Not being able to authenticate for central.content.url and analyzer.central.url

[drijkersbq]

Describe the bug
Our CICD can't access the internet directly. Therefore we use an intermediate Artifactory which can do so. We use this Artifactory with the following properties:

• central.content.url
• analyzer.central.url

However, since version 11.0.0 our current setup became unusable, because it doenst support UserInfo in the URI anymore. Our Artifactory requires authentication, so the URI we set for the 'central.content.url' and 'analyzer.central.url' looks like this:
https://:<ENCRYPTED_PASSWORD>@<HOST_NAME>/artifactory/repo1/

This worked fine in previous versions before 11.0.0, and we dont see any other option to set authentication for these two url properties with the use of other properties.

Version of dependency-check used
11.0.0 via the owasp/dependency-check-action:latest Docker image

Log file
[INFO] Analysis Started
[INFO] Finished Archive Analyzer (4 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (1 seconds)
[ERROR] Could not connect to Central search. Analysis failed.
java.io.IOException: Finally failed connecting to Central search. Giving up after 7 tries.
at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts(CentralAnalyzer.java:362)
at org.owasp.dependencycheck.analyzer.CentralAnalyzer.analyzeDependency(CentralAnalyzer.java:228)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
at java.base/java.lang.Thread.run(Thread.java:1583)
Caused by: org.apache.hc.client5.http.ClientProtocolException: Request URI authority contains deprecated userinfo component
at org.apache.hc.client5.http.impl.classic.InternalHttpClient.doExecute(InternalHttpClient.java:177)
at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:245)
at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:188)
at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:162)
at org.owasp.dependencycheck.utils.Downloader.fetchAndHandle(Downloader.java:568)
at org.owasp.dependencycheck.data.central.CentralSearch.searchSha1(CentralSearch.java:179)
at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts(CentralAnalyzer.java:339)
... 8 common frames omitted
Caused by: org.apache.hc.core5.http.ProtocolException: Request URI authority contains deprecated userinfo component
at org.apache.hc.client5.http.impl.classic.ProtocolExec.execute(ProtocolExec.java:145)
at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
at org.apache.hc.client5.http.impl.classic.ContentCompressionExec.execute(ContentCompressionExec.java:150)
at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
at org.apache.hc.client5.http.impl.classic.HttpRequestRetryExec.execute(HttpRequestRetryExec.java:113)
at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
at org.apache.hc.client5.http.impl.classic.RedirectExec.execute(RedirectExec.java:110)
at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
at org.apache.hc.client5.http.impl.classic.InternalHttpClient.doExecute(InternalHttpClient.java:174)
... 14 common frames omitted
[WARN] An error occurred while analyzing '/builds/PST/webservices/sequencenumber-webservice/input/findsecbugs-plugin-1.13.0.jar' (Central Analyzer).

To Reproduce
Steps to reproduce the behavior:

1. Make use of the owasp/dependency-check-action:latest Docker
2. Set the scan to use custom properties file
3. Add both a custom 'central.content.url' and 'analyzer.central.url' with use of the UserInfo component in the url.
4. Run the scan

Expected behavior
The scan can connect to the Artifactory as it could before version 11.0.0

[aikebah]

As you use Artifactory it would seem more logical to use the ArtifactoryAnalyzer and disable the CentralAnalyzer.

(Nevertheless it was unexpected that the URL you used is no longer working as it worked in the past)

[drijkersbq]

@aikebah A bit of background context: When not using the Maven Central analysis we receive a lot of false positive CVE's during our scans. For example when using the argument '-disableCentral'. Enabling the Maven Central analysis makes sure these false positives are detected properly by the scan and they do not get reported.

Now thanks to this issue with the url authentication, the Maven Central analysis does not get run, and we end up with the same false positives as when the Maven Central analysis is disabled.

We have configured the Artifactory analysis as suggested, which does seem to run, because it outputs this line:
"[INFO] Finished Artifactory Analyzer (2 seconds)"

However, the same false positives remain. So this Artifactory analysis does not seem to resemble the Maven Central analysis in functionality, by correcting the false positives.

To be sure the Artifactory analysis is actually run we have also tried to run it with invalid credentials in the "analyzer.artifactory.api.username" and "analyzer.artifactory.api.token" properties, resulting in a scan that cannot successfully finish the Artifactory analysis step.

[volkert-fastned]

It also affects the Gradle plugin. I opened a broader issue with this same underlying cause. See #7131

[drijkersbq]

I have created a PR that adds additional properties to be able to authenticate for these two urls:
jeremylong/DependencyCheck#7169

[volkert-fastned]

Great work! Will this be picked up by both the Maven and Gradle plugins?

[volkert-fastned]

@drijkersbq By the way, there are three URLs:

• RetireJS (jsrepository.json)
• knownExploitedURL (known_exploited_vulnerabilities.json)
• hostedSuppressions (publishedSuppressions.xml)

[drijkersbq]

@volkert-fastned About Maven and Gradle plugins; Haven't tested as we dont use these (we just use the docker image) but I think it should work. The changes are made primarily in the Settings and Downloader class. In the Settings class I've added two sets of username/password properties to work alongside the 'central.content.url' and 'analyzer.central.url' properties. These are being picked up by the Downloader class when fetching and downloading files. As long as the maven/gradle plugins correctly can set these properties it should work.

About the three urls you mention; the only changes i've made are specifically for the issue about not being able to authenticate for 'central.content.url' and 'analyzer.central.url'. Although I did notice that for the RetireJS and hostedSuppressions which you mention there already are username/password properties available:

• analyzer.retirejs.repo.js.username
• analyzer.retirejs.repo.js.password
• hosted.suppressions.user
• hosted.suppressions.password

Edit: going by the reply of aikebah in the PR, i dont think it will work out of the gate for the maven and gradle plugins