Resolving #4044

Closed
mebigfatguy opened this issue Feb 5, 2022 · 4 comments
@mebigfatguy

I'm using dependency check 6.5.1 in a jenkins environment and hitting the

Could not connect to Central search. Analysis failed.

error, as I see was talked about here: #1081

but seemingly fixed a long time ago.

It works periodically, but many times we get these errors, and the builds take at least a day to finish because of the network hangs.

Is there a way to tell dependency check to fail as soon as the first occurrence of this is found, rather than trying every single jar?

I see that the NVD database got downloaded successfully

[2022-02-05T18:33:57.530Z] [dependency-check] Download Started for NVD CVE - 2005

[2022-02-05T18:33:58.529Z] [dependency-check] Download Complete for NVD CVE - 2005  (1050 ms)

so I assume mirroring the NVD as described won't do anything for me. Any insights?

@jeremylong
Owner

best option would be to use the maven or gradle plugins rather than the command line. It wouldn't be hard to write a script to detect if the project is maven or gradle and call the plugin by name for maven or possibly using an init script for the gradle projects (so you don't have to modify the build files). The maven and gradle plugins do not require the use of the central analyzer.

An alternative would be to disable the central analyzer - as the documentation states this might increase false negatives and false positives...

@jeremylong
Owner

As an example one could use the following three files in a build pipeline (note - the script should be updated to be a bit more robust, this is just a sample):

run-odc.sh

```sh
#!/usr/bin/env sh

if [ -f "./pom.xml" ]; then
  mvn org.owasp:dependency-check-maven:6.5.3:aggregate
elif [ -f "./build.gradle" ]; then
  if [ -f "./gradlew" ]; then
    ./gradlew --init-script run-odc.gradle dependencyCheckAggregate --info
  else
    gradle --init-script run-odc.gradle dependencyCheckAggregate --info
  fi
elif [ -f "./build.gradle.kts" ]; then
  if [ -f "./gradlew" ]; then
    ./gradlew --init-script run-odc.gradle.kts dependencyCheckAggregate --info
  else
    gradle --init-script run-odc.gradle.kts dependencyCheckAggregate --info
  fi
else
  ## run the cli or dockerized dependency-check
  dependency-check.sh -s . -o .
fi
```

run-odc.gradle

```groovy
initscript {
  repositories {
    maven {
      url "https://plugins.gradle.org/m2/"
    }
  }
  dependencies {
    classpath "org.owasp:dependency-check-gradle:6.5.3"
  }
}
rootProject {
  apply plugin: org.owasp.dependencycheck.gradle.DependencyCheckPlugin
  dependencyCheck {
    format='ALL'
  }
}
```

run-odc.gradle.kts

```kotlin
initscript {
  repositories {
    maven {
      url = uri("https://plugins.gradle.org/m2/")
    }
  }
  dependencies {
    classpath("org.owasp:dependency-check-gradle:6.5.3")
  }
}
rootProject {
  apply<org.owasp.dependencycheck.gradle.DependencyCheckPlugin>()
  configure<org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension> {
    format = org.owasp.dependencycheck.reporting.ReportGenerator.Format.ALL
  }
}
```

@mebigfatguy
Author

mebigfatguy commented Feb 6, 2022

Yeah, I should have mentioned at first that this is Ant based. Is there any doc on how the central analyser works? We do have an internal mirroring Maven repo (Archiva), so maybe we could point the analyser at that internal mirror rather than Central, and maybe that would help things.

@jeremylong
Owner

The CentralAnalyzer does a search by SHA1 to obtain the coordinates (group, artifact, version) and if the pom.xml exists it will download the file and extract any evidence needed to identify a CPE. There is a nexus analyzer and a central analyzer - but no one has built one for archiva.
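The lookup described in the comment above, as an added illustration that is not dependency-check's own code: hash the jar, ask the Central search API which coordinates carry that SHA1, and derive the pom location from the result. The search endpoint and the `q=1:"<sha1>"` query shape are the public Maven Central search API as I know it; the jar bytes and the two JSON replies are constructed samples so the script runs offline, and `resolve()` takes the reply as an argument instead of doing the network round trip.

```python
import hashlib
import json
from typing import Dict, List
from urllib.parse import quote

# Maven Central's search endpoint; the query shape (q=1:"<sha1>") is the
# public search API as assumed here, not copied from dependency-check.
CENTRAL_SEARCH = "https://search.maven.org/solrsearch/select"
# Standard repository layout, used to locate the pom once GAV is known.
REPO_BASE = "https://repo1.maven.org/maven2"

# Constructed sample input: a few bytes standing in for a jar on the classpath.
FAKE_JAR_BYTES = b"PK\x03\x04 constructed sample, not a real jar"

# Constructed sample replies shaped like a Solr JSON response: one hit / no hit.
SAMPLE_HIT = json.dumps({
    "response": {"numFound": 1, "docs": [
        {"id": "org.example:demo-lib:1.2.3", "g": "org.example",
         "a": "demo-lib", "v": "1.2.3", "p": "jar"}]}})
SAMPLE_MISS = json.dumps({"response": {"numFound": 0, "docs": []}})


def sha1_of(data: bytes) -> str:
    """Hex SHA1 of a file's bytes; the analyzer keys its lookup on this value."""
    return hashlib.sha1(data).hexdigest()


def central_query_url(sha1_hex: str, rows: int = 20) -> str:
    """Build the query that asks Central which artifacts carry this SHA1."""
    q = quote(f'1:"{sha1_hex}"', safe="")
    return f"{CENTRAL_SEARCH}?q={q}&rows={rows}&wt=json"


def coordinates_from_response(body: str) -> List[Dict[str, str]]:
    """Pull (group, artifact, version) out of a search reply; [] when nothing matched."""
    docs = json.loads(body).get("response", {}).get("docs", [])
    return [{"group": d["g"], "artifact": d["a"], "version": d["v"]}
            for d in docs if all(k in d for k in ("g", "a", "v"))]


def pom_url(group: str, artifact: str, version: str) -> str:
    """Where the matching pom lives in the standard repository layout."""
    return (f"{REPO_BASE}/{group.replace('.', '/')}/{artifact}/{version}/"
            f"{artifact}-{version}.pom")


def resolve(jar_bytes: bytes, response_body: str) -> List[str]:
    """End to end: hash -> query -> coordinates -> pom URLs to fetch for evidence.
    The HTTP call is replaced by the supplied reply so this runs offline."""
    digest = sha1_of(jar_bytes)
    _url = central_query_url(digest)  # what would be requested over the network
    return [pom_url(c["group"], c["artifact"], c["version"])
            for c in coordinates_from_response(response_body)]


if __name__ == "__main__":
    print(central_query_url(sha1_of(FAKE_JAR_BYTES)))
    print(resolve(FAKE_JAR_BYTES, SAMPLE_HIT))   # one pom to download
    print(resolve(FAKE_JAR_BYTES, SAMPLE_MISS))  # [] -> no Central evidence for this jar
```

Two separate network steps are visible here: the hash search and the pom download. That is why a plain mirror of the repository layout is not a drop-in replacement for the analyzer: it can serve the pom fetch, but the analyzer also needs somewhere to send the SHA1 search, which is the part an Archiva-specific analyzer would have to provide. The miss case returning an empty list is the normal outcome for internal or shaded jars, not an error; the connection failures in the original report are a different condition.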
