Current Behavior
When you enable the OSS Index (Sonatype Guide) analyzer, and you run out of credits it will delay the vulnerability analysis for 2.5 minutes due to needless retries.
When you run out of credits, Sonatype Guide will response with a 402 Payment Required. Which will be thrown as any other non-200 reponse as an UncheckedIOException.
{
"message": "Failed to retrieve component report",
"stackTrace": "org.dependencytrack.vulnanalysis.ossindex.OssIndexVulnAnalyzer.analyzePurlBatch(OssIndexVulnAnalyzer.java:216)\norg.dependencytrack.vulnanalysis.ossindex.OssIndexVulnAnalyzer.analyzePurls(OssIndexVulnAnalyzer.java:198)\norg.dependencytrack.vulnanalysis.ossindex.OssIndexVulnAnalyzer.analyze(OssIndexVulnAnalyzer.java:147)\norg.dependencytrack.vulnanalysis.InvokeVulnAnalyzerActivity.performAnalysis(InvokeVulnAnalyzerActivity.java:114)\norg.dependencytrack.vulnanalysis.InvokeVulnAnalyzerActivity.execute(InvokeVulnAnalyzerActivity.java:80)\norg.dependencytrack.vulnanalysis.InvokeVulnAnalyzerActivity.execute(InvokeVulnAnalyzerActivity.java:52)",
"cause": {
"message": "OSS Index API request failed with status 402",
"stackTrace": "org.dependencytrack.vulnanalysis.ossindex.OssIndexVulnAnalyzer.getComponentReports(OssIndexVulnAnalyzer.java:267)\norg.dependencytrack.vulnanalysis.ossindex.OssIndexVulnAnalyzer.analyzePurlBatch(OssIndexVulnAnalyzer.java:214)\norg.dependencytrack.vulnanalysis.ossindex.OssIndexVulnAnalyzer.analyzePurls(OssIndexVulnAnalyzer.java:198)\norg.dependencytrack.vulnanalysis.ossindex.OssIndexVulnAnalyzer.analyze(OssIndexVulnAnalyzer.java:147)\norg.dependencytrack.vulnanalysis.InvokeVulnAnalyzerActivity.performAnalysis(InvokeVulnAnalyzerActivity.java:114)\norg.dependencytrack.vulnanalysis.InvokeVulnAnalyzerActivity.execute(InvokeVulnAnalyzerActivity.java:80)\norg.dependencytrack.vulnanalysis.InvokeVulnAnalyzerActivity.execute(InvokeVulnAnalyzerActivity.java:52)",
"applicationFailureDetails": {}
},
"applicationFailureDetails": {}
}
Which will lead to a workflow task retry (5 attempts by default), after a delay of 30 seconds.
It is highly unlikely that the credit issue will be resolved with 2.5 minutes. So this will only delay vulnerability analysis with 2.5 minutes. Which would delay automated processes waiting for the analysis to be finished (i.e. buildserver jobs).
Steps to Reproduce
- Setup OSS Index analysis
- Run out of credits (i.e. spend the 500 free credits)
- Run a vulnerability analysis
Expected Behavior
The 402 Payment Response is quite a permanent error within the allowed retry window of a workflow. So on the first 402 response it might as well regard it as a permanent error and not retry the task.
Dependency-Track Version
5.x
Browser
N/A
Checklist
Current Behavior
When you enable the OSS Index (Sonatype Guide) analyzer, and you run out of credits it will delay the vulnerability analysis for 2.5 minutes due to needless retries.
When you run out of credits, Sonatype Guide will response with a 402 Payment Required. Which will be thrown as any other non-200 reponse as an UncheckedIOException.
{ "message": "Failed to retrieve component report", "stackTrace": "org.dependencytrack.vulnanalysis.ossindex.OssIndexVulnAnalyzer.analyzePurlBatch(OssIndexVulnAnalyzer.java:216)\norg.dependencytrack.vulnanalysis.ossindex.OssIndexVulnAnalyzer.analyzePurls(OssIndexVulnAnalyzer.java:198)\norg.dependencytrack.vulnanalysis.ossindex.OssIndexVulnAnalyzer.analyze(OssIndexVulnAnalyzer.java:147)\norg.dependencytrack.vulnanalysis.InvokeVulnAnalyzerActivity.performAnalysis(InvokeVulnAnalyzerActivity.java:114)\norg.dependencytrack.vulnanalysis.InvokeVulnAnalyzerActivity.execute(InvokeVulnAnalyzerActivity.java:80)\norg.dependencytrack.vulnanalysis.InvokeVulnAnalyzerActivity.execute(InvokeVulnAnalyzerActivity.java:52)", "cause": { "message": "OSS Index API request failed with status 402", "stackTrace": "org.dependencytrack.vulnanalysis.ossindex.OssIndexVulnAnalyzer.getComponentReports(OssIndexVulnAnalyzer.java:267)\norg.dependencytrack.vulnanalysis.ossindex.OssIndexVulnAnalyzer.analyzePurlBatch(OssIndexVulnAnalyzer.java:214)\norg.dependencytrack.vulnanalysis.ossindex.OssIndexVulnAnalyzer.analyzePurls(OssIndexVulnAnalyzer.java:198)\norg.dependencytrack.vulnanalysis.ossindex.OssIndexVulnAnalyzer.analyze(OssIndexVulnAnalyzer.java:147)\norg.dependencytrack.vulnanalysis.InvokeVulnAnalyzerActivity.performAnalysis(InvokeVulnAnalyzerActivity.java:114)\norg.dependencytrack.vulnanalysis.InvokeVulnAnalyzerActivity.execute(InvokeVulnAnalyzerActivity.java:80)\norg.dependencytrack.vulnanalysis.InvokeVulnAnalyzerActivity.execute(InvokeVulnAnalyzerActivity.java:52)", "applicationFailureDetails": {} }, "applicationFailureDetails": {} }Which will lead to a workflow task retry (5 attempts by default), after a delay of 30 seconds.
It is highly unlikely that the credit issue will be resolved with 2.5 minutes. So this will only delay vulnerability analysis with 2.5 minutes. Which would delay automated processes waiting for the analysis to be finished (i.e. buildserver jobs).
Steps to Reproduce
Expected Behavior
The 402 Payment Response is quite a permanent error within the allowed retry window of a workflow. So on the first 402 response it might as well regard it as a permanent error and not retry the task.
Dependency-Track Version
5.x
Browser
N/A
Checklist