Error org.owasp.dependencycheck.xml.pom.PomParseException with ojdbc7.jar analysis

[DmitriyStoyanov]

After upgrading OWASP Dependency Check CLI 3.2.0 -> 3.3.1 Faced with error:
org.owasp.dependencycheck.xml.pom.PomParseException: Unable to parse pom ...

after adding logs found, that issue with ojdbc7.jar file.
Just for test, I have created directory with only this jar file and started /d/tmp/dependency-check/bin/dependency-check.bat --project "OJDBC" --scan "." --format ALL --log odc.log

...
[INFO] Analysis Started
[INFO] Finished Archive Analyzer (1 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (0 seconds)
[WARN] Unable to parse pom 'C:\Users\User\AppData\Local\Temp\dctemp53e4902f-83d6-401c-883c-aaa181a26d9a\pom2726894874192483239.xml'
[WARN] An error occurred while analyzing 'D:\tmp\git\tmp\owasp-ojdbc-issue\ojdbc7.jar' (Central Analyzer).
[INFO] Finished Central Analyzer (388 seconds)
...
[INFO] Analysis Complete (392 seconds)
[ERROR] org.owasp.dependencycheck.xml.pom.PomParseException: Unable to parse pom 'C:\Users\User\AppData\Local\Temp\dctemp53e4902f-83d6-401c-883c-aaa181a26d9a\pom2726894874192483239.xml'

main issue that it cannot find needed lib in Central Repository:

