
OWASP Dependency Check error - Incompatible or corrupt database found.

One of the actions we take to secure our Software Development Lifecycle is to scan the project dependencies we rely on for known vulnerabilities. There are multiple tools out there that can help you with this. On one of our projects we are using OWASP Dependency Check.

OWASP Dependency Check is a free tool that uses the National Vulnerability Database (NVD) as its source of information.

The problem…

Last week when preparing a new release, the OWASP Dependency Check task in our build pipeline suddenly started to fail. In the logs we found the following information:

```text
Starting: Dependency Check
==============================================================================
Task : OWASP Dependency Check
Description : Dependency Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.
Version : 6.2.3
Author : Dependency Check
Help : [More Information](https://github.com/dependency-check/azuredevops)
==============================================================================
Starting Dependency Check...
Setting report directory to D:\b\3\_work\274\TestResults\dependency-check
Creating report directory at D:\b\3\_work\274\TestResults\dependency-check
Downloading Dependency Check latest installer from GitHub..
Downloading ZIP from "https://github.com/jeremylong/DependencyCheck/releases/download/v11.1.1/dependency-check-11.1.1-release.zip"...
Dependency Check script set to D:\b\3\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.2.3\dependency-check\bin\dependency-check.bat
Invoking Dependency Check...
Path: D:\b\3\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.2.3\dependency-check\bin\dependency-check.bat
Arguments: --project "SOFA Core" --out "D:\b\3\_work\274\TestResults\dependency-check" --scan "D:\b\3\_work\274\s\SOFACore\**\*.csproj" --format HTML --format JUNIT --failOnCVSS 8 --nvdApiKey ***
C:\Windows\system32\cmd.exe /D /S /C "D:\b\3\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.2.3\dependency-check\bin\dependency-check.bat --version"
Dependency-Check Core version 11.1.1
Searching for left over lock files...
found no left over lock files, continuing...
C:\Windows\system32\cmd.exe /D /S /C "D:\b\3\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.2.3\dependency-check\bin\dependency-check.bat --project "SOFA Core" --out D:\b\3\_work\274\TestResults\dependency-check --scan D:\b\3\_work\274\s\SOFACore\**\*.csproj --format HTML --format JUNIT --failOnCVSS 8 --nvdApiKey ***"
[ERROR] Incompatible or corrupt database found. To resolve this issue please remove the existing database by running purge
[ERROR] One or more fatal errors occurred
[ERROR] Unable to connect to the dependency-check database
Dependency Check completed with exit code 13.
Dependency Check reports:
[]
Dependency Check failed with message "Dependency Check exited with an error code (exit code: 13)."
##[error]Dependency Check exited with an error code (exit code: 13).
Ending Dependency Check...
Finishing: Dependency Check
```

The solution

I took a look at the documentation on GitHub and noticed the following breaking change that was announced in version 11:

Breaking Changes in 11.0.0

  • Java 11 is now required to run dependency-check 11.0.0 or higher
  • H2 database upgrade

11.0.0 contains breaking changes using the local H2 database. A full download of the NVD data will occur. Note that if you are using a shared data directory the h2 database file is not compatible with older versions of dependency-check. If you run into problems you may need to run a purge:

    • gradle: ./gradlew dependencyCheckPurge
    • maven: mvn org.owasp:dependency-check-maven:9.0.0:purge
    • cli: dependency-check.sh --purge

I logged in on the build server, browsed to the location where the tool was installed (you can find the correct path in the build logs) and executed the --purge action as suggested:

```text
D:\b\3\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.2.3\dependency-check\bin>dependency-check.bat --purge
[INFO] Database file purged; local copy of the NVD has been removed
[INFO] RetireJS repo removed successfully
[INFO] Hosted suppression file removed successfully
[INFO] Cache directory purged
[INFO] OSS Cache directory purged
```

After doing that, a full download of the NVD data is needed, but once that had completed my release pipeline continued successfully.
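The manual fix above can also be scripted so nobody has to log in on the build server the next time the H2 database becomes incompatible. The PowerShell step below is an added example, not code from this post or from the Dependency Check project: it runs the CLI with the same arguments as the pipeline log above, and only when the run ends with exit code 13 together with the database error message does it run --purge once and retry. The -DependencyCheckBat path (take it from the "Dependency Check script set to" line of your own log), the NVD_API_KEY environment variable, and the Azure Pipelines variables BUILD_SOURCESDIRECTORY and COMMON_TESTRESULTSDIRECTORY standing in for the D:\b\3\_work\274\... paths are assumptions of this example.

```powershell
# Added example, not code from the blog post or from the Dependency Check project.
# Wraps dependency-check.bat in an Azure Pipelines PowerShell step so that the
# failure shown in the build log above (exit code 13 plus the
# "Incompatible or corrupt database found" message) triggers one --purge and a
# single retry, instead of someone logging in on the build server.
# Assumptions: the $DependencyCheckBat path (from the "Dependency Check script set
# to" line of your own log), the NVD_API_KEY secret mapped to an environment
# variable, and the pipeline variables BUILD_SOURCESDIRECTORY /
# COMMON_TESTRESULTSDIRECTORY standing in for the D:\b\3\_work\274\... paths.
param(
    [Parameter(Mandatory = $true)]
    [string]$DependencyCheckBat
)

# Same scan arguments as in the pipeline log above.
$scanArgs = @(
    '--project', 'SOFA Core',
    '--out',  (Join-Path $env:COMMON_TESTRESULTSDIRECTORY 'dependency-check'),
    '--scan', (Join-Path $env:BUILD_SOURCESDIRECTORY 'SOFACore\**\*.csproj'),
    '--format', 'HTML',
    '--format', 'JUNIT',
    '--failOnCVSS', '8'
)
if ($env:NVD_API_KEY) { $scanArgs += @('--nvdApiKey', $env:NVD_API_KEY) }

# Markers copied from the failing log; either one means the local H2 database is unusable.
$corruptDbMarkers = @(
    'Incompatible or corrupt database found',
    'Unable to connect to the dependency-check database'
)

function Invoke-DependencyCheck {
    param([string[]]$Arguments)
    # Native stderr merged into stdout becomes error records; keep them from
    # terminating the script under the PowerShell task's default ErrorActionPreference=Stop.
    $ErrorActionPreference = 'Continue'
    $output = & $DependencyCheckBat @Arguments 2>&1 | ForEach-Object { "$_" }
    $output | ForEach-Object { Write-Host $_ }   # echo the tool output into the build log
    return [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = $output }
}

function Test-CorruptDatabase {
    param([int]$ExitCode, [string[]]$Output)
    # Exit code 13 alone is not specific enough; require the database message as well.
    if ($ExitCode -ne 13) { return $false }
    foreach ($marker in $corruptDbMarkers) {
        if (@($Output | Where-Object { $_.Contains($marker) }).Count -gt 0) { return $true }
    }
    return $false
}

$result = Invoke-DependencyCheck -Arguments $scanArgs

if (Test-CorruptDatabase -ExitCode $result.ExitCode -Output $result.Output) {
    Write-Host '##[warning]Incompatible or corrupt dependency-check database; running --purge and retrying once.'
    # --purge removes the local NVD copy (see the [INFO] lines above), so the retry
    # performs a full NVD download and takes noticeably longer than a normal run.
    & $DependencyCheckBat --purge
    if ($LASTEXITCODE -ne 0) { throw "dependency-check.bat --purge failed with exit code $LASTEXITCODE" }
    $result = Invoke-DependencyCheck -Arguments $scanArgs
}

if ($result.ExitCode -ne 0) {
    throw "Dependency Check exited with an error code (exit code: $($result.ExitCode))"
}
```

Run it as a PowerShell step with -DependencyCheckBat pointing at the unpacked CLI. The retry is limited to one purge on purpose: if the second run still fails, the cause is not the local database and the build should fail loudly rather than keep re-downloading the NVD. If your agents share a data directory, keep the release note above in mind: a purge removes the database for every consumer of that directory, and the rebuilt H2 file cannot be used by older dependency-check versions.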

More information

Understanding Supply-Chain Attacks and OWASP Dependency Check

OWASP Dependency Check - Improve update speed

Using OWASP Dependency Check in Azure DevOps for .NET applications

Using OWASP Dependency Check in Azure DevOps for Angular applications

NVD – Home

OWASP Dependency-Check | OWASP Foundation
