I am trying to use dependency-check-maven in every test build job in Jenkins:
mvn org.owasp:dependency-check-maven:6.2.2:aggregate -DskipSystemScope=true -Dformat=ALL -DprettyPrint=true -DcentralAnalyzerEnabled=false -DassemblyAnalyzerEnabled=false -DyarnAuditAnalyzerEnabled=false -DbundleAuditAnalyzerEnabled=false -DversionCheckEnabled=true
Unfortunately, in several projects I ran into a problem with the Node Audit Analyzer, which checks the package-lock.json file.
While the Maven plugin runs, a warning appears in the log:
[WARNING] An error occurred while analyzing '/var/lib/jenkins/workspace/testbuild/project/module-web/src/main/resources/dev/package-lock.json' (Node Audit Analyzer).
which leads to the final error:
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.2.2:aggregate (default-cli) on project project: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis:
[ERROR] AnalysisException: Failed to read results from the NPM Audit API (NodeAuditAnalyzer); the analyzer is being disabled and may result in false negatives.
[ERROR] caused by SocketException: Connection reset
[ERROR] AnalysisException: Failed to read results from the NPM Audit API (NodeAuditAnalyzer); the analyzer is being disabled and may result in false negatives.
[ERROR] caused by IOException: Error writing to server
In most of the affected projects there is only one of the errors, SocketException: Connection reset OR IOException: Error writing to server, but sometimes both appear in the same build log.
To be able to use the plugin at all, I added the parameter -DnodeAuditAnalyzerEnabled=false, but that is not a solution I am willing to accept.
I tried running Maven in debug mode. Here is a stack trace that mentions the error:
[DEBUG] Error reading dependency or connecting to NPM Audit API
java.io.IOException: Error writing to server
at sun.net.www.protocol.http.HttpURLConnection.writeRequests (HttpURLConnection.java:699)
at sun.net.www.protocol.http.HttpURLConnection.writeRequests (HttpURLConnection.java:711)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0 (HttpURLConnection.java:1585)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream (HttpURLConnection.java:1492)
at java.net.HttpURLConnection.getResponseCode (HttpURLConnection.java:480)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode (HttpsURLConnectionImpl.java:347)
at org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage (NodeAuditSearch.java:176)
at org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage (NodeAuditSearch.java:133)
at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzePackage (NodeAuditAnalyzer.java:188)
at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency (NodeAuditAnalyzer.java:145)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run (FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:624)
at java.lang.Thread.run (Thread.java:748)
[WARNING] An error occurred while analyzing '/var/lib/jenkins/workspace/testbuild/project/module-web/src/main/resources/dev/package-lock.json' (Node Audit Analyzer).
[DEBUG]
org.owasp.dependencycheck.analyzer.exception.AnalysisException: Failed to read results from the NPM Audit API (NodeAuditAnalyzer); the analyzer is being disabled and may result in false negatives.
at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzePackage (NodeAuditAnalyzer.java:197)
at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency (NodeAuditAnalyzer.java:145)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run (FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:624)
at java.lang.Thread.run (Thread.java:748)
Caused by: java.io.IOException: Error writing to server
at sun.net.www.protocol.http.HttpURLConnection.writeRequests (HttpURLConnection.java:699)
at sun.net.www.protocol.http.HttpURLConnection.writeRequests (HttpURLConnection.java:711)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0 (HttpURLConnection.java:1585)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream (HttpURLConnection.java:1492)
at java.net.HttpURLConnection.getResponseCode (HttpURLConnection.java:480)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode (HttpsURLConnectionImpl.java:347)
at org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage (NodeAuditSearch.java:176)
at org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage (NodeAuditSearch.java:133)
at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzePackage (NodeAuditAnalyzer.java:188)
at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency (NodeAuditAnalyzer.java:145)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run (FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:624)
at java.lang.Thread.run (Thread.java:748)
[INFO] Finished Node Audit Analyzer (31 seconds)
In the same debug-mode log I found the URL used by the analyzer: https://registry.npmjs.org/-/npm/v1/security/audits. Perhaps this service has some limits?
I would be grateful for any help.
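An added example that is not part of the question or of dependency-check itself: a small Python gate that reads a Maven build log, picks out the exact warning and error shapes quoted above, records which analyzers disabled themselves and why, and returns PASS, RETRY or FAIL. The point for a CI owner is the phrase "may result in false negatives": once the Node Audit Analyzer drops out, the report silently loses npm coverage, and the tempting workaround (-DnodeAuditAnalyzerEnabled=false) makes that gap permanent. The sample log is constructed from the lines in the question; the regexes, the TRANSIENT_CAUSES set and all function names are my assumptions about the log format, not anything dependency-check documents.

```python
"""Gate a dependency-check-maven build log on analyzer health.

Added example (not from the question or from dependency-check). It classifies
an analyzer dropout as RETRY when every recorded cause is a transient network
exception, so a job can be re-run or agent egress fixed, and as FAIL when the
cause is unknown or non-network and needs a human to look at it.
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass, field

# Log shapes as they appear in the question (assumed; verify against your own build output).
ANALYZE_WARN_RE = re.compile(
    r"\[WARNING\] An error occurred while analyzing '(?P<path>[^']+)' \((?P<analyzer>[^)]+)\)"
)
DISABLED_RE = re.compile(
    r"AnalysisException: Failed to read results from the (?P<api>.+?) "
    r"\((?P<analyzer>\w+)\); the analyzer is being disabled"
)
# Matches both "[ERROR] caused by SocketException: ..." and the debug-trace form
# "Caused by: java.io.IOException: ..." (the package prefix is optional).
CAUSE_RE = re.compile(
    r"[Cc]aused by:?\s+(?:[\w.]+\.)?(?P<exc>\w+(?:Exception|Error)):\s*(?P<msg>.+)$"
)

# Exceptions that normally mean a transient network problem (egress proxy,
# connection reset, remote throttling) rather than a broken scan configuration.
# Assumption: tune this set to what your build agents actually see.
TRANSIENT_CAUSES = {
    "SocketException", "IOException", "SocketTimeoutException",
    "UnknownHostException", "ConnectException",
}


@dataclass
class AnalyzerHealth:
    disabled: set = field(default_factory=set)        # analyzers that switched themselves off
    failed_files: dict = field(default_factory=dict)  # analyzer display name -> [paths]
    causes: Counter = field(default_factory=Counter)  # exception class -> count
    messages: list = field(default_factory=list)      # "Class: message" strings for the job summary

    def is_clean(self) -> bool:
        return not self.disabled and not self.failed_files

    def only_transient_causes(self) -> bool:
        # Counts may double up when debug traces are on; only the class set matters here.
        return bool(self.causes) and all(exc in TRANSIENT_CAUSES for exc in self.causes)


def parse_log(lines) -> AnalyzerHealth:
    """Walk the Maven log once and collect analyzer failures."""
    health = AnalyzerHealth()
    for raw in lines:
        line = raw.rstrip()
        m = ANALYZE_WARN_RE.search(line)
        if m:
            health.failed_files.setdefault(m["analyzer"], []).append(m["path"])
            continue
        m = DISABLED_RE.search(line)
        if m:
            health.disabled.add(m["analyzer"])
            continue
        m = CAUSE_RE.search(line)
        if m:
            health.causes[m["exc"]] += 1
            health.messages.append(f'{m["exc"]}: {m["msg"]}')
    return health


def verdict(health: AnalyzerHealth) -> str:
    """PASS: every analyzer finished. RETRY: analyzers were disabled but all
    recorded causes are transient network exceptions. FAIL: anything else."""
    if health.is_clean():
        return "PASS"
    if health.only_transient_causes():
        return "RETRY"
    return "FAIL"


# Constructed sample, assembled from the lines quoted in the question.
SAMPLE_LOG = """\
[INFO] --- dependency-check-maven:6.2.2:aggregate (default-cli) @ project ---
[WARNING] An error occurred while analyzing '/var/lib/jenkins/workspace/testbuild/project/module-web/src/main/resources/dev/package-lock.json' (Node Audit Analyzer).
[INFO] Finished Node Audit Analyzer (31 seconds)
[ERROR] AnalysisException: Failed to read results from the NPM Audit API (NodeAuditAnalyzer); the analyzer is being disabled and may result in false negatives.
[ERROR] caused by SocketException: Connection reset
[ERROR] AnalysisException: Failed to read results from the NPM Audit API (NodeAuditAnalyzer); the analyzer is being disabled and may result in false negatives.
[ERROR] caused by IOException: Error writing to server
"""


if __name__ == "__main__":
    # Usage: python audit_gate.py build.log   (no argument: run on the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            health = parse_log(fh)
    else:
        health = parse_log(SAMPLE_LOG.splitlines())
    result = verdict(health)
    print(f"{result}: disabled={sorted(health.disabled)} "
          f"failed_files={health.failed_files} causes={dict(health.causes)}")
    sys.exit({"PASS": 0, "RETRY": 2, "FAIL": 1}[result])
```

Wiring the exit codes into the Jenkins job (0 pass, 2 retry, 1 fail) keeps the dropout visible: a RETRY can be re-queued automatically, while a FAIL stops the pipeline instead of letting a report with missing npm coverage go out as green.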