Dependency check issue

[murphd40]

This lib is causing our build pipeline to fail a dependency check:

org.xml.sax.SAXParseException: Content is not allowed in prolog.

I believe the reason is that the MIT license is included in the POM file

[PascalSchumacher]

Thanks for reporting. 👍 The issue should be fixed now.

[murphd40]

Thanks! 👍 Feel free to close issue

[fmbenhassine]

Hi @murphd40

FYI, v3.7 has been released with the fixed pom.
It should not cause your build to fail anymore.

Thanks to @PascalSchumacher for the fix.

Kr
Mahmoud

[murphd40]

Hi @benas @PascalSchumacher

I have tried the dependency check with lib v3.7 and unfortunately the problem still persists:

Caused by: org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during dependency-check analysis
org.owasp.dependencycheck.xml.pom.PomParseException: org.owasp.dependencycheck.xml.pom.PomParseException: org.xml.sax.SAXParseException: Content is not allowed in prolog.

Here is a picture of the POM as I see it:

[fmbenhassine]

Strange, may be a UTF-8 BOM. I'll check and get back to you asap.
I never had a problem with this using maven. I see you're using gradle, not sure it is the cause (We were able to import random beans in a gradle project without any problem in #62).

Anyway, I should have asked you to test with the snapshot version first.
I'll do that systematically from now on.

[murphd40]

We are using dependency-check-gradle plugin

[PascalSchumacher]

I do not know the dependency-check-gradle plugin, but I doubt that it uses the pom in the jar. Please check/upload the random beans poms in the local gradle repo (usually USER_HOME/.gradle).

[murphd40]

The failures occur on our Jenkins pipeline so it is not a local issue.

The error log suggests it's a pom problem:

org.owasp.dependencycheck.xml.pom.PomParseException: org.xml.sax.SAXParseException: Content is not allowed in prolog.

The failure is only occurring for this dependency.

Is it common practise to include license / copyright in pom files? I can't see it in any of my other dependencies

[fmbenhassine]

This is what I did. The license is already mentioned in the pom.xml file. So the header has no added value. This was added automatically by my IDE in the early stage of the project.

Can you try with 3.8.0-SNAPSHOT ?

[murphd40]

Sure. Where can I find the snapshot version?

[PascalSchumacher]

Is it common practise to include license / copyright in pom files?

The Apache foundation requires that projects add the license header to every source file so all apache projects should have the header in their pom. E.g.: https://github.com/apache/commons-lang/blob/master/pom.xml, https://github.com/apache/logging-log4j2/blob/master/log4j-core/pom.xml https://github.com/apache/camel/blob/master/pom.xml ...

org.xml.sax.SAXParseException: Content is not allowed in prolog means that there are characters before the xml declaration (<?xml ...). Usually there is either some surplus char there, it's an encoding issue or the file is not really an xml file. Therefore @beans changes (deleting the license after the xml declaration) won't help. :(

[fmbenhassine]

Apache projects add the license header in xml files, but they do not add a licenses tag in which licenses are listed. This is not the case for random beans, we had both of them. I believe this is duplicate information. That's why I removed the license header from pom.xml files.

If this does not help, let's get back to the issue. I checked with an hex editor the pom.xml and there is no suspicious character before the declaration. The file -I command shows it is us-ascii encoded file. Intellij shows it is utf-8. So I'm not sure what is wrong and why there is an issue with gradle plugins but not with maven plugins.

[PascalSchumacher]

Where can I find the snapshot version?

I think you have to add the maven snapshot repository: https://oss.sonatype.org/content/repositories/snapshots/

@benas Right?

[fmbenhassine]

Yes, more details in the wiki here:

https://github.com/benas/random-beans/wiki/Getting-Started#maven-usage

[murphd40]

I think I have found the problem. It looks like the POM of one of the dependencies of random-beans-randomizers is causing the issue:

+--- io.github.benas:random-beans-randomizers:3.8.0-SNAPSHOT
|    +--- io.github.benas:random-beans:3.8.0-SNAPSHOT (*)
|    \--- com.github.javafaker:javafaker:0.13
|         +--- org.apache.commons:commons-lang3:3.5 -> 3.4
|         \--- com.github.mifmif:generex:1.0.2
|              \--- **dk.brics.automaton:automaton:1.11-8**

An error occurred while analyzing '....gradle\caches\modules-2\files-2.1\dk.brics.automaton\automaton\1.11-8\6ebfa65eb431ff4b715a23be7a750cbc4cc96d0f\automaton-1.11-8.jar' (Central Analyzer).

I had to remove the random-beans-randomizers dependency but it seems to be working now

Sorry it took so long to discover this

[fmbenhassine]

Your screenshot was about the core module, so I focused on trying to find a problem with the pom of the core module.. not the randomizers module.

Anyway, thanks for the investigation. I see the pom of this artifact and indeed there is no xml decalration:

https://search.maven.org/#artifactdetails%7Cdk.brics.automaton%7Cautomaton%7C1.11-8%7Cjar

May be open a bug on their issue tracker?

[murphd40]

Your screenshot was about the core module, so I focused on trying to find a problem with the pom of the core module.. not the randomizers module.

Yeah I didn't consider that the error might be in the randomizers module - sorry.

I opened an issue for this library but there is very little activity on the repository so I'm not confident that it will be addressed any time soon.