fix: OSS Index Analyzer SocketTimeoutException exception handling bas…

…ed on warn only parameter (#5845)
jeremylong · Jul 29, 2023 · 3147d91 · 3147d91
2 parents 6d1d84b + 02a3dc5
commit 3147d91
Show file tree

Hide file tree

Showing 2 changed files with 101 additions and 1 deletion.
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
@@ -54,6 +54,8 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import java.net.SocketTimeoutException;
+
 import javax.annotation.Nullable;
 import org.apache.commons.lang3.StringUtils;
 import org.sonatype.goodies.packageurl.InvalidException;
@@ -154,6 +156,15 @@ protected void analyzeDependency(final Dependency dependency, final Engine engin
                         LOG.debug("Error requesting component reports, disabling the analyzer", ex);
                         throw new AnalysisException("Failed to request component-reports", ex);
                     }
+                } catch (SocketTimeoutException e) {
+                    final boolean warnOnly = getSettings().getBoolean(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, false);
+                    this.setEnabled(false);
+                    if (warnOnly) {
+                        LOG.warn("OSS Index socket timeout, disabling the analyzer", e);
+                    } else {
+                        LOG.debug("OSS Index socket timeout", e);
+                        throw new AnalysisException("Failed to establish socket to OSS Index", e);
+                    }
                 } catch (Exception e) {
                     LOG.debug("Error requesting component reports", e);
                     throw new AnalysisException("Failed to request component-reports", e);

diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java
@@ -11,6 +11,8 @@
 import java.util.concurrent.Executors;
 import java.util.concurrent.Future;
 
+import java.net.SocketTimeoutException;
+
 import org.junit.Assert;
 import org.junit.Test;
 import org.owasp.dependencycheck.BaseTest;
@@ -150,6 +152,68 @@ public void should_analyzeDependency_only_warn_when_transport_error_from_sonatyp
         }
     }
 
+
+    @Test
+    public void should_analyzeDependency_only_warn_when_socket_error_from_sonatype() throws Exception {
+        // Given
+        OssIndexAnalyzer analyzer = new OssIndexAnalyzerThrowingSocketTimeout();
+
+        getSettings().setBoolean(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, true);
+        analyzer.initialize(getSettings());
+
+        Identifier identifier = new PurlIdentifier("maven", "test", "test", "1.0",
+                Confidence.HIGHEST);
+
+        Dependency dependency = new Dependency();
+        dependency.addSoftwareIdentifier(identifier);
+        Settings settings = getSettings();
+        Engine engine = new Engine(settings);
+        engine.setDependencies(Collections.singletonList(dependency));
+
+        // When
+        try {
+            analyzer.analyzeDependency(dependency, engine);
+        } catch (AnalysisException e) {
+            Assert.fail("Analysis exception thrown upon remote error although only a warning should have been logged");
+        } finally {
+            analyzer.close();
+            engine.close();
+        }
+    }
+
+
+    @Test
+    public void should_analyzeDependency_fail_when_socket_error_from_sonatype() throws Exception {
+        // Given
+        OssIndexAnalyzer analyzer = new OssIndexAnalyzerThrowingSocketTimeout();
+
+        getSettings().setBoolean(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, false);
+        analyzer.initialize(getSettings());
+
+        Identifier identifier = new PurlIdentifier("maven", "test", "test", "1.0",
+                Confidence.HIGHEST);
+
+        Dependency dependency = new Dependency();
+        dependency.addSoftwareIdentifier(identifier);
+        Settings settings = getSettings();
+        Engine engine = new Engine(settings);
+        engine.setDependencies(Collections.singletonList(dependency));
+
+        // When
+        AnalysisException output = new AnalysisException();
+        try {
+            analyzer.analyzeDependency(dependency, engine);
+        } catch (AnalysisException e) {
+            output = e;
+        }
+
+        // Then
+        assertEquals("Failed to establish socket to OSS Index", output.getMessage());
+        analyzer.close();
+    }
+
+
+
     static final class OssIndexAnalyzerThrowing403 extends OssIndexAnalyzer {
         @Override
         OssindexClient newOssIndexClient() {
@@ -198,5 +262,30 @@ public ComponentReport requestComponentReport(PackageUrl coordinates) throws Exc
         public void close() throws Exception {
 
         }
-    }    
+    }
+
+    static final class OssIndexAnalyzerThrowingSocketTimeout extends OssIndexAnalyzer {
+        @Override
+        OssindexClient newOssIndexClient() {
+            return new OssIndexClientSocketTimeoutException();
+        }
+    }
+
+    private static final class OssIndexClientSocketTimeoutException implements OssindexClient {
+
+        @Override
+        public Map<PackageUrl, ComponentReport> requestComponentReports(List<PackageUrl> coordinates) throws Exception {
+            throw new SocketTimeoutException("Read timed out");
+        }
+
+        @Override
+        public ComponentReport requestComponentReport(PackageUrl coordinates) throws Exception {
+            throw new SocketTimeoutException("Read timed out");
+        }
+
+        @Override
+        public void close() throws Exception {
+
+        }
+    }
 }