ODC container fails to connect to "central" #6994

Open
elafontaine opened this issue Sep 27, 2024 · 5 comments
@elafontaine

Describe the bug
Since the last update, our jobs have been failing to execute the "Central Analyzer" ;

[ERROR] Could not connect to Central search. Analysis failed.
java.io.IOException: Finally failed connecting to Central search. Giving up after 7 tries.
	at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts(CentralAnalyzer.java:363)
	at org.owasp.dependencycheck.analyzer.CentralAnalyzer.analyzeDependency(CentralAnalyzer.java:228)
	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
	at java.base/java.lang.Thread.run(Thread.java:1570)
Caused by: java.io.IOException: Could not connect to MavenCentral (504): Gateway Time-out
	at org.owasp.dependencycheck.data.central.CentralSearch.searchSha1(CentralSearch.java:232)
	at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts(CentralAnalyzer.java:340)
	... 8 common frames omitted

Version of dependency-check used
latest


To Reproduce
Steps to reproduce the behavior:

  1. compile your java jars under target
  2. use the container to analyse the local directory (docker run -it -v $(pwd):/data sh)
  3. execute this ; /usr/share/dependency-check/bin/dependency-check.sh --failOnCVSS 5 --noupdate --out "target" --scan 'target/**/*.jar' ${SUPPRESSION_FILE_PATH:+--suppression "$SUPPRESSION_FILE_PATH"}
  4. Observe error

Expected behavior
No error OR errors because of vulnerabilities found in the jars.

Additional context
This is run in a pipeline with internet access, so the error makes no sense to me... I will try to confirm the direct connectivity to the default URI ;

                .addOption(newOptionWithArg(ARGUMENT.CENTRAL_URL, "url",
                        "Alternative URL for Maven Central Search. If not set the public Sonatype Maven Central will be used."))
@cortex35

Same error for us. Since the last time this worked, we haven't made any changes to my knowledge. The error appeared this morning

@elafontaine
Author

I think this may be an issue on central itself, but I wouldn't be putting my hand in the fire for that. I just did a basic GET on the URI https://search.maven.org/solrsearch/select and it took a good 15 seconds to get an actual response (400) after the TLS was established...
This may explain why my jobs are hanging over an hour.
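Added example (not from this thread or the dependency-check project): a POSIX shell pre-flight check a CI job can run before dependency-check.sh. It hits the same Central search endpoint the stack trace shows CentralSearch.searchSha1 calling, classifies the answer by HTTP status and latency (a 504 or a 15-second response both count against it), and tells the operator before ODC's seven retries per dependency pile up. The script name, thresholds, placeholder SHA-1 and the q=1:<sha1> lookup form are assumptions; --disableCentral is the CLI's own switch for skipping the analyzer.

```shell
#!/bin/sh
# central_probe.sh: pre-flight check for the Maven Central search API that
# ODC's CentralAnalyzer relies on. Run it in the CI job before
# dependency-check.sh so a Central outage is reported in seconds instead of
# after seven retries per dependency.
CENTRAL_URL="${CENTRAL_URL:-https://search.maven.org/solrsearch/select}"
MAX_SECONDS="${MAX_SECONDS:-10}"      # curl --max-time; assumed threshold
SLOW_SECONDS="${SLOW_SECONDS:-5}"     # a 200 slower than this counts as degraded
# Constructed placeholder SHA-1: the lookup form (q=1:<sha1>) is assumed to
# mirror what CentralSearch.searchSha1 sends; the value itself does not matter.
PROBE_SHA1="0000000000000000000000000000000000000000"

# classify_central <http_code> <seconds> -> prints ok|degraded|down
# exit status 0/1/2 so callers can branch on it
classify_central() {
  code="$1"
  secs="${2%.*}"           # drop the fraction; curl prints e.g. 0.412
  case "$code" in
    000) echo down; return 2 ;;      # no connection / --max-time hit
    5??) echo down; return 2 ;;      # 502/503/504: Central side, as in the issue
    200) ;;
    *)   echo degraded; return 1 ;;  # 4xx etc.: reachable but not serving lookups
  esac
  if [ "${secs:-0}" -ge "$SLOW_SECONDS" ]; then echo degraded; return 1; fi
  echo ok; return 0
}

# probe_central -> prints "<http_code> <time_total>"; "000 <MAX_SECONDS>" on failure
probe_central() {
  out=$(curl -s -o /dev/null --max-time "$MAX_SECONDS" \
        -w '%{http_code} %{time_total}' \
        "$CENTRAL_URL?q=1:$PROBE_SHA1&rows=1&wt=json" 2>/dev/null) || true
  echo "${out:-000 $MAX_SECONDS}"
}

main() {
  set -- $(probe_central)
  verdict=$(classify_central "$1" "$2"); rc=$?
  echo "Maven Central search: $verdict (HTTP $1 in ${2}s)"
  if [ "$rc" -ne 0 ]; then
    echo "Central is $verdict; run dependency-check.sh with --disableCentral or retry later" >&2
  fi
  return "$rc"
}

# Only run when executed as a script; sourcing it just defines the functions
case "$0" in *central_probe.sh) main "$@" ;; esac
```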

@elafontaine
Author

I think I hit the bullseye; https://status.maven.org/

@aikebah
Collaborator

aikebah commented Sep 27, 2024

That's right. Already spotted the status-mail flood in my mailbox.
I subscribed to their status updates at the time of an earlier, longer-lasting instability of their infrastructure (around the turn of the year 2022/2023), and traffic in the last few days was extraordinarily high (as is also reflected on the status page, where you see it turn reddish for the recent days and mostly green for the distant past).

@aikebah aikebah added question and removed bug labels Sep 27, 2024
@aikebah aikebah changed the title New container version fails to connect to "central" ODC container fails to connect to "central" Sep 27, 2024
@finnlander

I've noticed the instability of the "legacy search" has been going on for ~2 weeks or so (i.e. CI jobs keep failing on timeouts)... is that Maven Central service something the dependency checker cannot work without? (i.e. it is the "source of truth", same as the NVD API, for some required information)

According to Maven Central's FAQ the "legacy search API" is not in EoL (although the information related to future improvement plans seems to be a few years old) and it seems to be the only available API to use the search functionality (or at least I couldn't find any alternatives in their documentation) -> there's probably no better working alternative to use as the data source 🤔.

p.s. I think that OWASP dependency checker is a great tool. Thank you for all the effort. 💚
