Proxy Settings Issue After Upgrading from 10 to 12.1.0 #7485
The entire HTTP communication has switched to use Apache HTTPClient to allow harmonizing the proxy configuration to a single set that works for all parts. Before this, Dependency-Check was using a mixture of its own configuration and (within the clients for the OSSIndex API and NVD API) Apache HTTPClient. All of the standard system environment variables that are supported by Apache HTTPClient5 should work. See also the page on proxy configuration in GitHub Pages: https://dependency-check.github.io/DependencyCheck/data/proxy.html

Legacy configuration for proxies can be done, but it's better to use the documented new settings for the proxy, as there are external libraries in use for communication to NVD API and OSSIndex API that also take advantage of the http-proxy related system variables, whereas they cannot honor proxy settings that you set via the legacy proxy configs.
Thanks for your answer @aikebah. I am pretty sure that the option -DsuppressionFiles=http://xyz../publishedSuppressions.xml doesn't work with a proxy. I seriously tried all possible options, but nothing helped. NVD databases were downloaded successfully with the same options. Like I said, version 10 works well. When I have a corporate proxy set (without nonproxy), I should not be able to download suppressionFiles from internal servers. But it still works, as if the proxy settings do not affect this for -DsuppressionFiles. Maybe a change introduced in version 12.0.0 affected this behavior? Best regards!
It does work with a proxy, assuming they are not excluded from being proxied by some config setting. Apache HTTP Client 5 starts off from the standard Java ProxySelector when system properties are taken into account. Given the symptom you describe (internal hosts accessed directly despite you not setting a nonProxyHosts), there appears to be a system setting already excluding the internal hosts from the proxying.
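The check suggested by the comment above can be run directly. This is an added diagnostic, not part of the thread or of Dependency-Check: it asks the JVM's default `ProxySelector` which route it would pick for a URL under the proxy system properties actually in effect. The class name `ProxyCheck` and the hosts `internal.example` and `proxy.example` are placeholders.

```java
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.URI;

// Added diagnostic (not Dependency-Check code). Run it inside the same container
// and with the same JAVA_TOOL_OPTIONS the build uses, for example:
//   java -Dhttp.proxyHost=proxy.example -Dhttp.proxyPort=3128 ProxyCheck.java \
//        http://internal.example/publishedSuppressions.xml
public class ProxyCheck {

    // System properties read by the JDK's default ProxySelector.
    static final String[] PROPS = {
        "http.proxyHost", "http.proxyPort", "https.proxyHost", "https.proxyPort",
        "http.nonProxyHosts", "socksProxyHost", "java.net.useSystemProxies"
    };

    // Returns the route(s) the default ProxySelector chooses for this URI.
    static String describe(URI uri) {
        StringBuilder sb = new StringBuilder(uri + " ->");
        for (Proxy p : ProxySelector.getDefault().select(uri)) {
            if (p.type() == Proxy.Type.DIRECT) {
                sb.append(" DIRECT (proxy bypassed)");
            } else {
                InetSocketAddress a = (InetSocketAddress) p.address();
                sb.append(' ').append(p.type()).append(' ')
                  .append(a.getHostString()).append(':').append(a.getPort());
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Show what the JVM really received; null means "not set".
        for (String k : PROPS) {
            System.out.println(k + " = " + System.getProperty(k));
        }
        if (args.length == 0) {
            // Constructed sample URLs. With http.nonProxyHosts unset, the JDK
            // default (localhost|127.*|[::1]) still bypasses the proxy for localhost.
            args = new String[] {
                "http://localhost/publishedSuppressions.xml",
                "http://internal.example/publishedSuppressions.xml"
            };
        }
        for (String a : args) {
            System.out.println(describe(URI.create(a)));
        }
    }
}
```

A `DIRECT` result for the suppression file host means some property or system setting excludes it from proxying; a `null` for `http.proxyHost` means the option never reached the JVM.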
I was running a Docker container with a Maven image, and variables were passed correctly using options like -e JAVA_TOOL_OPTIONS. I also tried using MAVEN_OPTS. As I mentioned, the exact same configuration (only changing the version number from 10 to 12 and using a new data directory) stops working. I really don't see any error in the configuration. I checked the system proxy visibility using the env command, and everything looks fine. The process stops at:

I downloaded the publishedSuppressions.xml file locally and pointed to it manually - then it works. Can someone with a corporate proxy confirm if the proxy configuration actually works with suppressionFiles?
In my case, the process stopped at this step:

However, there is no error message because there is no timeout. I believe it got stuck due to a proxy issue or something else. EDIT:
Hello
Has anything been changed with the proxy settings? I am trying to upgrade the Maven plugin owasp-dependency-check from version 10 to 12.1.0.
I need to set -DsuppressionFiles=http://xyz../publishedSuppressions.xml. The previous settings with MAVEN_OPTS worked, but now they don't.
It also doesn't work when I add the proxy in the mvn command.
Other plugins are working correctly. I also had it set as JAVA_TOOLS_OPTIONS, but it didn't work. On the server, the access via proxy works correctly.
I found this issue #7072, but as I mentioned, none of the options work for me. The same works fine in version 10.
I see that there have been some recent changes related to proxy: https://github.com/dependency-check/DependencyCheck/blob/v12.1.0/CHANGELOG.md
Please verify.