DEBUG - Starting Central Analyzer
2018-08-11 15:42:33,522 org.owasp.dependencycheck.Engine:807
DEBUG - Parallel processing with up to 4 threads: Central Analyzer.
2018-08-11 15:42:33,522 org.owasp.dependencycheck.AnalysisTask:86
DEBUG - Begin Analysis of 'D:\tmp\git\tmp\owasp-ojdbc-issue\ojdbc7.jar' (Central Analyzer)
2018-08-11 15:42:33,523 org.owasp.dependencycheck.data.central.CentralSearch:126
DEBUG - Searching Central url https://search.maven.org/solrsearch/select?q=1:7c9b5984b2c1e32e7c8cf3331df77f31e89e24c2&wt=xml
2018-08-11 15:42:34,355 org.owasp.dependencycheck.analyzer.CentralAnalyzer:227
DEBUG - Central analyzer found artifact (cn.easyproject:ojdbc7:12.1.0.2.0) for dependency (ojdbc7.jar)
2018-08-11 15:42:34,355 org.owasp.dependencycheck.dependency.Dependency:512
DEBUG - Adding new maven identifier cn.easyproject:ojdbc7:12.1.0.2.0
2018-08-11 15:42:34,361 org.owasp.dependencycheck.analyzer.CentralAnalyzer:240
DEBUG - Downloading https://search.maven.org/remotecontent?filepath=cn/easyproject/ojdbc7/12.1.0.2.0/ojdbc7-12.1.0.2.0.pom
2018-08-11 15:42:34,361 org.owasp.dependencycheck.utils.Downloader:129
DEBUG - Attempting download of https://search.maven.org/remotecontent?filepath=cn/easyproject/ojdbc7/12.1.0.2.0/ojdbc7-12.1.0.2.0.pom
2018-08-11 15:42:36,523 org.owasp.dependencycheck.utils.Downloader:129
DEBUG - Attempting download of https://search.maven.org/remotecontent?filepath=cn/easyproject/ojdbc7/12.1.0.2.0/ojdbc7-12.1.0.2.0.pom
2018-08-11 15:42:40,107 org.owasp.dependencycheck.utils.Downloader:129
DEBUG - Attempting download of https://search.maven.org/remotecontent?filepath=cn/easyproject/ojdbc7/12.1.0.2.0/ojdbc7-12.1.0.2.0.pom
2018-08-11 15:42:46,725 org.owasp.dependencycheck.utils.Downloader:129
DEBUG - Attempting download of https://search.maven.org/remotecontent?filepath=cn/easyproject/ojdbc7/12.1.0.2.0/ojdbc7-12.1.0.2.0.pom
2018-08-11 15:42:59,330 org.owasp.dependencycheck.utils.Downloader:129
DEBUG - Attempting download of https://search.maven.org/remotecontent?filepath=cn/easyproject/ojdbc7/12.1.0.2.0/ojdbc7-12.1.0.2.0.pom
2018-08-11 15:43:23,938 org.owasp.dependencycheck.utils.Downloader:129
DEBUG - Attempting download of https://search.maven.org/remotecontent?filepath=cn/easyproject/ojdbc7/12.1.0.2.0/ojdbc7-12.1.0.2.0.pom
2018-08-11 15:44:12,559 org.owasp.dependencycheck.utils.Downloader:129
DEBUG - Attempting download of https://search.maven.org/remotecontent?filepath=cn/easyproject/ojdbc7/12.1.0.2.0/ojdbc7-12.1.0.2.0.pom
2018-08-11 15:45:49,205 org.owasp.dependencycheck.utils.Downloader:129
DEBUG - Attempting download of https://search.maven.org/remotecontent?filepath=cn/easyproject/ojdbc7/12.1.0.2.0/ojdbc7-12.1.0.2.0.pom
2018-08-11 15:49:02,053 org.owasp.dependencycheck.xml.pom.PomParser:68
DEBUG - 
java.io.FileNotFoundException: C:\Users\User\AppData\Local\Temp\dctemp53e4902f-83d6-401c-883c-aaa181a26d9a\pom2726894874192483239.xml (The system cannot find the file specified)
	at java.io.FileInputStream.open0(Native Method)
	at java.io.FileInputStream.open(Unknown Source)
	at java.io.FileInputStream.<init>(Unknown Source)
	at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:65)
	at org.owasp.dependencycheck.xml.pom.PomUtils.readPom(PomUtils.java:62)
	at org.owasp.dependencycheck.xml.pom.PomUtils.analyzePOM(PomUtils.java:139)
	at org.owasp.dependencycheck.analyzer.CentralAnalyzer.analyzeDependency(CentralAnalyzer.java:261)
	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:136)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
2018-08-11 15:49:02,054 org.owasp.dependencycheck.xml.pom.PomUtils:70
WARN  - Unable to parse pom 'C:\Users\User\AppData\Local\Temp\dctemp53e4902f-83d6-401c-883c-aaa181a26d9a\pom2726894874192483239.xml'
2018-08-11 15:49:02,054 org.owasp.dependencycheck.xml.pom.PomUtils:81
DEBUG - 
org.owasp.dependencycheck.xml.pom.PomParseException: Unable to parse pom 'C:\Users\User\AppData\Local\Temp\dctemp53e4902f-83d6-401c-883c-aaa181a26d9a\pom2726894874192483239.xml'
	at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:69)
	at org.owasp.dependencycheck.xml.pom.PomUtils.readPom(PomUtils.java:62)
	at org.owasp.dependencycheck.xml.pom.PomUtils.analyzePOM(PomUtils.java:139)
	at org.owasp.dependencycheck.analyzer.CentralAnalyzer.analyzeDependency(CentralAnalyzer.java:261)
	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:136)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
Caused by: java.io.FileNotFoundException: C:\Users\User\AppData\Local\Temp\dctemp53e4902f-83d6-401c-883c-aaa181a26d9a\pom2726894874192483239.xml (The system cannot find the file specified)
	at java.io.FileInputStream.open0(Native Method)
	at java.io.FileInputStream.open(Unknown Source)
	at java.io.FileInputStream.<init>(Unknown Source)
	at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:65)
	... 10 common frames omitted
2018-08-11 15:49:02,054 org.owasp.dependencycheck.AnalysisTask:90
WARN  - An error occurred while analyzing 'D:\tmp\git\tmp\owasp-ojdbc-issue\ojdbc7.jar' (Central Analyzer).
2018-08-11 15:49:02,055 org.owasp.dependencycheck.AnalysisTask:91
DEBUG - 
org.owasp.dependencycheck.analyzer.exception.AnalysisException: org.owasp.dependencycheck.xml.pom.PomParseException: Unable to parse pom 'C:\Users\User\AppData\Local\Temp\dctemp53e4902f-83d6-401c-883c-aaa181a26d9a\pom2726894874192483239.xml'
	at org.owasp.dependencycheck.xml.pom.PomUtils.readPom(PomUtils.java:82)
	at org.owasp.dependencycheck.xml.pom.PomUtils.analyzePOM(PomUtils.java:139)
	at org.owasp.dependencycheck.analyzer.CentralAnalyzer.analyzeDependency(CentralAnalyzer.java:261)
	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:136)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
Caused by: org.owasp.dependencycheck.xml.pom.PomParseException: Unable to parse pom 'C:\Users\User\AppData\Local\Temp\dctemp53e4902f-83d6-401c-883c-aaa181a26d9a\pom2726894874192483239.xml'
	at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:69)
	at org.owasp.dependencycheck.xml.pom.PomUtils.readPom(PomUtils.java:62)
	... 9 common frames omitted
Caused by: java.io.FileNotFoundException: C:\Users\User\AppData\Local\Temp\dctemp53e4902f-83d6-401c-883c-aaa181a26d9a\pom2726894874192483239.xml (The system cannot find the file specified)
	at java.io.FileInputStream.open0(Native Method)
	at java.io.FileInputStream.open(Unknown Source)
	at java.io.FileInputStream.<init>(Unknown Source)
	at org.owasp.dependencycheck.xml.pom.PomParser.parse(PomParser.java:65)
	... 10 common frames omitted
2018-08-11 15:49:02,055 org.owasp.dependencycheck.Engine:675
INFO  - Finished Central Analyzer (388 seconds)

