Skip to content

Retries on "permanent" vulnerability analysis errors delay analysis for a long time #6641

Description

@elmuerte

Current Behavior

When you enable the OSS Index (Sonatype Guide) analyzer, and you run out of credits it will delay the vulnerability analysis for 2.5 minutes due to needless retries.

When you run out of credits, Sonatype Guide will response with a 402 Payment Required. Which will be thrown as any other non-200 reponse as an UncheckedIOException.

{
  "message": "Failed to retrieve component report",
  "stackTrace": "org.dependencytrack.vulnanalysis.ossindex.OssIndexVulnAnalyzer.analyzePurlBatch(OssIndexVulnAnalyzer.java:216)\norg.dependencytrack.vulnanalysis.ossindex.OssIndexVulnAnalyzer.analyzePurls(OssIndexVulnAnalyzer.java:198)\norg.dependencytrack.vulnanalysis.ossindex.OssIndexVulnAnalyzer.analyze(OssIndexVulnAnalyzer.java:147)\norg.dependencytrack.vulnanalysis.InvokeVulnAnalyzerActivity.performAnalysis(InvokeVulnAnalyzerActivity.java:114)\norg.dependencytrack.vulnanalysis.InvokeVulnAnalyzerActivity.execute(InvokeVulnAnalyzerActivity.java:80)\norg.dependencytrack.vulnanalysis.InvokeVulnAnalyzerActivity.execute(InvokeVulnAnalyzerActivity.java:52)",
  "cause": {
    "message": "OSS Index API request failed with status 402",
    "stackTrace": "org.dependencytrack.vulnanalysis.ossindex.OssIndexVulnAnalyzer.getComponentReports(OssIndexVulnAnalyzer.java:267)\norg.dependencytrack.vulnanalysis.ossindex.OssIndexVulnAnalyzer.analyzePurlBatch(OssIndexVulnAnalyzer.java:214)\norg.dependencytrack.vulnanalysis.ossindex.OssIndexVulnAnalyzer.analyzePurls(OssIndexVulnAnalyzer.java:198)\norg.dependencytrack.vulnanalysis.ossindex.OssIndexVulnAnalyzer.analyze(OssIndexVulnAnalyzer.java:147)\norg.dependencytrack.vulnanalysis.InvokeVulnAnalyzerActivity.performAnalysis(InvokeVulnAnalyzerActivity.java:114)\norg.dependencytrack.vulnanalysis.InvokeVulnAnalyzerActivity.execute(InvokeVulnAnalyzerActivity.java:80)\norg.dependencytrack.vulnanalysis.InvokeVulnAnalyzerActivity.execute(InvokeVulnAnalyzerActivity.java:52)",
    "applicationFailureDetails": {}
  },
  "applicationFailureDetails": {}
}

Which will lead to a workflow task retry (5 attempts by default), after a delay of 30 seconds.

It is highly unlikely that the credit issue will be resolved with 2.5 minutes. So this will only delay vulnerability analysis with 2.5 minutes. Which would delay automated processes waiting for the analysis to be finished (i.e. buildserver jobs).

Steps to Reproduce

  1. Setup OSS Index analysis
  2. Run out of credits (i.e. spend the 500 free credits)
  3. Run a vulnerability analysis

Expected Behavior

The 402 Payment Response is quite a permanent error within the allowed retry window of a workflow. So on the first 402 response it might as well regard it as a permanent error and not retry the task.

Dependency-Track Version

5.x

Browser

N/A

Checklist

Metadata

Metadata

Assignees

No one assigned

    Labels

    defectSomething isn't workingp2Non-critical bugs, and features that help organizations to identify and reduce risksize/SSmall effort

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions