Scan failing after 6 hours #178
Comments
Hi Lee! Thanks for the report. It would be reasonable to infer that if a web API is down, then it's down for all consumers. I'll leave the issue open for a while for visibility. But yes we should bump the core dependencies, regardless. Not good timing if my attempt would fail anyway due to the API downtime. Cheers - V |
Thanks for the reply @vemv! There seems to be more than one thing going on:
I tried bumping dependency-check to 10.0.0 in pomegranate and clj-yaml and observed what happened on GitHub Actions CI. So, it seems that bumping to 10.0.0 helps. That said... I am seeing quite a few lines like this in the logs:
I assume that the scan download work recovers from these errors because the overall operation does not fail, but I could be wrong. (I also adjusted our CI jobs to actually properly cache the db.) |
Ah, the example of ERROR log lines I showed above was an accident and can be ignored and is fixed in 10.0.1: |
@vemv update from the field: dependency-check 10.0.1 seems to be working well enough. |
Thanks! Let's see if I can update the core dep asap. Please nudge me if I don't. |
I can confirm that I had this same issue and overriding the dependency-check dep to 10.0.1 also fixes it for me. |
I just tried 10.0.2 with clj-yaml locally and in clj-commons/clj-yaml#129. |
Thanks for the notes! I'd recommend to override the dep as I can't guarantee that I'll be able to cut a release soon. Most times it's as easy as that. (there are other unrelated TODOs which is why I'm delaying a release) |
* Update deps * Disable NVD check until tool fixed See also: rm-hull/nvd-clojure#178
Workaround rm-hull/nvd-clojure#178
Updates from the field: I've updated dependency-check to |
- fix clojure tools installation - add workaround for NVD clojure bug rm-hull/nvd-clojure#178 - upgrade buddy-sign
how do you bump the dependency check locally?
But now I am getting Anyone have an example of a fully working setup? |
You can view dependency-check-core's dependencies in: https://mvnrepository.com/artifact/org.owasp/dependency-check-core/10.0.3 You can declare them explicitly in that project.clj or exclude conflicting dependencies using
(do this only for log4j stuff) This is a quite common thing to do in Clojure projects. Anyway feel free to share the result once you get it working.
(and apologies for my limited availability - I've been sprinting at work for a long while) |
@falcowinkler This worked for me:
|
If we're installing nvd-clojure as a Clojure Tool, what is the right method to override the dependency-check-core and slf4j dependencies? |
Thanks @solita-antti-mottonen, the setup works perfectly now. |
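As an added example (not code from this thread or from the nvd-clojure project), this is what the override vemv describes above looks like in a tools.deps deps.edn kept in a dedicated directory for the scanner. The nvd-clojure 4.0.0 and dependency-check-core 10.0.1 versions are the ones named in the thread; the directory layout and the log4j coordinates in the exclusions are assumptions.

```clojure
;; deps.edn -- added example, not from the thread or the nvd-clojure project.
;; Assumptions: a dedicated scanner directory, and that the conflicting
;; logging artifacts are log4j-api/log4j-core (check `clojure -Stree`).
{:deps
 {;; tools.deps lets top-level entries win over transitive ones, so this
  ;; pin replaces the older dependency-check-core that nvd-clojure 4.0.0
  ;; pulls in, which is the workaround reported as working in the thread.
  org.owasp/dependency-check-core {:mvn/version "10.0.1"}

  ;; The scanner itself. Only logging artifacts are excluded, following
  ;; vemv's advice to do this "only for log4j stuff".
  nvd-clojure/nvd-clojure {:mvn/version "4.0.0"
                           :exclusions [org.apache.logging.log4j/log4j-api
                                        org.apache.logging.log4j/log4j-core]}}}

;; Before running a scan, confirm which version actually resolved:
;;   clojure -Stree | grep dependency-check-core
;; The output should list 10.0.1 and no second dependency-check-core entry.
```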
Description
I use nvd-clojure on CI on clj-yaml and pomegranate.
Since June 28th, these nvd scans are failing after 6h or so.
In nvd-clojure logs I see plenty of:
It seems that many folks are reporting connectivity issues at DependencyCheck. I'm not sure, but it might be that NIST data feeds are misbehaving these days.
I experimented on clj-yaml by bumping org.owasp/dependency-check-core to version 10.0.0. And it might have helped. Then again I might have just gotten lucky.
But... It probably would not hurt to bump dependency-check to 10.0.0 in nvd-clojure.
Version
4.0.0
Java version
Was running:
openjdk version "11.0.23" 2024-04-16
OpenJDK Runtime Environment Temurin-11.0.23+9 (build 11.0.23+9)
OpenJDK 64-Bit Server VM Temurin-11.0.23+9 (build 11.0.23+9, mixed mode)
Switched to jdk21 when I bumped DependencyCheck:
openjdk 21.0.3 2024-04-16 LTS
OpenJDK Runtime Environment Temurin-21.0.3+9 (build 21.0.3+9-LTS)
OpenJDK 64-Bit Server VM Temurin-21.0.3+9 (build 21.0.3+9-LTS, mixed mode, sharing)
Installation compliance