-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authentication failure after upgrade to 11.0.0 with Maven #7108
Comments
HttpClient is handed over the credentials for the hostedSuppressionUrl. Can you check whether your server responds with the authentication challenge? |
Thank you for the clarification.
See the following curl request as example of the scenario rejected by SAXParser:
|
Check the accompanying HTTP code, because given your stacktrace it looks more like that page gets served with an HTTP responsecode of the 2xx or 3xx range |
Correct these are the response details:
When sending a request to Microsoft Azure DevOps without providing authentication credentials, it redirects to the login page using status code 302 while at the same time requesting authentication. If you however do provide invalid credentials, the response is 401 in combination with an authentication challenge:
Does this simply mean that this plugin no longer supports authentication to Microsoft Azure DevOps services? |
I'm facing the same problems. Reverted the plugin to 10.0.4 and the DOCTYPE errors are gone. Trying to download the suppression file from a Azure Devops url. Any workaround available? |
bump! anybody willing to answer my question above? or @martijndebruijn 's question? |
@aikebah any clue on this one? |
Need to finish up my local pending changes to make apache httpclient use pre-emptive auth, but basically the root cause appears to be the server misbehaving in the context of HTTP protocol (not giving an http 401, but redirecting with 302 to webbased authentication page so that httpclient's credentials lookup never kicks in) Hope to finish that up later this week and put up a branch that hopefully someone can build a private snapshot from to validate my assumption that pre-emptive auth will solve the issue. |
Thanks - I wanted to make sure someone had this, even if it is going to take a bit of time to solve. |
@mdvalk-quintor Would you be able to test a privately built snapshot from the |
@aikebah
<suppressionFiles>
<suppressionFile>http://xxxxxxxxx:8080/basic302/suppressions.xml</suppressionFile>
</suppressionFiles>
<suppressionFileUser>my-username</suppressionFileUser>
<suppressionFilePassword>my-secret-password</suppressionFilePassword> 5. dependency-chek failed: Suppression server logs:
➫ it seems the client reacts to the challenge but still without the credentials same project, with a server that returns 401 for the challenge, works:
if you want I can propose a PR to fix this, let me know |
@ftiercelin HostedSuppression credentials are currently only supported via the properties file, so it's logical that your attempt failed. The suppressionFileUser/Password are used for configuring the user suppression files (during suppression analyzer run) download's authentication. |
@aikebah sorry but I'm confused by your comment #7108 (comment). |
Describe the bug
Since version 11.0.0 Apache Httpclient is used for web requests instead of plain java.
Configuration properties
suppressionFileUser
andsuppressionFilePassword
are no longer respected. (and the alternative configuration usingsuppressionFileServerId
is neither respected).By intercepting the http request the owasp dependency-check maven plugin tries to make, we can verify that it skips authentication, even when authentication is provided by the user!
Version of dependency-check used
The problem occurs using version 11.0.0 of the maven plugin
Log file
To Reproduce
Steps to reproduce the behavior:
nc -l 8087
Authorization
request header is missing!!Expected behavior
For step 4 in the reproduction steps above, we expect to see the Authorization header present on the request... e.g.:
Other comments
Authorization
header is present in the requests!The text was updated successfully, but these errors were encountered: