This post summarizes what to do when OWASP dependency-check fails with the error "IO Exception: Connection reset".
Roughly speaking, the error occurred because the JDK in the environment did not support the TLS cipher suite required by the site from which the vulnerability information is downloaded. The fix was to add Bouncy Castle, a library that provides cryptographic APIs, as a security provider of that JDK.
Originally, I was working on integrating Vuls with OWASP dependency-check. https://vuls.io/docs/ja/usage-scan-non-os-packages.html#usage-integrate-with-owasp-dependency-check-to-automatic-update-when-the-libraries-are-updated-experimental
ERROR - IO Exception: Connection reset
2018-03-08 10:28:05,137 org.owasp.dependencycheck.utils.Downloader:280
DEBUG - Exception details
java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:197)
at java.net.SocketInputStream.read(SocketInputStream.java:122)
at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
at sun.security.ssl.InputRecord.read(InputRecord.java:480)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:944)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1342)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1369)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1353)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:268)
at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:235)
at org.owasp.dependencycheck.data.update.NvdCveUpdater$TimestampRetriever.call(NvdCveUpdater.java:507)
at org.owasp.dependencycheck.data.update.NvdCveUpdater$TimestampRetriever.call(NvdCveUpdater.java:480)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1152)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:622)
at java.lang.Thread.run(Thread.java:748)
There was an issue reporting the same situation. https://github.com/jeremylong/DependencyCheck/issues/561
It is long, but in the end (https://github.com/jeremylong/DependencyCheck/issues/561#issuecomment-257045439) the cause was that Bouncy Castle was missing.
There is also a comment saying that the latest OpenJDK is fine because the required support is included. https://github.com/jeremylong/DependencyCheck/issues/561#issuecomment-267774165
https://stackoverflow.com/questions/40305004/java-tls-connection-reset-using-some-jdks
The connection reset happened because the JDK could not support the TLS cipher suite used by nvd.nist.gov, the site that provides the vulnerability information.
It works as long as the JDK supports the corresponding cipher suite.
Procedure: https://stackoverflow.com/questions/31971499/ecdhe-cipher-suites-not-supported-on-openjdk-8-installed-on-ec2-linux-machine
Japanese procedure: https://www.intra-mart.jp/document/library/sso/public/im_sso_setup_guide/texts/install/login_server_config/security_provider/index.html
$ type java
java is /usr/bin/java
$ ls -lha /usr/bin/java
lrwxrwxrwx 1 root root 22 Aug 13 2017 /usr/bin/java -> /etc/alternatives/java*
$ ls -lha /etc/alternatives/java
lrwxrwxrwx 1 root root 46 Aug 13 2017 /etc/alternatives/java -> /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java*
$ cd /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/ext # <- place bcprov-jdkXX-YYY.jar here
$ vim /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/security/java.security # <- location of java.security
$ cd /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/ext
$ sudo wget http://www.bouncycastle.org/download/bcprov-jdk15on-159.jar
$ sudo vim /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/security/java.security
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
+ security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
# the NSS security provider was not enabled for this build; it can be enabled
# if NSS (libnss3) is available on the machine. The nss.cfg file may need
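The two manual steps above (drop the bcprov jar into lib/ext, append a security.provider line to java.security) are easy to get wrong by hand: a duplicate provider line or a gap in the numbering makes the JDK ignore the provider. The following shell functions are an added example written for this post, not part of dependency-check or Bouncy Castle; they register the provider idempotently at the next free index and check that a bcprov jar is present in the extension directory. The sample java.security they build is constructed here for a dry run and only mirrors the provider list shown above.

```shell
#!/bin/sh
# Added example (not from the original post): register the Bouncy Castle
# JCE provider in a java.security file without duplicates or gaps in the
# security.provider.N numbering. Paths are passed as arguments, so nothing
# touches the real JDK unless you point it there.

# add_bc_provider /path/to/java.security
# Prints the provider line that was appended (or the one already present)
# and returns 0; returns 1 if the file does not exist.
add_bc_provider() {
    f="$1"
    provider="org.bouncycastle.jce.provider.BouncyCastleProvider"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }

    # Already registered (at any index): leave the file untouched.
    existing=$(grep -E "^security\.provider\.[0-9]+=$provider\$" "$f") && {
        echo "$existing"
        return 0
    }

    # Highest index in use; the provider list must stay contiguous,
    # so the new entry goes at max+1.
    max=$(sed -n 's/^security\.provider\.\([0-9]*\)=.*/\1/p' "$f" | sort -n | tail -1)
    next=$(( ${max:-0} + 1 ))
    line="security.provider.$next=$provider"
    printf '%s\n' "$line" >> "$f"
    echo "$line"
}

# check_bc_jar /path/to/jre/lib/ext
# Returns 0 if a bcprov-*.jar sits on the extension path (the JDK 7/8
# layout used in the post), 1 otherwise.
check_bc_jar() {
    ls "$1"/bcprov-*.jar >/dev/null 2>&1
}

# Constructed sample java.security (three providers, as in the real file's
# head) placed in a temporary directory; prints its path.
make_sample_security() {
    d=$(mktemp -d)
    cat > "$d/java.security" <<'EOF'
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
EOF
    echo "$d/java.security"
}
```

Run it against the real files as `add_bc_provider /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/security/java.security` (with sudo) followed by `check_bc_jar /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/lib/ext`. The lib/ext extension mechanism only exists up to JDK 8; on JDK 9 and later the jar has to go on the class path of the application instead.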
$ ./dependency-check/bin/dependency-check.sh -f XML -o ./result.xml -s /web/current/api/current --project dev-api -l ./owasp.log
[ERROR] Exception from bundle-audit process: java.io.IOException: Cannot run program "bundle-audit" (in directory "/tmp/dctemp668de20e-5168-4592-ada8-6b73ba425d34"): error=2, No such file or directory. Disabling Ruby Bundle Audit Analyzer
I got an error, but it was because Ruby is used in the scanned environment and bundle-audit could not be executed.
https://rubygems.org/gems/bundler-audit
So at this point, the error in the title has been resolved.
In addition, I will also describe the bundle-audit setup. It is easy.
$ sudo gem install bundler-audit
Change the output destination of the result to /tmp/result.xml.
$ ./dependency-check/bin/dependency-check.sh -f XML -o /tmp/result.xml -s /web/current/api/current --project dev-api -l ./owasp02.log
It finished normally.
That's all.