How to resolve proxy issue in owasp dependency check?

Title: How to resolve proxy issue in owasp dependency check?
Posted: 2020-09-30 23:35:54
Question:

I ran the command below to run dependency check behind a proxy server.

./dependency-check.sh \
     --scan test/sample.jar \
     --project test_owasp \
     --out test/output

It gave me the following output:

[DependencyCheck] [ERROR] Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta
[DependencyCheck] org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta
[DependencyCheck]   at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile(NvdCveUpdater.java:347)
[DependencyCheck]   at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:385)
[DependencyCheck]   at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:122)
[DependencyCheck]   at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:936)
[DependencyCheck]   at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:737)
[DependencyCheck]   at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:667)
[DependencyCheck]   at org.owasp.dependencycheck.App.runScan(App.java:254)
[DependencyCheck]   at org.owasp.dependencycheck.App.run(App.java:186)
[DependencyCheck]   at org.owasp.dependencycheck.App.main(App.java:81)
[DependencyCheck] Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Download failed, unable to retrieve 'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta'
[DependencyCheck]   at org.owasp.dependencycheck.utils.Downloader.fetchContent(Downloader.java:131)
[DependencyCheck]   at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile(NvdCveUpdater.java:340)
[DependencyCheck]   ... 8 common frames omitted
[DependencyCheck] Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error downloading file https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta; unable to connect.
[DependencyCheck]   at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:238)
[DependencyCheck]   at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch(HttpResourceConnection.java:138)
[DependencyCheck]   at org.owasp.dependencycheck.utils.Downloader.fetchContent(Downloader.java:126)
[DependencyCheck]   ... 9 common frames omitted
[DependencyCheck] Caused by: java.net.SocketTimeoutException: connect timed out
[DependencyCheck]   at java.net.PlainSocketImpl.socketConnect(Native Method)
[DependencyCheck]   at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
[DependencyCheck]   at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
[DependencyCheck]   at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
[DependencyCheck]   at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
[DependencyCheck]   at java.net.Socket.connect(Socket.java:607)
[DependencyCheck]   at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
[DependencyCheck]   at sun.net.www.http.HttpClient.openServer(HttpClient.java:463)
[DependencyCheck]   at sun.net.www.http.HttpClient.openServer(HttpClient.java:558)
[DependencyCheck]   at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
[DependencyCheck]   at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
[DependencyCheck]   at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
[DependencyCheck]   at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1162)
[DependencyCheck]   at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1056)
[DependencyCheck]   at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
[DependencyCheck]   at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
[DependencyCheck]   at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:178)
[DependencyCheck]   ... 11 common frames omitted
[DependencyCheck] [INFO] Skipping RetireJS update since last update was within 24 hours.
[DependencyCheck] [WARN] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[DependencyCheck] [ERROR] Unable to continue dependency-check analysis.
[DependencyCheck] [ERROR] One or more fatal errors occurred
[DependencyCheck] [ERROR] Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta
[DependencyCheck] [ERROR] No documents exist

It fails to download the metadata through the proxy, even though I passed the following arguments with the command.

--proxyserver sample.proxy.com \
--proxyport 1234

Can anyone help me resolve this, please!!

Comments:

Answer 1:

By creating a Maven project and adding the owasp dependency check dependency to pom.xml, I was able to run owasp dependency check while downloading the resources (nvd-cve) smoothly. Before running, add the jars to be scanned under src/main/resources.

pom.xml:

  <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>owasp</groupId>
    <artifactId>dependency-check</artifactId>
    <version>99.0.0.0.0</version>
    <name>OWASP_Dependency_Check</name>
    <dependencies>
      <dependency>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>5.0.0</version>
        <scope>test</scope>
      </dependency>
    </dependencies>
  </project>

Run the following command:

mvn clean install  org.owasp:dependency-check-maven:check -DscanSet.fileSet=['src/main/resources/']

Regarding the proxy: I had to update the proxy in two settings.xml files: 1) .m2/settings.xml 2) apache-maven-3.6.3/conf/settings.xml

Comments:
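The <proxies> section that both settings.xml files mentioned in the answer need, as an added example that is not part of the original answer. The host and port are the ones from the question; the proxy ids, credentials and nonProxyHosts values are constructed placeholders.

```xml
<!-- settings.xml proxy configuration for the dependency-check-maven plugin (added example, not from the post).
     Host and port come from the question; ids, credentials and nonProxyHosts are placeholders. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              https://maven.apache.org/xsd/settings-1.0.0.xsd">
  <proxies>
    <!-- The NVD feed in the stack trace is fetched over https, so the https entry is the one that matters. -->
    <proxy>
      <id>corp-https</id>
      <active>true</active>
      <protocol>https</protocol>
      <host>sample.proxy.com</host>
      <port>1234</port>
      <!-- Omit these two elements if the proxy does not authenticate; for real credentials use
           Maven's encrypted passwords (mvn --encrypt-password with settings-security.xml). -->
      <username>PROXY_USER_PLACEHOLDER</username>
      <password>PROXY_PASSWORD_PLACEHOLDER</password>
      <!-- Hosts reached directly, bypassing the proxy, e.g. an internal artifact mirror. -->
      <nonProxyHosts>localhost|127.0.0.1|*.internal.example</nonProxyHosts>
    </proxy>
    <!-- A matching entry for plain http so artifact downloads over http also go through the proxy. -->
    <proxy>
      <id>corp-http</id>
      <active>true</active>
      <protocol>http</protocol>
      <host>sample.proxy.com</host>
      <port>1234</port>
      <nonProxyHosts>localhost|127.0.0.1|*.internal.example</nonProxyHosts>
    </proxy>
  </proxies>
</settings>
```

Maven merges the user file (~/.m2/settings.xml) over the global one (conf/settings.xml), with user values taking precedence, so the plugin sees the same proxy whichever file the CI host happens to ship.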
