[JAVA] Dealing with IO Exception: Connection reset with OWASP dependency-check Command Line Tool

We have summarized the actions to be taken when an error (IO Exception: Connection reset) occurs when executing a tool called OWASP dependency-check.

Roughly speaking, it was an error that occurred because the JDK used in the environment could not support the encryption suite specified by the site from which the vulnerability information was acquired. The solution was to add a library called BouncyCastle that provides an API for encryption to the JDK of the environment.

Originally, I was working on the cooperation between Vuls and OWASP dependency-check. https://vuls.io/docs/ja/usage-scan-non-os-packages.html#usage-integrate-with-owasp-dependency-check-to-automatic-update-when-the-libraries-are-updated-experimental

debug trace excerpt

ERROR - IO Exception: Connection reset
2018-03-08 10:28:05,137 org.owasp.dependencycheck.utils.Downloader:280
DEBUG - Exception details
java.net.SocketException: Connection reset
  at java.net.SocketInputStream.read(SocketInputStream.java:197)
  at java.net.SocketInputStream.read(SocketInputStream.java:122)
  at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
  at sun.security.ssl.InputRecord.read(InputRecord.java:480)
  at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:944)
  at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1342)
  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1369)
  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1353)
  at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
  at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
  at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
  at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:268)
  at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:235)
  at org.owasp.dependencycheck.data.update.NvdCveUpdater$TimestampRetriever.call(NvdCveUpdater.java:507)
  at org.owasp.dependencycheck.data.update.NvdCveUpdater$TimestampRetriever.call(NvdCveUpdater.java:480)
  at java.util.concurrent.FutureTask.run(FutureTask.java:262)
  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1152)
  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:622)
  at java.lang.Thread.run(Thread.java:748)

There was an Issue in the same situation. https://github.com/jeremylong/DependencyCheck/issues/561

It's long, but after all https://github.com/jeremylong/DependencyCheck/issues/561#issuecomment-257045439 It was that there was not enough Bouncy Castle.

There is also a comment that it is okay because the latest OpenJDK is included. https://github.com/jeremylong/DependencyCheck/issues/561#issuecomment-267774165

Cause

https://stackoverflow.com/questions/40305004/java-tls-connection-reset-using-some-jdks

The connection reset was set because the JDK cannot support the TLS communication encryption suite used by nvd.nist.gov, which provides vulnerability information.

Coping

It's OK if the JDK can support the corresponding encryption suite.

manner https://stackoverflow.com/questions/31971499/ecdhe-cipher-suites-not-supported-on-openjdk-8-installed-on-ec2-linux-machine

Add Bouncy Castle to the JDK

Japanese procedure https://www.intra-mart.jp/document/library/sso/public/im_sso_setup_guide/texts/install/login_server_config/security_provider/index.html

Note: Where to put bcprov-jdkXX-YYY.jar and java.security on Amazon Linux

$ type java
java is /usr/bin/java
$ ls -lha /usr/bin/java
lrwxrwxrwx 1 root root 22 august 13 2017/usr/bin/java -> /etc/alternatives/java*
$ ls -lha /etc/alternatives/java
lrwxrwxrwx 1 root root 46 august 13 2017/etc/alternatives/java -> /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java*
$ cd /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/ext # <-Bcprov here-jdkXX-YYY.Place the jar
$ vim /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/security/java.security # <- java.location of security

Actual steps

$ cd /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/ext
$ sudo wget http://www.bouncycastle.org/download/bcprov-jdk15on-159.jar
$ sudo vim /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/security/java.security
  #
  # List of providers and their preference orders (see above):
  #
  security.provider.1=sun.security.provider.Sun
  security.provider.2=sun.security.rsa.SunRsaSign
  security.provider.3=sun.security.ec.SunEC
  security.provider.4=com.sun.net.ssl.internal.ssl.Provider
  security.provider.5=com.sun.crypto.provider.SunJCE
  security.provider.6=sun.security.jgss.SunProvider
  security.provider.7=com.sun.security.sasl.Provider
  security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
  security.provider.9=sun.security.smartcardio.SunPCSC
+ security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
  # the NSS security provider was not enabled for this build; it can be enabled
  # if NSS (libnss3) is available on the machine. The nss.cfg file may need

Run again

$ ./dependency-check/bin/dependency-check.sh -f XML -o ./result.xml -s /web/current/api/current --project dev-api -l ./owasp.log
[ERROR] Exception from bundle-audit process: java.io.IOException: Cannot run program "bundle-audit" (in directory "/tmp/dctemp668de20e-5168-4592-ada8-6b73ba425d34"): error=2,There is no such file or directory. Disabling Ruby Bundle Audit Analyzer

I got an error, but the error was because I was using Ruby in the environment to be scanned, that bundle-audit could not be executed.

https://rubygems.org/gems/bundler-audit

So, by now, the title error should have been resolved.

Install bundler-audit

In addition, I will also describe the bundle-audit settings. Is it easy.

$ sudo gem install bundler-audit

Run again

Change the output destination of the result to /tmp/result.xml

$ ./dependency-check/bin/dependency-check.sh -f XML -o /tmp/result.xml -s /web/current/api/current --project dev-api -l ./owasp02.log

It ended normally.

that's all.

Recommended Posts

Dealing with IO Exception: Connection reset with OWASP dependency-check Command Line Tool
Create command line app with maven