One of the actions we take to secure our Software Development Lifecycle is to scan the project dependencies we rely on for known vulnerabilities. There are multiple tools that can help you with this; on one of our projects we use OWASP Dependency Check.
OWASP Dependency Check is a free tool that uses the National Vulnerability Database (NVD) as its source of information.
The problem…
Last week when preparing a new release, the OWASP Dependency Check task in our build pipeline suddenly started to fail. In the logs we found the following information:
Starting: Dependency Check
==============================================================================
Task : OWASP Dependency Check
Description : Dependency Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.
Version : 6.2.3
Author : Dependency Check
Help : [More Information](https://github.com/dependency-check/azuredevops)
==============================================================================
Starting Dependency Check...
Setting report directory to D:\b\3\_work\274\TestResults\dependency-check
Creating report directory at D:\b\3\_work\274\TestResults\dependency-check
Downloading Dependency Check latest installer from GitHub..
Downloading ZIP from "https://github.com/jeremylong/DependencyCheck/releases/download/v11.1.1/dependency-check-11.1.1-release.zip"...
Dependency Check script set to D:\b\3\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.2.3\dependency-check\bin\dependency-check.bat
Invoking Dependency Check...
Path: D:\b\3\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.2.3\dependency-check\bin\dependency-check.bat
Arguments: --project "SOFA Core" --out "D:\b\3\_work\274\TestResults\dependency-check" --scan "D:\b\3\_work\274\s\SOFACore\**\*.csproj" --format HTML --format JUNIT --failOnCVSS 8 --nvdApiKey ***
C:\Windows\system32\cmd.exe /D /S /C "D:\b\3\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.2.3\dependency-check\bin\dependency-check.bat --version"
Dependency-Check Core version 11.1.1
Searching for left over lock files...
found no left over lock files, continuing...
C:\Windows\system32\cmd.exe /D /S /C "D:\b\3\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.2.3\dependency-check\bin\dependency-check.bat --project "SOFA Core" --out D:\b\3\_work\274\TestResults\dependency-check --scan D:\b\3\_work\274\s\SOFACore\**\*.csproj --format HTML --format JUNIT --failOnCVSS 8 --nvdApiKey ***"
[ERROR] Incompatible or corrupt database found. To resolve this issue please remove the existing database by running purge
[ERROR] One or more fatal errors occurred
[ERROR] Unable to connect to the dependency-check database
Dependency Check completed with exit code 13.
Dependency Check reports:
[]
Dependency Check failed with message "Dependency Check exited with an error code (exit code: 13)."
##[error]Dependency Check exited with an error code (exit code: 13).
Ending Dependency Check...
Finishing: Dependency Check
The solution
I took a look at the documentation on GitHub and noticed the following breaking change announced in version 11:
Breaking Changes in 11.0.0
- Java 11 is now required to run dependency-check 11.0.0 or higher
- H2 database upgrade
11.0.0 contains breaking changes using the local H2 database. A full download of the NVD data will occur. Note that if you are using a shared data directory the h2 database file is not compatible with older versions of dependency-check. If you run into problems you may need to run a purge:
- gradle: ./gradlew dependencyCheckPurge
- maven: mvn org.owasp:dependency-check-maven:9.0.0:purge
- cli: dependency-check.sh --purge
I logged in on the build server, browsed to the location where the tool was installed (you can find the correct path in the build logs) and executed the --purge action as suggested:
D:\b\3\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.2.3\dependency-check\bin>dependency-check.bat --purge
[INFO] Database file purged; local copy of the NVD has been removed
[INFO] RetireJS repo removed successfully
[INFO] Hosted suppression file removed successfully
[INFO] Cache directory purged
[INFO] OSS Cache directory purged
After the purge, a full download of the NVD data is needed, but once that completed the release pipeline continued successfully.
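Rather than fixing this by hand on the agent, the detect-purge-retry sequence above can be scripted around the CLI. The following is an added example, not code from the original post or from the Dependency Check project: it assumes the Linux/macOS `dependency-check.sh` launcher is on PATH (overridable via `DC_BIN`), and the sample log lines are constructed from the build log shown above.

```shell
#!/bin/sh
# Added example (not from the post or the project): wrap a dependency-check run so the
# H2 "incompatible or corrupt database" failure is detected from the tool's own output,
# the database is purged once, and the scan is retried.
# Assumption: dependency-check.sh is on PATH; override with DC_BIN.

DC_BIN="${DC_BIN:-dependency-check.sh}"
DC_PURGE_MSG='Incompatible or corrupt database found'

# True (exit 0) when the text on stdin contains the H2 incompatibility error.
needs_purge() {
    grep -q "$DC_PURGE_MSG"
}

# Run the scan; on the database error, purge (this also discards the local NVD copy,
# so a full re-download follows) and retry exactly once, so that a genuinely broken
# installation still fails the pipeline instead of looping. Arguments pass through.
scan_with_auto_purge() {
    log_file="$(mktemp)"
    rc=0
    "$DC_BIN" "$@" >"$log_file" 2>&1 || rc=$?
    cat "$log_file"
    if [ "$rc" -ne 0 ] && needs_purge <"$log_file"; then
        # Say loudly in the build log that the cached database was thrown away.
        echo "dependency-check: H2 database incompatible (exit $rc); running --purge and retrying once" >&2
        "$DC_BIN" --purge || { rm -f "$log_file"; return 1; }
        rc=0
        "$DC_BIN" "$@" || rc=$?
    fi
    rm -f "$log_file"
    return "$rc"
}

# Constructed samples: the failing run from the post, and a failure without that error.
SAMPLE_BROKEN='[ERROR] Incompatible or corrupt database found. To resolve this issue please remove the existing database by running purge
[ERROR] One or more fatal errors occurred
[ERROR] Unable to connect to the dependency-check database'
SAMPLE_OTHER='[ERROR] One or more fatal errors occurred
[ERROR] Unable to connect to the dependency-check database'

# Classify a captured log: prints "purge" when the purge is the documented fix,
# "investigate" for any other failure that should not be auto-remediated.
classify_log() {
    if printf '%s\n' "$1" | needs_purge; then echo purge; else echo investigate; fi
}

classify_log "$SAMPLE_BROKEN"   # purge
classify_log "$SAMPLE_OTHER"    # investigate
```

Only the specific H2 message triggers the purge; other exit-code-13 failures (for example the bare "Unable to connect" lines) are left for a human, since purging would hide them behind a long NVD re-download.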
More information
Understanding Supply-Chain Attacks and OWASP Dependency Check
OWASP Dependency Check - Improve update speed
Using OWASP Dependency Check in Azure DevOps for .NET applications
Using OWASP Dependency Check in Azure DevOps for Angular applications