Full Log of scan you can find here: odc.log

[DmitriyStoyanov]

Checked the same situation in 3.2.0
And there are only warning Unable to download pom.xml for ojdbc7.jar from Central; this could result in undetected CPE/CVEs. ,without any exceptions:

DEBUG - Adding new maven identifier cn.easyproject:ojdbc7:12.1.0.2.0
2018-08-11 16:37:19,525 org.owasp.dependencycheck.analyzer.CentralAnalyzer:240
DEBUG - Downloading http://search.maven.org/remotecontent?filepath=cn/easyproject/ojdbc7/12.1.0.2.0/ojdbc7-12.1.0.2.0.pom
2018-08-11 16:37:19,525 org.owasp.dependencycheck.utils.Downloader:129
DEBUG - Attempting download of http://search.maven.org/remotecontent?filepath=cn/easyproject/ojdbc7/12.1.0.2.0/ojdbc7-12.1.0.2.0.pom
2018-08-11 16:37:19,819 org.owasp.dependencycheck.analyzer.CentralAnalyzer:246
WARN  - Unable to download pom.xml for ojdbc7.jar from Central; this could result in undetected CPE/CVEs.
2018-08-11 16:37:19,819 org.owasp.dependencycheck.Engine:675
INFO  - Finished Central Analyzer (1 seconds)
2018-08-11 16:37:19,820 org.owasp.dependencycheck.Engine:823

[DmitriyStoyanov]

Looks like it is related to this commit 10ea23c

[DmitriyStoyanov]

here: https://github.com/jeremylong/DependencyCheck/blob/master/core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java#L261

we should check something like:

                        if (success) {
                            PomUtils.analyzePOM(dependency, pomFile);
                        } else {
                            LOGGER.warn("Unable to download pom.xml for {} from Central; "
                                    + "this could result in undetected CPE/CVEs.", dependency.getFileName());
                        }

and also here:
https://github.com/jeremylong/DependencyCheck/blob/master/core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java#L263
we will not face with this exception, because it was catched before.

And i guess PomUtils.analyzePOM also can be used in try-catch scenario, to not fail whole run if some pom.xml's will be not parsed like here #1016

[Kovshar-OS]

Hello, I have same issue in my project. Dmitry, have you fix issue by yourself, or waiting to fix from Jeremy?

[DmitriyStoyanov]

@Kovshar-OS, I have reverted to use version 3.2.0 in our CI.
But on my local machine, added this part

                        if (success) {
                            PomUtils.analyzePOM(dependency, pomFile);
                        } else {
                            LOGGER.warn("Unable to download pom.xml for {} from Central; "
                                    + "this could result in undetected CPE/CVEs.", dependency.getFileName());
                        }

instead of CentralAnalyzer.java#L261
and checked that all works fine.
But this solution is not fully correct from developers side, and i guess @jeremylong will create another change in this part

[DmitriyStoyanov]

@Kovshar-OS, pull request with fixed issue, created

[jeremylong]

Thanks for the PR!

[mbologna]

Workaround: just pass --exclude "**/**ojdbc**" in the options

[gregorko]

Workaround: just pass --exclude "**/ojdbc" in the options

Unfortunately this is not possible when using the Jenkins plugin.
When will be the next release available?

[jeremylong]

I'm going to do a release next weekend (Sept 8-9th).

[jeremylong]

Life happened - I should publish the next release the weekend of the 15th.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.