Analysis does not continue after update failure #6535

Open
OrangeDog opened this issue Mar 21, 2024 · 6 comments
@OrangeDog

Describe the bug
After this is logged:

[WARNING] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.

The intention is that analysis should continue. However, this is logged instead:

[ERROR] Unable to continue dependency-check analysis.
[ERROR] Fatal exception(s) analyzing Project

Version of dependency-check used
The problem occurs using version 9.0.10 of the maven plugin.

Log file
https://gist.github.com/OrangeDog/24ce9447e015184ccf85ac647e17749b

To Reproduce
Steps to reproduce the behavior:

  1. Have a successful initial sync of the data
  2. Induce NVD updates to fail (these logs were while the service was unavailable)
  3. Run dependency-check:check

Expected behavior
The update fails, but then analysis continues.

Additional context
Retries disabled so it doesn't take 15 hours. However, my logs are also showing this bug: #6531 (comment)

<configuration>
  <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
  <nodeAnalyzerEnabled>false</nodeAnalyzerEnabled>
  <failOnError>false</failOnError>
  <hintsFile>${project.basedir}/hints.xml</hintsFile>
  <nvdApiServerId>nvd</nvdApiServerId>
  <nvdMaxRetryCount>0</nvdMaxRetryCount>
  <ossIndexServerId>sonatype-ossindex</ossIndexServerId>
  <outputDirectory>${project.build.directory}/owasp-reports</outputDirectory>
  <suppressionFile>${project.basedir}/suppressions.xml</suppressionFile>
</configuration>
OrangeDog added the bug label Mar 21, 2024
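A CI-side check a defender might add while this bug is open, written here as an added example (not part of the issue or of the DependencyCheck project): it classifies a run from the log lines quoted above and refuses to treat an aborted run as a passing scan, which matters because the failOnError=false setting in the configuration above lets the build go green with no results. The default report file name is an assumption.

```python
import re
from pathlib import Path

# Constructed sample: the three log lines quoted in this issue, in the order they appear
SAMPLE_LOG = """\
[WARNING] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[ERROR] Unable to continue dependency-check analysis.
[ERROR] Fatal exception(s) analyzing Project
"""

UPDATE_FAILED = re.compile(r"^\[WARNING\] Unable to update .* using local data instead")
ANALYSIS_ABORTED = re.compile(r"^\[ERROR\] Unable to continue dependency-check analysis")


def classify_run(log_text: str) -> str:
    """Classify a dependency-check run from its log output.

    "fresh"              no update failure was logged
    "stale-but-scanned"  update failed, analysis continued on local data (intended)
    "aborted"            update failed and analysis stopped (the behaviour reported here)
    """
    lines = log_text.splitlines()
    if any(ANALYSIS_ABORTED.match(line) for line in lines):
        return "aborted"
    if any(UPDATE_FAILED.match(line) for line in lines):
        return "stale-but-scanned"
    return "fresh"


def scan_gate(log_text: str, report_dir: Path,
              report_name: str = "dependency-check-report.html") -> tuple:
    """Decide whether a build may treat this scan as having happened.

    With failOnError=false an aborted run still lets the build pass, so besides the
    log the gate requires the report file to exist. Returns (ok, reason).
    The default report name is an assumption about the plugin's output.
    """
    outcome = classify_run(log_text)
    report = report_dir / report_name
    if outcome == "aborted":
        return False, "analysis aborted after update failure; no results produced"
    if not report.is_file():
        return False, f"no report found at {report}"
    if outcome == "stale-but-scanned":
        return True, "scanned with stale local data; results may miss recent CVEs"
    return True, "scanned with fresh data"
```

Run it over the Maven log after `dependency-check:check` and fail the pipeline step when the first element of the returned tuple is False.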
@bmeier-pros

It's always worked this way in my experience - if it can't update the feed or any of the linked sources (OSSINDEX, hosted suppressions, whatever), the plugin errors out, killing the build. The message sequence has been the same in the past, first the warning, then the error.

I thought this was by design. :-) This is not a regression, but it certainly could be considered a bug.

@OrangeDog
Author

@bmeier-pros it is not by design: #6515 (comment)

@bmeier-pros

@OrangeDog very interesting. As far back as I can remember, at least to 6.x, this has been the way it's worked for our builds. We do have failOnError set to true, perhaps that is part of it.

@bmeier-pros

Our current configuration looks something like this:

dependencyCheck {
  failBuildOnCVSS = 4.0
  suppressionFiles = files("**/dependency-check-suppressions.xml")
  analyzers {
    experimentalEnabled = false
    centralEnabled = false // hardcoded to access Maven Central, which is disallowed
    assemblyEnabled = false // no .NET assemblies, avoid scanner failure
    nuspecEnabled = false // no nuget specs, avoid scanner failure
    ossIndex {
      enabled = true
    }
    retirejs {
      // Cached Retire JS repository
      retireJsUrl = "${cache}/raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json"
    }
    // Cached known exploited vulnerabilities
    knownExploitedURL = "${cache}/www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
  }
  nvd {
    delay = 5000
    maxRetryCount = 10
    nvdApiKey = System.getenv("NVD_API_KEY")
  }
  hostedSuppressions {
    // Cached hosted suppressions for false positives
    url = "${cache}/jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml"
  }
  scanConfigurations = ['runtimeClasspath', 'compileClasspath', 'annotationProcessor']
}

I'm attempting to update to 9.0.10 from 9.0.9 and getting all sorts of strange behavior.

@OrangeDog
Author

Yes, it's always been like this for me too. Since ~v4.

@jeremylong
Owner

In my limited spare time - I'm going to have to check the SQL statement used in

    try {
        ensureDataExists();
    } catch (NoDataException ex) {
        throwFatalExceptionCollection("Unable to continue dependency-check analysis.", ex, exceptions);
    }
