component-report request returns 500 when '/' is URL encoded #38

Open
davetobin opened this issue Oct 18, 2022 · 2 comments
Comments

@davetobin

davetobin commented Oct 18, 2022

Apologies if this is the wrong place for this.

Using Dependency Check maven plugin 6.5.3, it looks like it URL-encodes / as %2F, e.g. pkg:npm/%40babel%2Fplugin-transform-unicode-regex@7.18.6.

POST requests to https://ossindex.sonatype.org/api/v3/component-report are returning a 500 when %2F is included.

Dependency Check logs:

[DEBUG] Requesting 1473 component-reports
[DEBUG] Requesting 128 un-cached component-reports
[DEBUG] POST https://ossindex.sonatype.org/api/v3/component-report; payload: {"coordinates":["pkg:npm/%40babel%2Fplugin-transform-unicode-regex@7.18.6","pkg:npm/%40babel%2Fplugin-syntax-jsx@7.18.6","pkg:npm/%40babel%2Fplugin-syntax-private-property-in-object@7.14.5","pkg:npm/%40babel%2Fplugin-syntax-object-rest-spread@7.8.3","pkg:npm/%40babel%2Fplugin-proposal-optional-catch-binding@7.18.6","pkg:npm/%40babel%2Fplugin-transform-function-name@7.18.9","pkg:npm/%40babel%2Fhelper-validator-identifier@7.18.6","pkg:npm/%40babel%2Fplugin-transform-unicode-escapes@7.18.10","pkg:npm/%40babel%2Fplugin-transform-shorthand-properties@7.18.6","pkg:npm/%40babel%2Fhelper-compilation-targets@7.18.9","pkg:npm/%40babel%2Fhelpers@7.18.9","pkg:npm/%40adobe%2Fcss-tools@4.0.1","pkg:npm/%40babel%2Fhelper-string-parser@7.18.10","pkg:npm/%40babel%2Fplugin-transform-duplicate-keys@7.18.9","pkg:npm/%40babel%2Fplugin-transform-flow-strip-types@7.18.9","pkg:npm/%40babel%2Fplugin-proposal-async-generator-functions@7.18.10","pkg:npm/%40babel%2Fhelper-remap-async-to-generator@7.18.9","pkg:npm/%40babel%2Fplugin-syntax-dynamic-import@7.8.3","pkg:npm/%40babel%2Fpreset-env@7.18.10","pkg:npm/%40babel%2Fplugin-proposal-export-namespace-from@7.18.9","pkg:npm/%40babel%2Fparser@7.18.11","pkg:npm/%40carbon%2Fgrid@10.43.1","pkg:npm/%40babel%2Fplugin-proposal-logical-assignment-operators@7.18.9","pkg:npm/%40babel%2Fplugin-transform-react-jsx-development@7.18.6","pkg:npm/%40babel%2Fhelper-module-transforms@7.18.9","pkg:npm/%40babel%2Fhelper-create-regexp-features-plugin@7.18.6","pkg:npm/%40babel%2Fplugin-proposal-private-methods@7.18.6","pkg:npm/%40babel%2Fhelper-simple-access@7.18.6","pkg:npm/%40babel%2Fplugin-transform-computed-properties@7.18.9","pkg:npm/%40babel%2Fhelper-create-class-features-plugin@7.18.9","pkg:npm/%40babel%2Fplugin-proposal-json-strings@7.18.6","pkg:npm/%40babel%2Fplugin-proposal-private-property-in-object@7.18.6","pkg:npm/%40babel%2Fplugin-bugfix-safari-id-destructuring-collision-in-func
tion-expression@7.18.6","pkg:npm/%40babel%2Fplugin-syntax-import-assertions@7.18.6","pkg:npm/%40babel%2Fplugin-transform-runtime@7.18.10","pkg:npm/%40babel%2Fplugin-transform-template-literals@7.18.9","pkg:npm/%40babel%2Ftypes@7.18.10","pkg:npm/%40babel%2Fplugin-syntax-numeric-separator@7.10.4","pkg:npm/%40babel%2Fplugin-syntax-import-meta@7.10.4","pkg:npm/%40babel%2Fplugin-transform-exponentiation-operator@7.18.6","pkg:npm/%40babel%2Fhelper-function-name@7.18.9","pkg:npm/%40babel%2Fplugin-transform-classes@7.18.9","pkg:npm/%40babel%2Fhelper-split-export-declaration@7.18.6","pkg:npm/%40babel%2Fplugin-syntax-top-level-await@7.14.5","pkg:npm/%40babel%2Fplugin-transform-property-literals@7.18.6","pkg:npm/%40babel%2Fplugin-transform-arrow-functions@7.18.6","pkg:npm/%40babel%2Fcode-frame@7.18.6","pkg:npm/%40babel%2Fruntime@7.18.9","pkg:npm/%40babel%2Fhighlight@7.18.6","pkg:npm/%40babel%2Fplugin-transform-modules-amd@7.18.6","pkg:npm/%40babel%2Fhelper-optimise-call-expression@7.18.6","pkg:npm/%40babel%2Fhelper-hoist-variables@7.18.6","pkg:npm/%40babel%2Fpreset-typescript@7.18.6","pkg:npm/%40babel%2Fplugin-proposal-class-properties@7.18.6","pkg:npm/%40babel%2Fplugin-syntax-typescript@7.18.6","pkg:npm/%40babel%2Fplugin-proposal-decorators@7.18.10","pkg:npm/%40babel%2Fplugin-syntax-json-strings@7.8.3","pkg:npm/%40babel%2Fplugin-proposal-nullish-coalescing-operator@7.18.6","pkg:npm/%40babel%2Fplugin-transform-for-of@7.18.8","pkg:npm/%40babel%2Fplugin-transform-react-constant-elements@7.18.12","pkg:npm/%40babel%2Fhelper-environment-visitor@7.18.9","pkg:npm/%40babel%2Fhelper-annotate-as-pure@7.18.6","pkg:npm/%40babel%2Fcompat-data@7.18.8","pkg:npm/%40babel%2Fhelper-wrap-function@7.18.11","pkg:npm/%40babel%2Fplugin-transform-react-display-name@7.18.6","pkg:npm/%40babel%2Fplugin-syntax-decorators@7.18.6","pkg:npm/%40babel%2Fplugin-transform-object-super@7.18.6","pkg:npm/%40babel%2Ftraverse@7.18.11","pkg:npm/%40babel%2Fhelper-builder-binary-assignment-operator-visitor@7.18.9","pkg
:npm/%40babel%2Fplugin-transform-typeof-symbol@7.18.9","pkg:npm/%40babel%2Fplugin-transform-destructuring@7.18.9","pkg:npm/%40babel%2Fplugin-transform-typescript@7.18.12","pkg:npm/%40babel%2Fplugin-syntax-optional-catch-binding@7.8.3","pkg:npm/%40babel%2Fplugin-transform-dotall-regex@7.18.6","pkg:npm/%40babel%2Fplugin-syntax-async-generators@7.8.4","pkg:npm/%40babel%2Fruntime-corejs3@7.18.9","pkg:npm/%40babel%2Fplugin-proposal-unicode-property-regex@7.18.6","pkg:npm/%40babel%2Fplugin-syntax-optional-chaining@7.8.3","pkg:npm/%40babel%2Fplugin-transform-parameters@7.18.8","pkg:npm/%40babel%2Fpreset-react@7.18.6","pkg:npm/%40babel%2Fplugin-proposal-dynamic-import@7.18.6","pkg:npm/%40babel%2Fplugin-transform-reserved-words@7.18.6","pkg:npm/%40apideck%2Fbetter-ajv-errors@0.3.6","pkg:npm/%40babel%2Fhelper-module-imports@7.18.6","pkg:npm/%40babel%2Fplugin-transform-spread@7.18.9","pkg:npm/%40babel%2Fpreset-modules@0.1.5","pkg:npm/%40ampproject%2Fremapping@2.2.0","pkg:npm/%40babel%2Fplugin-syntax-flow@7.18.6","pkg:npm/%40babel%2Fplugin-transform-modules-commonjs@7.18.6","pkg:npm/%40carbon%2Ffeature-flags@0.7.0","pkg:npm/%40babel%2Fcore@7.18.10","pkg:npm/%40babel%2Fhelper-validator-option@7.18.6","pkg:npm/%40babel%2Fplugin-transform-new-target@7.18.6","pkg:npm/%40babel%2Fplugin-transform-member-expression-literals@7.18.6","pkg:npm/%40babel%2Fhelper-plugin-utils@7.18.9","pkg:npm/%40babel%2Fplugin-syntax-export-namespace-from@7.8.3","pkg:npm/%40babel%2Fplugin-bugfix-v8-spread-parameters-in-optional-chaining@7.18.9","pkg:npm/%40babel%2Fplugin-syntax-nullish-coalescing-operator@7.8.3","pkg:npm/%40babel%2Ftemplate@7.18.10","pkg:npm/%40babel%2Fplugin-transform-block-scoping@7.18.9","pkg:npm/%40babel%2Fplugin-transform-block-scoped-functions@7.18.6","pkg:npm/%40babel%2Fplugin-transform-sticky-regex@7.18.6","pkg:npm/%40babel%2Fhelper-member-expression-to-functions@7.18.9","pkg:npm/%40babel%2Fplugin-syntax-bigint@7.8.3","pkg:npm/%40babel%2Fplugin-proposal-object-rest-spread@7.18.9","
pkg:npm/%40bcoe%2Fv8-coverage@0.2.3","pkg:npm/%40babel%2Fplugin-proposal-optional-chaining@7.18.9","pkg:npm/%40babel%2Fplugin-transform-regenerator@7.18.6","pkg:npm/%40babel%2Fhelper-replace-supers@7.18.9","pkg:npm/%40jridgewell%2Fgen-mapping@0.1.1","pkg:npm/%40babel%2Fplugin-transform-react-pure-annotations@7.18.6","pkg:npm/%40babel%2Feslint-parser@7.18.9","pkg:npm/%40babel%2Fplugin-syntax-class-properties@7.12.13","pkg:npm/%40babel%2Fhelper-define-polyfill-provider@0.3.2","pkg:npm/%40babel%2Fhelper-skip-transparent-expression-wrappers@7.18.9","pkg:npm/%40babel%2Fplugin-transform-named-capturing-groups-regex@7.18.6","pkg:npm/%40babel%2Fplugin-syntax-class-static-block@7.14.5","pkg:npm/%40babel%2Fplugin-syntax-logical-assignment-operators@7.10.4","pkg:npm/%40babel%2Fplugin-transform-literals@7.18.9","pkg:npm/%40babel%2Fplugin-transform-async-to-generator@7.18.6","pkg:npm/%40babel%2Fplugin-proposal-numeric-separator@7.18.6","pkg:npm/%40babel%2Fplugin-transform-modules-umd@7.18.6","pkg:npm/%40carbon%2Fcolors@10.37.1","pkg:npm/%40babel%2Fplugin-proposal-class-static-block@7.18.6","pkg:npm/%40babel%2Fplugin-transform-modules-systemjs@7.18.9","pkg:npm/%40babel%2Fhelper-explode-assignable-expression@7.18.6","pkg:npm/%40babel%2Fgenerator@7.18.12","pkg:npm/%40babel%2Fplugin-transform-react-jsx@7.18.10"]} (application/vnd.ossindex.component-report-request.v1+json); accept: application/vnd.ossindex.component-report.v1+json
[DEBUG] Connecting to: https://ossindex.sonatype.org/api/v3/component-report
[DEBUG] Error requesting component reports
org.sonatype.ossindex.service.client.transport.Transport$TransportException: Unexpected response; status: 500
    at org.sonatype.ossindex.service.client.transport.HttpUrlConnectionTransport.post (HttpUrlConnectionTransport.java:106)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.doRequestComponentReports (OssindexClientImpl.java:204)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.requestComponentReports (OssindexClientImpl.java:170)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.requestReports (OssIndexAnalyzer.java:212)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:140)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:871)

Making the same request from https://ossindex.sonatype.org/rest returns 500 also.

If %2F is replaced with / then the request is successful.

To reproduce:

curl -X 'POST' \
  'https://ossindex.sonatype.org/api/v3/authorized/component-report' \
  -H 'accept: application/vnd.ossindex.component-report.v1+json' \
  -H 'authorization: Basic $TOKEN' \
  -H 'Content-Type: application/vnd.ossindex.component-report-request.v1+json' \
  -d '{
  "coordinates": [
    "pkg:npm/%40babel%2Fplugin-transform-unicode-regex@7.18.6"
  ]
}
'

returns:

{
  "code": 500,
  "message": "There was an error processing your request. It has been logged (ID 8122e3b1446462e1)."
}

curl -X 'POST' \
  'https://ossindex.sonatype.org/api/v3/authorized/component-report' \
  -H 'accept: application/vnd.ossindex.component-report.v1+json' \
  -H 'authorization: Basic $TOKEN' \
  -H 'Content-Type: application/vnd.ossindex.component-report-request.v1+json' \
  -d '{
  "coordinates": [
    "pkg:npm/%40babel/plugin-transform-unicode-regex@7.18.6"
  ]
}
'

returns:

200
[
  {
    "coordinates": "pkg:npm/%40babel/plugin-transform-unicode-regex@7.18.6",
    "description": "Compile ES2015 Unicode regex to ES5",
    "reference": "https://ossindex.sonatype.org/component/pkg:npm/%40babel/plugin-transform-unicode-regex@7.18.6?utm_source=mozilla&utm_medium=integration&utm_content=5.0",
    "vulnerabilities": []
  }
]
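A client-side normalization of the coordinates before they are posted, as an added example that is not part of Dependency-Check, the OSS Index client or this report. It assumes the package-url rule that the '/' separating type, namespace and name is never percent-encoded while the '@' of an npm scope stays '%40'; the function names are illustrative. It goes a little beyond the single npm coordinate above by leaving qualifiers ('?...') and a subpath ('#...') untouched, and it pulls the server log ID out of a 500 body like the one shown so it can be quoted when the failure is reported.

```python
"""Normalize package-url coordinates before posting them to the OSS Index
component-report API, and turn a failed reply into something loggable.

Added example for this issue; not code from Dependency-Check, the OSS Index
client or the API itself. Function names are illustrative.
"""
import json
import re
from typing import Dict, Iterable, List, Optional

OSSINDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
REQUEST_TYPE = "application/vnd.ossindex.component-report-request.v1+json"
RESPONSE_TYPE = "application/vnd.ossindex.component-report.v1+json"

# In a purl the '/' between type, namespace and name is never percent-encoded;
# '%40' for the '@' of a scoped npm package is correct and is left alone.
_ENCODED_SLASH = re.compile(r"%2[Ff]")
# OSS Index 500 bodies carry "(ID <hex>)", the reference its operators look up.
_LOG_ID = re.compile(r"\(ID ([0-9A-Fa-f]+)\)")


def normalize_purl(purl: str) -> str:
    """Decode %2F in the type/namespace/name part of a purl only.

    Qualifiers ('?...') and subpath ('#...') are split off first so that an
    encoded slash inside, e.g. a repository_url qualifier, is preserved.
    """
    rest, has_subpath, subpath = purl.partition("#")
    rest, has_qualifiers, qualifiers = rest.partition("?")
    # The last literal '@' introduces the version; an '@' inside a namespace
    # is encoded as %40, so it cannot be mistaken for the version separator.
    path, has_version, version = rest.rpartition("@")
    if not has_version:
        path, version = rest, ""
    path = _ENCODED_SLASH.sub("/", path)
    out = path
    if has_version:
        out += "@" + version
    if has_qualifiers:
        out += "?" + qualifiers
    if has_subpath:
        out += "#" + subpath
    return out


def build_request(coordinates: Iterable[str]) -> Dict[str, List[str]]:
    """Build the JSON body for POST component-report with normalized,
    de-duplicated coordinates (two spellings of one package collapse to one)."""
    seen = set()
    ordered: List[str] = []
    for purl in coordinates:
        canonical = normalize_purl(purl)
        if canonical not in seen:
            seen.add(canonical)
            ordered.append(canonical)
    return {"coordinates": ordered}


def request_headers(basic_token: Optional[str] = None) -> Dict[str, str]:
    """Headers used in the curl reproduction above; the token is optional
    because the unauthenticated endpoint accepts the same media types."""
    headers = {"accept": RESPONSE_TYPE, "Content-Type": REQUEST_TYPE}
    if basic_token:
        headers["authorization"] = "Basic " + basic_token
    return headers


def parse_error(status: int, body: str) -> Optional[Dict[str, object]]:
    """Return None for a 200; otherwise the status, the server's message and
    the log ID taken from that message (if present) for a bug report."""
    if status == 200:
        return None
    try:
        message = str(json.loads(body).get("message", body))
    except (ValueError, AttributeError):
        message = body
    match = _LOG_ID.search(message)
    return {"status": status, "message": message,
            "log_id": match.group(1) if match else None}


if __name__ == "__main__":
    # Constructed sample built from two coordinates quoted in this issue.
    payload = build_request([
        "pkg:npm/%40babel%2Fplugin-transform-unicode-regex@7.18.6",
        "pkg:npm/%40babel%2Fparser@7.18.11",
    ])
    print(json.dumps(payload, indent=2))
```

Running the block prints the payload with '/' restored between scope and name; `parse_error` applied to the 500 body shown above yields the log ID 8122e3b1446462e1 without a human having to read the message.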

@jeremylong

Do you have a sample npm project that causes this error that you can share?

@davetobin (Author)

@jeremylong I don't, unfortunately, but it looks like the issue has been resolved now. Thanks!

Dependency Check and API calls that were failing yesterday are working now as expected, returning 200.

curl -X 'POST' \
  'https://ossindex.sonatype.org/api/v3/authorized/component-report' \
  -H 'accept: application/vnd.ossindex.component-report.v1+json' \
  -H 'authorization: Basic $TOKEN' \
  -H 'Content-Type: application/vnd.ossindex.component-report-request.v1+json' \
  -d '{
  "coordinates": [
    "pkg:npm/%40babel%2Fplugin-transform-unicode-regex@7.18.6"
  ]
}
'

now returns

200
[
  {
    "coordinates": "pkg:npm/%40babel%2Fplugin-transform-unicode-regex@7.18.6",
    "reference": "https://ossindex.sonatype.org/component/pkg:npm/%40babel%2Fplugin-transform-unicode-regex@7.18.6?utm_source=mozilla&utm_medium=integration&utm_content=5.0",
    "vulnerabilities": []
  }
]
