ClassNotFoundException: IndexedDiskElementDescriptor #6021

Open
viktorgunnarson opened this issue Oct 27, 2023 · 1 comment
@viktorgunnarson

Describe the bug
Running mvn dependency-check:aggregate produced the following stacktrace although the check seems to have completed successfully:

[INFO] --- dependency-check:8.4.2:aggregate (default-cli) @ XXXX ---
[ERROR] {0}: Problem loading keys for file {1}
java.lang.ClassNotFoundException: org.apache.commons.jcs.auxiliary.disk.indexed.IndexedDiskElementDescriptor
    at org.codehaus.plexus.classworlds.strategy.SelfFirstStrategy.loadClass (SelfFirstStrategy.java:50)
    at org.codehaus.plexus.classworlds.realm.ClassRealm.unsynchronizedLoadClass (ClassRealm.java:271)
    at org.codehaus.plexus.classworlds.realm.ClassRealm.loadClass (ClassRealm.java:247)
    at org.codehaus.plexus.classworlds.realm.ClassRealm.loadClass (ClassRealm.java:239)
    at java.lang.Class.forName0 (Native Method)
    at java.lang.Class.forName (Class.java:467)
    at org.apache.commons.jcs3.io.ObjectInputStreamClassLoaderAware.resolveClass (ObjectInputStreamClassLoaderAware.java:37)
    at java.io.ObjectInputStream.readNonProxyDesc (ObjectInputStream.java:2034)
    at java.io.ObjectInputStream.readClassDesc (ObjectInputStream.java:1898)
    at java.io.ObjectInputStream.readOrdinaryObject (ObjectInputStream.java:2224)
    at java.io.ObjectInputStream.readObject0 (ObjectInputStream.java:1733)
    at java.io.ObjectInputStream.readObject (ObjectInputStream.java:509)
    at java.io.ObjectInputStream.readObject (ObjectInputStream.java:467)
    at java.util.HashMap.readObject (HashMap.java:1552)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:77)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:568)
    at java.io.ObjectStreamClass.invokeReadObject (ObjectStreamClass.java:1100)
    at java.io.ObjectInputStream.readSerialData (ObjectInputStream.java:2423)
    at java.io.ObjectInputStream.readOrdinaryObject (ObjectInputStream.java:2257)
    at java.io.ObjectInputStream.readObject0 (ObjectInputStream.java:1733)
    at java.io.ObjectInputStream.readObject (ObjectInputStream.java:509)
    at java.io.ObjectInputStream.readObject (ObjectInputStream.java:467)
    at org.apache.commons.jcs3.utils.serialization.StandardSerializer.deSerialize (StandardSerializer.java:77)
    at org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDisk.readObject (IndexedDisk.java:118)
    at org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache.loadKeys (IndexedDiskCache.java:315)
    at org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache.initializeStoreFromPersistedData (IndexedDiskCache.java:274)
    at org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache.initializeKeysAndData (IndexedDiskCache.java:239)
    at org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache.<init> (IndexedDiskCache.java:183)
    at org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCacheFactory.createCache (IndexedDiskCacheFactory.java:57)
    at org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCacheFactory.createCache (IndexedDiskCacheFactory.java:33)
    at org.apache.commons.jcs3.engine.control.CompositeCacheConfigurator.parseAuxiliary (CompositeCacheConfigurator.java:456)
    at org.apache.commons.jcs3.engine.control.CompositeCacheConfigurator.parseRegion (CompositeCacheConfigurator.java:240)
    at org.apache.commons.jcs3.engine.control.CompositeCacheConfigurator.parseRegion (CompositeCacheConfigurator.java:157)
    at org.apache.commons.jcs3.engine.control.CompositeCacheConfigurator.parseRegions (CompositeCacheConfigurator.java:135)
    at org.apache.commons.jcs3.engine.control.CompositeCacheManager.doConfigure (CompositeCacheManager.java:455)
    at org.apache.commons.jcs3.engine.control.CompositeCacheManager.configure (CompositeCacheManager.java:406)
    at org.apache.commons.jcs3.engine.control.CompositeCacheManager.configure (CompositeCacheManager.java:365)
    at org.apache.commons.jcs3.engine.control.CompositeCacheManager.configure (CompositeCacheManager.java:347)
    at org.apache.commons.jcs3.JCS.getCacheManager (JCS.java:117)
    at org.apache.commons.jcs3.JCS.getInstance (JCS.java:159)
    at org.owasp.dependencycheck.data.cache.DataCacheFactory.getPomCache (DataCacheFactory.java:155)
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.initialize (CentralAnalyzer.java:124)
    at org.owasp.dependencycheck.Engine.lambda$loadAnalyzers$1 (Engine.java:237)
    at java.util.ArrayList.forEach (ArrayList.java:1511)
    at org.owasp.dependencycheck.Engine.loadAnalyzers (Engine.java:236)
    at org.owasp.dependencycheck.Engine.initializeEngine (Engine.java:203)
    at org.owasp.dependencycheck.Engine.<init> (Engine.java:192)
    at org.owasp.dependencycheck.Engine.<init> (Engine.java:167)
    at org.owasp.dependencycheck.Engine.<init> (Engine.java:157)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.initializeEngine (BaseDependencyCheckMojo.java:2125)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1920)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:1112)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:126)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:328)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:316)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:212)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:174)
    at org.apache.maven.lifecycle.internal.MojoExecutor.access$000 (MojoExecutor.java:75)
    at org.apache.maven.lifecycle.internal.MojoExecutor$1.run (MojoExecutor.java:162)
    at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute (DefaultMojosExecutionStrategy.java:39)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:159)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:105)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:73)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:53)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:118)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:261)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:173)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:101)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:906)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:283)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:206)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:77)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:568)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:283)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:226)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:407)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:348)
[INFO] Checking for updates
[INFO] Download Started for NVD CVE - Modified
[INFO] Download Complete for NVD CVE - Modified  (771 ms)
[INFO] Processing Started for NVD CVE - Modified
[INFO] Processing Complete for NVD CVE - Modified  (6182 ms)
[INFO] Begin database maintenance
[INFO] Updated the CPE ecosystem on 130322 NVD records
[INFO] Removed the CPE ecosystem on 1 NVD records
[INFO] Cleaned up 3 orphaned NVD records
[INFO] End database maintenance (13623 ms)
[INFO] Updating CISA Known Exploited Vulnerability list: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
[INFO] Begin database defrag
[INFO] End database defrag (4875 ms)
[INFO] Check for updates complete (30440 ms)
[INFO] 

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


   About ODC: https://jeremylong.github.io/DependencyCheck/general/internals.html
   False Positives: https://jeremylong.github.io/DependencyCheck/general/suppression.html

💖 Sponsor: https://github.com/sponsors/jeremylong


[INFO] Analysis Started
[INFO] Finished Archive Analyzer (1 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (1 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Created CPE Index (2 seconds)
[INFO] Finished CPE Analyzer (5 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished RetireJS Analyzer (1 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (5 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Known Exploited Vulnerability Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Suppression Rule had zero matches: SuppressionRule{cve={CVE-2022-45688,}}
[INFO] Suppression Rule had zero matches: SuppressionRule{until=2023-11-01T00:00:00+01:00,cve={CVE-2023-43642,}}
[INFO] Suppression Rule had zero matches: SuppressionRule{cve={CVE-2023-42794,}}
[INFO] Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:maven/org\.json/json@20231013$, regex=true, caseSensitive=false},cve={CVE-2023-5072,}}
[INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[INFO] Analysis Complete (16 seconds)
[INFO] Writing report to: target/cve-report/dependency-check-report.xml
[INFO] Writing report to: target/cve-report/dependency-check-report.html
[INFO] Writing report to: target/cve-report/dependency-check-report.json
[INFO] Writing report to: target/cve-report/dependency-check-report.csv
[INFO] Writing report to: target/cve-report/dependency-check-report.sarif
[INFO] Writing report to: target/cve-report/dependency-check-jenkins.html
[INFO] Writing report to: target/cve-report/dependency-check-junit.xml
[INFO] Cache event queue destroyed: {0}
[INFO] Cache event queue destroyed: {0}
[INFO] Cache event queue destroyed: {0}
[ERROR] {0}: Not alive and dispose was called, filename: {1}
[ERROR] {0}: Not alive and dispose was called, filename: {1}
[ERROR] {0}: Not alive and dispose was called, filename: {1}
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  01:04 min
[INFO] Finished at: 2023-10-27T08:08:56+02:00
[INFO] ------------------------------------------------------------------------

Version of dependency-check used
The problem occurs using version 8.4.2 of the maven plugin.

@aikebah
Collaborator

aikebah commented Oct 28, 2023

Spotted the same on my system as well... on the first update after upgrading to 8.4.2.
It's related to the upgrade to JCSv3, but I did not spot it in subsequent runs (but have by now already fully purged my dependency-check data, as I wanted to check a case of too verbose logging, so can no longer validate locally).
Can you verify my assumption that this exception happens on the first run with a pre-8.4.2 data folder, but is gone afterwards, as by then the ODC data caches are properly readable the next time you run ODC?
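
An added diagnostic sketch, not part of the issue thread or the dependency-check project: one way to test the assumption above is to check whether cache index files in the data folder still carry serialized class descriptors from the JCS 2.x package `org.apache.commons.jcs.` named in the stack trace. The `*.key` file name pattern, the byte-scan heuristic and the sample blob are assumptions made for this example.

```python
import re
import struct
import sys
from pathlib import Path

# JCS 2.x package from the stack trace; JCS 3 classes live under "org.apache.commons.jcs3."
LEGACY_PREFIX = "org.apache.commons.jcs."
TC_CLASSDESC = b"\x72"  # Java serialization tag that precedes a class descriptor
CLASS_NAME = re.compile(r"(?:[A-Za-z_$][\w$]*\.)+[A-Za-z_$][\w$]*")

def class_names(blob):
    """Heuristic scan: collect names found in TC_CLASSDESC records of a serialized stream."""
    names, i = set(), blob.find(TC_CLASSDESC)
    while i >= 0:
        if i + 3 <= len(blob):
            (n,) = struct.unpack_from(">H", blob, i + 1)
            raw = blob[i + 3:i + 3 + n]
            # A descriptor is: tag, u2 length, name, then an 8-byte serialVersionUID.
            if 0 < n == len(raw) and i + 3 + n + 8 <= len(blob):
                name = raw.decode("ascii", errors="replace")
                if CLASS_NAME.fullmatch(name):
                    names.add(name)
        i = blob.find(TC_CLASSDESC, i + 1)
    return names

def legacy_classes(blob):
    return sorted(n for n in class_names(blob) if n.startswith(LEGACY_PREFIX))

def scan_data_dir(data_dir):
    """Map each *.key file (assumed JCS index file name) to the legacy classes it references."""
    hits = {}
    for key_file in sorted(Path(data_dir).rglob("*.key")):
        found = legacy_classes(key_file.read_bytes())
        if found:
            hits[key_file.name] = found
    return hits

def sample_key_blob(class_name):
    """Constructed sample, not a real key file: length header + stream with two descriptors."""
    def desc(name):
        return b"\x73\x72" + struct.pack(">H", len(name)) + name.encode() + bytes(8) + b"\x02\x00\x00"
    body = b"\xac\xed\x00\x05" + desc("java.util.HashMap") + desc(class_name)
    return struct.pack(">I", len(body)) + body

if __name__ == "__main__":
    data_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, classes in scan_data_dir(data_dir).items():
        print(f"{name}: references pre-JCS3 classes {classes}")
```

Run it against the dependency-check data folder before and after the first 8.4.2 run; an empty result on the second pass is consistent with the caches having been rewritten.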
