maven-dependency-check-plugin

dependency-check: retry mechanism for Sonatype OSS Index Analyser


I have temporary problems with the Sonatype OSS index analyser. I am very sure that it is due to our proxy in the company I have to go through. Some of the requests fail:

15:25:48  13:25:48.165 [WARN] [org.owasp.dependencycheck.AnalysisTask] An error occurred while analyzing '/tmp/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.7/dda059f4908e1b548b7ba68d81a3b05897f27cb0/httpclient-4.5.7.jar' (Sonatype OSS Index Analyzer).
15:25:48  13:25:48.166 [DEBUG] [org.owasp.dependencycheck.AnalysisTask] 
15:25:48  org.owasp.dependencycheck.analyzer.exception.AnalysisException: Failed to request component-reports
15:25:48    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:149)
15:25:48    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
15:25:48    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
15:25:48    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
15:25:48    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
15:25:48    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
15:25:48    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
15:25:48    at java.lang.Thread.run(Thread.java:748)
15:25:48  Caused by: java.net.SocketException: Connection reset

The next request is fine:

15:25:48  13:25:48.166 [DEBUG] [org.owasp.dependencycheck.AnalysisTask] Begin Analysis of '/tmp/caches/modules-2/files-2.1/commons-io/commons-io/2.6/815893df5f31da2ece4040fe0a12fd44b577afaf/commons-io-2.6.jar' (Sonatype OSS Index Analyzer)

But the whole build failed because of one failed request. Is it possible to create a mirror of the Sonatype OSS index or set a retry value?


Solution

  • I solved my problem. The solution was to put the bouncycastle jar into the JAVA JRE as described here: ECDHE cipher suites not supported on OpenJDK 8 installed on EC2 Linux machine

    But maybe a retry mechanism for Sonatype OSS Index Analyser is still a good idea.
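A bounded retry of the kind the question asks for, as an added example that is not part of dependency-check or of this thread; the class, its `warnOnly` switch and the simulated request are hypothetical. It retries only the transient network errors seen in the log (connection reset, timeout) with exponential backoff, never retries other failures, and can downgrade a final failure to a warning so one unreachable lookup does not fail the whole build.

```java
import java.net.SocketException;
import java.net.SocketTimeoutException;
import java.util.concurrent.Callable;

// Hypothetical retry wrapper (not dependency-check's own code) for a remote lookup
// such as the OSS Index component-report request in the question.
public final class TransientRetry {

    /** Runs the request; returns its value, or null when warnOnly turns a final failure into a warning. */
    public static <T> T callWithRetry(Callable<T> request, int maxAttempts,
                                      long initialBackoffMillis, boolean warnOnly) throws Exception {
        if (maxAttempts < 1) throw new IllegalArgumentException("maxAttempts must be >= 1");
        long backoff = initialBackoffMillis;
        Exception last = null;
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                return request.call();
            } catch (SocketException | SocketTimeoutException e) {
                // "Connection reset" and read timeouts are transient: back off, then try again.
                last = e;
                System.err.printf("attempt %d/%d failed: %s%n", attempt, maxAttempts, e);
                if (attempt < maxAttempts) {
                    Thread.sleep(backoff);
                    backoff = Math.min(backoff * 2, 30_000L); // cap the backoff at 30 s
                }
            }
            // Any other exception (bad credentials, malformed response) propagates unretried.
        }
        if (warnOnly) {
            // Keep the build going but make the gap visible in the log.
            System.err.println("giving up after " + maxAttempts + " attempts, continuing with a warning: " + last);
            return null;
        }
        throw last;
    }

    public static void main(String[] args) throws Exception {
        int[] calls = {0};
        // Constructed stand-in for the remote call: fails twice with the error from the log, then succeeds.
        Callable<String> flaky = () -> {
            if (++calls[0] < 3) throw new SocketException("Connection reset");
            return "component-report for httpclient-4.5.7.jar";
        };
        System.out.println(callWithRetry(flaky, 3, 200L, true));
    }
}
```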