Dependency Check 5.2.0 .NET Assembly analyser error #2155

Closed
vaishravin opened this issue Aug 19, 2019 · 11 comments
@vaishravin

We are running a scan using the command-line utility of DCT 5.2.0 on Windows. Earlier we faced an error due to dot net core not being present; after installing it and giving the path in the command, it was working fine. Now we are getting the same error again, though dot net core is present. Please find the command and result below. Please suggest what might cause this error now.

```
:\DCT Scan\dependency-check-5.2.0-release\bin>dependency-check.bat --project IR --scan "D:\SourceCode" --format ALL  --dotnet "C:\Program Files\dotnet\dotnet.exe" --proxyserver xxx.xxx.x.xx --proxyport 8080
[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 4 hours.
[INFO] Skipping RetireJS update since last update was within 24 hours.
[INFO] Check for updates complete (23 ms)
[INFO]

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user's risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (3 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Nuspec Analyzer (0 seconds)
[INFO] Finished Nugetconf Analyzer (0 seconds)
[INFO] Finished MSBuild Project Analyzer (0 seconds)
[ERROR] ----------------------------------------------------
[ERROR] .NET Assembly Analyzer could not be initialized and at least one 'exe' or 'dll' was scanned. The 'dotnet' executable could not be found on the path; either disable the Assembly Analyzer or configure the path dotnet core.
[ERROR] ----------------------------------------------------

[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (4 seconds)
[INFO] Finished CPE Analyzer (5 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (19 seconds)
```

@vaishravin
Author

We are getting the same error with 5.2.1 as well.

@jeremylong
Owner

Can you run `dotnet --version`?

@vaishravin
Author

I get this response when I tried the command. But for some reason the error is not coming now. Thank you.

```
Did you mean to run dotnet SDK commands? Please install dotnet SDK from:
https://go.microsoft.com/fwlink/?LinkID=798306&clcid=0x409
```

@hofmanj

hofmanj commented Sep 2, 2019

I am facing the same problem with plugin version 5.2.1. I try to run `mvn verify` and `mvn dependency-check:check` and with both commands, the error that I see is "One or more exceptions occurred during analysis: An error occurred with the .NET AssemblyAnalyzer".

The stacktrace is:
```
Caused by: org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during analysis: An error occurred with the .NET AssemblyAnalyzer
	at org.owasp.dependencycheck.Engine.analyzeDependencies (Engine.java:705)
	at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1403)
	at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:802)
	at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
	at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
	at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
	at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
	at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
	at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
	at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
	at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
	at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
	at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
	at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
	at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke (Method.java:566)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
	at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
	at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
```

I am using MacOS 10.14.6, Maven version 3.6.1 and DotNet version 3.0.100-preview8-013656.

@jeremylong
Owner

@hofmanj can you run `dotnet --version` and post the results? Also, have you specified the path to the dotnet executable in the configuration of dependency-check?

@hofmanj

hofmanj commented Sep 3, 2019

@jeremylong The result of `dotnet --version` is: 3.0.100-preview8-013656.

I have not set the path to the executable in the configuration; I assume you mean in the configuration tag of the plugin in the POM file. Dotnet is recognised as a command in the terminal if that is of any use.

I also just found out that the dependency-check-report.html is generated anyway, even though the dotnet assemblyanalyzer error occurred.

@jeremylong
Owner

If you do not have any dotnet - you can disable the dotnet analyzer. Alternatively, you can set the path to dotnet. In some cases even if dotnet is on the path in the terminal - I've seen the path not get fully passed into the JVM. As such, you may need to explicitly set the path to dotnet.

@mradckeIRT

I had the same error (using dependency check 5.2.2). Then I installed dotnet and provided the --dotnet parameter with correct path when running dependency-check.bat.

Now I get the following error:

```
2019-10-24T11:13:46.5301847Z [WARN] An error occurred with the .NET AssemblyAnalyzer;
2019-10-24T11:13:46.5302210Z this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.
2019-10-24T11:13:46.5303670Z [ERROR] Exception occurred initializing Assembly Analyzer.
```

And this error is shown in the log file:

```
ERROR - An error occurred with the .NET AssemblyAnalyzer
2019-10-24 13:13:52,300 org.owasp.dependencycheck.App:206
DEBUG - unexpected error
org.owasp.dependencycheck.exception.InitializationException: An error occurred with the .NET AssemblyAnalyzer
	at org.owasp.dependencycheck.analyzer.AssemblyAnalyzer.prepareFileTypeAnalyzer(AssemblyAnalyzer.java:403)
	at org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer.prepareAnalyzer(AbstractFileTypeAnalyzer.java:83)
	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.prepare(AbstractAnalyzer.java:102)
	at org.owasp.dependencycheck.Engine.initializeAnalyzer(Engine.java:842)
	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:678)
	at org.owasp.dependencycheck.App.runScan(App.java:251)
	at org.owasp.dependencycheck.App.run(App.java:183)
	at org.owasp.dependencycheck.App.main(App.java:80)
Caused by: org.owasp.dependencycheck.xml.assembly.GrokParseException: org.xml.sax.SAXException: Line=1, Column=1: Premature end of file.
	at org.owasp.dependencycheck.xml.assembly.GrokParser.parse(GrokParser.java:103)
	at org.owasp.dependencycheck.analyzer.AssemblyAnalyzer.prepareFileTypeAnalyzer(AssemblyAnalyzer.java:380)
	... 7 common frames omitted
Caused by: org.xml.sax.SAXException: Line=1, Column=1: Premature end of file.
	at org.owasp.dependencycheck.xml.assembly.GrokErrorHandler.fatalError(GrokErrorHandler.java:71)
	at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLScanner.reportFatalError(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$PrologDriver.next(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
	at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
	at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
	at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
	at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(Unknown Source)
	at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
	at org.owasp.dependencycheck.xml.assembly.GrokParser.parse(GrokParser.java:92)
	... 8 common frames omitted
```

@stevehipwell

@mradckeIRT I'm seeing the same issue when used with DotNet Core 3.

@stevehipwell

See #1464.

@jeremylong
Owner

With the soon to be released 5.4.0 we will be switching from dotnet 2.x to dotnet 3.1.
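
Added example (not part of the thread and not dependency-check's own code): because the report is still generated when the Assembly Analyzer fails, a CI step can check the scan log for the three analyzer messages quoted in this thread and fail the build when the scanned tree contains `.dll` or `.exe` files that therefore went unanalyzed. The function names, the `scan.log` file, the `DOTNET_PATH` variable and the `./src` path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not dependency-check code: gate a scan on Assembly Analyzer health.

# Print the path of a dotnet that actually starts, trying an explicit path
# ($1, may be empty) before falling back to PATH. Returns 1 if none works.
resolve_dotnet() {
    for candidate in "$1" "$(command -v dotnet 2>/dev/null)"; do
        [ -n "$candidate" ] && [ -x "$candidate" ] || continue
        if "$candidate" --version >/dev/null 2>&1; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Return 0 if the log ($1) shows the .NET Assembly Analyzer did not run.
# The patterns are the messages quoted in this thread.
assembly_analyzer_failed() {
    grep -E -q \
        -e '\.NET Assembly Analyzer could not be initialized' \
        -e 'An error occurred with the \.NET AssemblyAnalyzer' \
        -e 'Exception occurred initializing Assembly Analyzer' \
        "$1"
}

# Return 1 only when the analyzer failed AND the scanned tree ($2) holds
# .dll/.exe files: those binaries were skipped, so the report is incomplete.
gate_scan() {
    log=$1
    tree=$2
    assembly_analyzer_failed "$log" || return 0
    if find "$tree" -type f \( -iname '*.dll' -o -iname '*.exe' \) | grep -q .; then
        echo "FAIL: .NET binaries present but Assembly Analyzer did not run" >&2
        return 1
    fi
    return 0
}

# Usage in a CI step (DOTNET_PATH, scan.log and ./src are placeholders):
#   DOTNET=$(resolve_dotnet "$DOTNET_PATH") || exit 1
#   dependency-check.sh --project IR --scan ./src --dotnet "$DOTNET" 2>&1 | tee scan.log
#   gate_scan scan.log ./src || exit 1
```

Passing the resolved absolute path with `--dotnet` avoids relying on the PATH that reaches the JVM.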

lock bot locked and limited conversation to collaborators May 5, 2020