OSSIndex API errors out on HTTP 500 with payload requesting report for an old jgroups version
aikebah opened this issue · 5 comments
As reported by a user of OWASP dependency-check (jeremylong/DependencyCheck#5154 (comment)) the OSSIndex API errors out (internal server error) on retrieval of a component-report of jgroups 2.6.21.Final.
[DEBUG] OSS Index Analyzer submitting: [pkg:maven/org.jgroups/jgroups@2.6.21.Final]
[DEBUG] Requesting 1 component-reports
[DEBUG] Requesting 1 un-cached component-reports
[DEBUG] POST https://ossindex.sonatype.org/api/v3/component-report; payload: {"coordinates":["pkg:maven/org.jgroups/jgroups@2.6.21.Final"]} (application/vnd.ossindex.component-report-request.v1+json); accept: application/vnd.ossindex.component-report.v1+json
[DEBUG] Connecting to: https://ossindex.sonatype.org/api/v3/component-report
[DEBUG] Error requesting component reports
org.sonatype.ossindex.service.client.transport.Transport$TransportException: Unexpected response; status: 500
    at org.sonatype.ossindex.service.client.transport.HttpUrlConnectionTransport.post (HttpUrlConnectionTransport.java:106)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.doRequestComponentReports (OssindexClientImpl.java:204)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.requestComponentReports (OssindexClientImpl.java:170)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.requestReports (OssIndexAnalyzer.java:217)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:134)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1136)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:635)
    at java.lang.Thread.run (Thread.java:833)
This issue can be seen in the OSS Index site using: https://ossindex.sonatype.org/search?type=&q=pkg%3Amaven%2Forg.jgroups%2Fjgroups%402.6.17.GA
@aikebah interestingly https://ossindex.sonatype.org/component/pkg:maven/org.jgroups/jgroups works. So it is definitely the version number that is throwing this off. I'm not sure what versions they are listing on the page as I do not have an account and the registration fails with a 500 for me.
Actually - after logging in I was able to find the version 2.16.7.GA in the list. But if you click the link it takes you to a 500 error.
So - half a year later this issue still persists even when going via the website at
https://ossindex.sonatype.org/component/pkg:maven/org.jgroups/jgroups
and clicking on the 2.6.21.Final, it leads to a 500 error on
https://ossindex.sonatype.org/component/pkg:maven/org.jgroups/jgroups@2.6.21.Final
@sonatype-zion has this project been abandoned?
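Added example, not code from dependency-check or the OSS Index client: one way a scanner can keep a coordinate that triggers the HTTP 500 above from being silently counted as clean, by bisecting a failing batch and reporting the isolated coordinate as not analyzed. It generalizes the single-coordinate request in the log to a batch; the `post` transport, `fetch_reports`, `fake_post`, the `com.example` coordinates and the stub's response body are assumptions made for illustration.

```python
import json
from typing import Callable, Dict, List, Tuple

URL = "https://ossindex.sonatype.org/api/v3/component-report"  # from the log above
HEADERS = {  # media types as shown in the log above
    "Content-Type": "application/vnd.ossindex.component-report-request.v1+json",
    "Accept": "application/vnd.ossindex.component-report.v1+json",
}
# Hypothetical transport signature: (url, headers, body) -> (status, response_text)
Transport = Callable[[str, Dict[str, str], str], Tuple[int, str]]


def fetch_reports(coords: List[str], post: Transport):
    """Return (reports, unanalyzed). A batch answered with HTTP 500 is bisected
    so one bad coordinate cannot hide the results for the rest of the batch."""
    if not coords:
        return [], []
    status, text = post(URL, HEADERS, json.dumps({"coordinates": coords}))
    if status == 200:
        return json.loads(text), []
    if status != 500:
        raise RuntimeError(f"unexpected status {status}")  # e.g. auth or rate limit
    if len(coords) == 1:
        return [], coords  # isolated: surface as "not analyzed", never as "clean"
    mid = len(coords) // 2
    left_ok, left_bad = fetch_reports(coords[:mid], post)
    right_ok, right_bad = fetch_reports(coords[mid:], post)
    return left_ok + right_ok, left_bad + right_bad


def fake_post(url, headers, body):
    """Constructed stand-in for the service: answers 500 whenever the batch
    contains the coordinate from this issue, otherwise empty reports."""
    coords = json.loads(body)["coordinates"]
    if "pkg:maven/org.jgroups/jgroups@2.6.21.Final" in coords:
        return 500, ""
    return 200, json.dumps([{"coordinates": c, "vulnerabilities": []} for c in coords])


if __name__ == "__main__":
    batch = [  # constructed batch; only the jgroups coordinate is from the issue
        "pkg:maven/com.example/alpha@1.0.0",
        "pkg:maven/org.jgroups/jgroups@2.6.21.Final",
        "pkg:maven/com.example/beta@2.3.4",
    ]
    ok, bad = fetch_reports(batch, fake_post)
    print("analyzed:", [r["coordinates"] for r in ok])
    print("NOT analyzed (HTTP 500):", bad)
```

The list of unanalyzed coordinates belongs in the scan report next to the findings, so a reader can tell "no known vulnerabilities" apart from "could not be checked".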