From a1714ce77805d4e7afd504a59640d92758bcdbbb Mon Sep 17 00:00:00 2001
From: FrozenSolid
Date: Thu, 27 Jul 2023 16:24:11 -0600
Subject: [PATCH 1/2] OSS Index sockettimeout handling
OSS Index sockettimeout handling
---
 .../analyzer/OssIndexAnalyzer.java | 10 ++
 .../analyzer/OssIndexAnalyzerTest.java | 91 ++++++++++++++++++-
 2 files changed, 100 insertions(+), 1 deletion(-)
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
index 344d6996c61..15c2b2eada1 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
@@ -54,6 +54,8 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import java.net.SocketTimeoutException;
+
 import javax.annotation.Nullable;
 import org.apache.commons.lang3.StringUtils;
 import org.sonatype.goodies.packageurl.InvalidException;
@@ -154,6 +156,14 @@ protected void analyzeDependency(final Dependency dependency, final Engine engin
 LOG.debug("Error requesting component reports, disabling the analyzer", ex);
 throw new AnalysisException("Failed to request component-reports", ex);
 }
+ } catch (SocketTimeoutException e) {
+ final boolean warnOnly = getSettings().getBoolean(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, false);
+ if (warnOnly) {
+ LOG.warn("OSS Index socket timeout, disabling the analyzer", e);
+ } else {
+ LOG.debug("OSS Index socket timeout", e);
+ throw new AnalysisException("Failed to establish socket to OSS Index", e);
+ }
 } catch (Exception e) {
 LOG.debug("Error requesting component reports", e);
 throw new AnalysisException("Failed to request component-reports", e);
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java
index bb07a2e3e30..641f9e5a31e 100644
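Review bot: The new `import java.net.SocketTimeoutException;` is placed after the `java.util.regex` imports with a blank line on each side, which splits the otherwise contiguous `java.*` group and leaves it out of lexical order. Move it up to sit with the other `java.*` imports ahead of `java.util` (those lines are outside this hunk) and drop the surrounding blank lines. The same placement is repeated in the test file's import hunk below.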
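Review bot: The new `catch (SocketTimeoutException e)` gives warn-only treatment to timeouts alone, so a refused connection, DNS failure or TLS error on the same request (all `IOException`s) still falls through to the trailing `catch (Exception e)` and fails the scan even with `ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS` set; if the setting is meant to cover remote errors in general, `catch (IOException e)` here would be the consistent choice, provided nothing in the try body (outside the hunk) throws `IOException` for local reasons. The branch is also only reachable if the client surfaces the timeout unwrapped; the unit test's stub throws it directly, so confirm against the real `OssindexClient` that its transport does not wrap it in the exception type the preceding catch already handles. On the warn-only path the dependency proceeds with no OSS Index data and the WARN line is the only record of that fail-open, so make the consequence explicit, e.g. `LOG.warn("OSS Index socket timeout; OSS Index results will be incomplete for this scan", e);` (the follow-up patch in this series adds the `setEnabled(false)` the current message announces). `analyzeDependency` starts and ends outside the hunk.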
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java
@@ -11,6 +11,8 @@
 import java.util.concurrent.Executors;
 import java.util.concurrent.Future;
+import java.net.SocketTimeoutException;
+
 import org.junit.Assert;
 import org.junit.Test;
 import org.owasp.dependencycheck.BaseTest;
@@ -150,6 +152,68 @@ public void should_analyzeDependency_only_warn_when_transport_error_from_sonatyp
 }
 }
+
+ @Test
+ public void should_analyzeDependency_only_warn_when_socket_error_from_sonatype() throws Exception {
+ // Given
+ OssIndexAnalyzer analyzer = new OssIndexAnalyzerThrowingSocketTimeout();
+
+ getSettings().setBoolean(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, true);
+ analyzer.initialize(getSettings());
+
+ Identifier identifier = new PurlIdentifier("maven", "test", "test", "1.0",
+ Confidence.HIGHEST);
+
+ Dependency dependency = new Dependency();
+ dependency.addSoftwareIdentifier(identifier);
+ Settings settings = getSettings();
+ Engine engine = new Engine(settings);
+ engine.setDependencies(Collections.singletonList(dependency));
+
+ // When
+ try {
+ analyzer.analyzeDependency(dependency, engine);
+ } catch (AnalysisException e) {
+ Assert.fail("Analysis exception thrown upon remote error although only a warning should have been logged");
+ } finally {
+ analyzer.close();
+ engine.close();
+ }
+ }
+
+
+ @Test
+ public void should_analyzeDependency_fail_when_socket_error_from_sonatype() throws Exception {
+ // Given
+ OssIndexAnalyzer analyzer = new OssIndexAnalyzerThrowingSocketTimeout();
+
+ getSettings().setBoolean(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, false);
+ analyzer.initialize(getSettings());
+
+ Identifier identifier = new PurlIdentifier("maven", "test", "test", "1.0",
+ Confidence.HIGHEST);
+
+ Dependency dependency = new Dependency();
+ dependency.addSoftwareIdentifier(identifier);
+ Settings settings = getSettings();
+ Engine engine = new Engine(settings);
+ engine.setDependencies(Collections.singletonList(dependency));
+
+ // When
+ AnalysisException output = new AnalysisException();
+ try {
+ analyzer.analyzeDependency(dependency, engine);
+ } catch (AnalysisException e) {
+ output = e;
+ }
+
+ // Then
+ assertEquals("Failed to establish socket to OSS Index", output.getMessage());
+
analyzer.close();
+ }
+
+
+
 static final class OssIndexAnalyzerThrowing403 extends OssIndexAnalyzer {
 @Override
 OssindexClient newOssIndexClient() {
@@ -198,5 +262,30 @@ public ComponentReport requestComponentReport(PackageUrl coordinates) throws Exc
 public void close() throws Exception { }
- }
+ }
+
+ static final class OssIndexAnalyzerThrowingSocketTimeout extends OssIndexAnalyzer {
+ @Override
+ OssindexClient newOssIndexClient() {
+ return new OssIndexClientSocketTimeoutException();
+ }
+ }
+
+ private static final class OssIndexClientSocketTimeoutException implements OssindexClient {
+
+ @Override
+ public Map requestComponentReports(List coordinates) throws Exception {
+ throw new SocketTimeoutException("Read timed out");
+ }
+
+ @Override
+ public ComponentReport requestComponentReport(PackageUrl coordinates) throws Exception {
+ throw new SocketTimeoutException("Read timed out");
+ }
+
+ @Override
+ public void close() throws Exception {
+
+ }
+ }
 }
From 02a3dc5248aa4cf95fd84e11a422686246e0e18c Mon Sep 17 00:00:00 2001
From: FrozenSolid
Date: Fri, 28 Jul 2023 10:45:52 -0600
Subject: [PATCH 2/2] this.setEnabled(false);
this.setEnabled(false);
---
 .../org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
index 15c2b2eada1..be16d18cc8c 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
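Review bot: In `should_analyzeDependency_fail_when_socket_error_from_sonatype` the `Engine` is never closed and `analyzer.close()` is not in a `finally`, so an assertion failure leaks both, whereas the warn-only test just above closes them in `finally`. The pre-built `new AnalysisException()` sentinel also turns a missing throw into a confusing message mismatch against `null` rather than a clear "no exception" failure, and nothing verifies that the cause is the `SocketTimeoutException` the stub threw. Restructuring the When/Then part as below addresses all three; `Settings settings = getSettings();` in both tests is also redundant with the `getSettings()` calls beside it. Both new methods are complete within the hunk; the test class itself continues beyond it.
```java
// When / Then
try {
    analyzer.analyzeDependency(dependency, engine);
    Assert.fail("Expected an AnalysisException on OSS Index socket timeout");
} catch (AnalysisException e) {
    assertEquals("Failed to establish socket to OSS Index", e.getMessage());
    Assert.assertTrue(e.getCause() instanceof SocketTimeoutException);
} finally {
    analyzer.close();
    engine.close();
}
```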
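Review bot: `OssIndexClientSocketTimeoutException` reads as an exception type but is the stub client; naming it `OssIndexClientThrowingSocketTimeout` would match the `OssIndexAnalyzerThrowingSocketTimeout` / `OssIndexAnalyzerThrowing403` convention used beside it. The `Map` and `List` in the two overridden signatures appear without type arguments here; if that is the actual source rather than the page dropping the angle brackets, write `Map<PackageUrl, ComponentReport>` and `List<PackageUrl>` so the overrides compile without unchecked warnings. The leading `-`/`+` pair on the closing brace is a whitespace-only change that could be left out of the patch. The enclosing test class closes at the hunk's last line, but its header is outside the hunk.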
@@ -158,6 +158,7 @@ protected void analyzeDependency(final Dependency dependency, final Engine engin
 }
 } catch (SocketTimeoutException e) {
 final boolean warnOnly = getSettings().getBoolean(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, false);
+ this.setEnabled(false);
+ if (warnOnly) {
+ LOG.warn("OSS Index socket timeout, disabling the analyzer", e);
+ } else {
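Review bot: `this.setEnabled(false)` now runs before the `warnOnly` test, so on the warn-only path one transient timeout switches OSS Index off for every remaining dependency of the scan with a single WARN line as the only trace; for an opt-in fail-open that is acceptable, but the message should state it, e.g. `LOG.warn("OSS Index socket timeout, disabling the analyzer; remaining dependencies will not be checked against OSS Index", e);`, and a single retry before disabling would make the coverage loss less likely if the transport allows it. In the throwing branch the disable is harmless and, if the engine carries on after an `AnalysisException`, avoids paying the socket timeout once per remaining dependency. Neither new test in this series checks the disabled state; adding `Assert.assertFalse(analyzer.isEnabled());` after the `analyzeDependency` call in both would pin it, assuming the getter that pairs with `setEnabled` is available. If the engine runs this analyzer's tasks on several threads, calls already past the enabled check will still wait out their own timeout, which is unavoidable but worth a comment. `analyzeDependency` starts and ends outside the hunk.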