 import org.owasp.dependencycheck.utils.ResourceNotFoundException;
 import org.owasp.dependencycheck.utils.Settings;
 
@@ -147,7 +148,7 @@ public MavenArtifact searchSha1(String sha1) throws IOException {
                 throw new IOException("Could not connect to Nexus");
         } catch (ResourceNotFoundException e) {
             throw new FileNotFoundException("Artifact not found in Nexus");
-        } catch (XPathExpressionException | URISyntaxException e) {
+        } catch (XPathExpressionException | URISyntaxException | ForbiddenException e) {
             throw new IOException(e.getMessage(), e);
         }
     }

core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV3Search.java

@@ -27,6 +27,7 @@
 import org.jetbrains.annotations.Nullable;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
+import org.owasp.dependencycheck.utils.ForbiddenException;
 import org.owasp.dependencycheck.utils.ResourceNotFoundException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.TooManyRequestsException;
@@ -146,7 +147,7 @@ private String retrievePageAndAddMatchingArtifact(CloseableHttpClient client, Li
         try {
             return Downloader.getInstance().fetchAndHandle(client, url, handler, List.of(new BasicHeader(HttpHeaders.ACCEPT,
                             ContentType.APPLICATION_JSON)));
-        } catch (TooManyRequestsException | ResourceNotFoundException | DownloadFailedException e) {
+        } catch (TooManyRequestsException | ResourceNotFoundException | DownloadFailedException | ForbiddenException e) {
             if (LOGGER.isDebugEnabled()) {
                 int responseCode = -1;
                 String responseMessage = "";

core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java

@@ -21,6 +21,7 @@
 import org.junit.Test;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.central.CentralSearch;
+import org.owasp.dependencycheck.utils.ForbiddenException;
 import org.owasp.dependencycheck.utils.TooManyRequestsException;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -50,7 +51,7 @@ public class CentralAnalyzerTest extends BaseTest {
 
     @Test
     @SuppressWarnings("PMD.NonStaticInitializer")
-    public void testFetchMavenArtifactsWithoutException() throws IOException, TooManyRequestsException {
+    public void testFetchMavenArtifactsWithoutException() throws IOException, TooManyRequestsException, ForbiddenException {
             CentralAnalyzer instance = new CentralAnalyzer();
             instance.setCentralSearch(centralSearch);
             when(dependency.getSha1sum()).thenReturn(SHA1_SUM);
@@ -64,7 +65,7 @@ public void testFetchMavenArtifactsWithoutException() throws IOException, TooMan
     @Test(expected = FileNotFoundException.class)
     @SuppressWarnings("PMD.NonStaticInitializer")
     public void testFetchMavenArtifactsRethrowsFileNotFoundException()
-            throws IOException, TooManyRequestsException {
+            throws IOException, TooManyRequestsException, ForbiddenException {
         CentralAnalyzer instance = new CentralAnalyzer();
         instance.setCentralSearch(centralSearch);
         when(dependency.getSha1sum()).thenReturn(SHA1_SUM);
@@ -75,7 +76,7 @@ public void testFetchMavenArtifactsRethrowsFileNotFoundException()
     @Test(expected = IOException.class)
     @SuppressWarnings("PMD.NonStaticInitializer")
     public void testFetchMavenArtifactsAlwaysThrowsIOException()
-            throws IOException, TooManyRequestsException {
+            throws IOException, TooManyRequestsException, ForbiddenException {
         getSettings().setInt(Settings.KEYS.ANALYZER_CENTRAL_RETRY_COUNT, 1);
         getSettings().setBoolean(Settings.KEYS.ANALYZER_CENTRAL_USE_CACHE, false);
         CentralAnalyzer instance = new CentralAnalyzer();

utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java

@@ -649,7 +649,7 @@ public CloseableHttpClient getHttpClient(boolean useProxy) {
      * @throws ResourceNotFoundException When HTTP status 404 is encountered
      */
     public <T> T fetchAndHandle(@NotNull URL url, @NotNull HttpClientResponseHandler<T> handler)
-            throws IOException, TooManyRequestsException, ResourceNotFoundException, URISyntaxException {
+            throws IOException, TooManyRequestsException, ResourceNotFoundException, URISyntaxException, ForbiddenException {
         return fetchAndHandle(url, handler, Collections.emptyList(), true);
     }
 
@@ -666,7 +666,7 @@ public <T> T fetchAndHandle(@NotNull URL url, @NotNull HttpClientResponseHandler
      * @throws ResourceNotFoundException When HTTP status 404 is encountered
      */
     public <T> T fetchAndHandle(@NotNull URL url, @NotNull HttpClientResponseHandler<T> handler, @NotNull List<Header> hdr)
-            throws IOException, TooManyRequestsException, ResourceNotFoundException, URISyntaxException {
+            throws IOException, TooManyRequestsException, ResourceNotFoundException, URISyntaxException, ForbiddenException {
         return fetchAndHandle(url, handler, hdr, true);
     }
 
@@ -684,7 +684,7 @@ public <T> T fetchAndHandle(@NotNull URL url, @NotNull HttpClientResponseHandler
      * @throws ResourceNotFoundException When HTTP status 404 is encountered
      */
     public <T> T fetchAndHandle(@NotNull URL url, @NotNull HttpClientResponseHandler<T> handler, @NotNull List<Header> hdr, boolean useProxy)
-            throws IOException, TooManyRequestsException, ResourceNotFoundException, URISyntaxException {
+            throws IOException, TooManyRequestsException, ResourceNotFoundException, URISyntaxException, ForbiddenException {
         final T data;
         if ("file".equals(url.getProtocol())) {
             final Path p = Paths.get(url.toURI());
@@ -717,7 +717,8 @@ public <T> T fetchAndHandle(@NotNull URL url, @NotNull HttpClientResponseHandler
      * @throws ResourceNotFoundException When HTTP status 404 is encountered
      */
     public <T> T fetchAndHandle(@NotNull CloseableHttpClient client, @NotNull URL url, @NotNull HttpClientResponseHandler<T> handler,
-                                @NotNull List<Header> hdr) throws IOException, TooManyRequestsException, ResourceNotFoundException {
+                                @NotNull List<Header> hdr) throws IOException, TooManyRequestsException,
+            ResourceNotFoundException, ForbiddenException {
         try {
             final String theProtocol = url.getProtocol();
             if (!("http".equals(theProtocol) || "https".equals(theProtocol))) {
@@ -732,6 +733,9 @@ public <T> T fetchAndHandle(@NotNull CloseableHttpClient client, @NotNull URL ur
         } catch (HttpResponseException hre) {
             final String messageFormat = "%s - Server status: %d - Server reason: %s";
             switch (hre.getStatusCode()) {
+                case 403:
+                    throw new ForbiddenException(String.format(messageFormat, url, hre.getStatusCode(),
+                            hre.getReasonPhrase()));
                 case 404:
                     throw new ResourceNotFoundException(String.format(messageFormat, url, hre.getStatusCode(), hre.getReasonPhrase()));
                 case 429:

utils/src/main/java/org/owasp/dependencycheck/utils/ForbiddenException.java

@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.io.IOException;
+
+public class ForbiddenException extends IOException {
+
+    public ForbiddenException(String message) {
+        super(message);
+    }
+
+    public ForbiddenException(String message, ForbiddenException cause) {
+        super(message, cause);
+    }
+}