[Owasp_dependency_track_project] Dependency Track 1.0.1-SNAPSHOT not determining vulnerabilities

Seji Thomas vgthomas.seji at gmail.com
Thu Jul 13 15:37:36 UTC 2017


I tried deploying both the v1.0.0 GA release available for download on the
website and the v1.0.1-SNAPSHOT build (created locally using Maven). The
application deploys successfully, creates the H2-based CVE DB, and
downloads the NIST NVDCVE XML files.

After the application starts, I am able to log in, create applications and
components, and add a dependency. After adding the dependency, my expectation
was that the analysis would start and complete, showing the CVEs against the
newly added component. However, this did not happen, and in the app server
console I saw the following warning logged.

INFO [SimpleAsyncTaskExecutor-6]
org.owasp.dependencycheck.Engine.analyzeDependencies Analysis Starting

SEVERE [SimpleAsyncTaskExecutor-6]
org.owasp.dependencycheck.Engine.initializeAnalyzer Exception occurred
initializing CPE Analyzer.

WARNING [SimpleAsyncTaskExecutor-6]
org.owasp.dependencycheck.Engine.analyzeDependencies An unexpected error
occurred during analysis of 'NUL'

INFO [SimpleAsyncTaskExecutor-6]
org.owasp.dependencycheck.Engine.analyzeDependencies Analysis Complete

There is no further information available for troubleshooting the issue. I
thought it was something to do with creating a component whose vendor,
name, version and so on did not match the data in the NIST NVDCVE XML
files. Creating components that match perfectly and adding the dependency still
resulted in the same warning log, with no CVEs detected.

Were any steps in deployment or configuration missed? Any pointers to the
root cause of the problem are highly appreciated.
