
DependencyCheck >10 Causes bootBuildImage Task to Fail with Buildpack #7141

Open

tomaaron opened this issue Nov 7, 2024 · 6 comments

tomaaron commented Nov 7, 2024

Describe the bug
When using DependencyCheck version >10 with Buildpack, the bootBuildImage task fails due to a misleading Docker connection error. The error indicates that it is unable to connect to the Docker daemon, causing the build to terminate unexpectedly.

Version of dependency-check used
The problem occurs using version >10 of the gradle plugin for DependencyCheck.

Log file
The log output of a build shows an error message:

Execution failed for task ':bootBuildImage'.
> Connection to the Docker daemon at '/var/run/docker.sock' failed with error "Connect to docker://localhost:2376 [localhost/127.0.0.1] failed: Connection refused"; ensure the Docker daemon is running and accessible

To Reproduce
Steps to reproduce the behavior:

  1. Set up a Java project using Buildpack and DependencyCheck >10.
  2. Configure the bootBuildImage task in the build script.
  3. Observe the error during the bootBuildImage task execution.

Expected behavior
The bootBuildImage task should complete successfully.

@tomaaron tomaaron added the bug label Nov 7, 2024
chadlwilson (Contributor) commented:

Do you have a simple project that reproduces this with the appropriate (Gradle?) configuration? I believe there are lots of ways one could configure/use buildpack (Spring Boot? other ways?) so probably need to be specific about the mechanism here.

pertyjons commented Nov 11, 2024

I generated a new default project from https://start.spring.io/ and added:

id("org.owasp.dependencycheck") version "11.1.0"

Then run:
./gradlew bootBuildImage

The following error:

> Task :bootBuildImage FAILED
Building image 'docker.io/library/demo:0.0.1-SNAPSHOT'

 > Pulling builder image 'docker.io/paketobuildpacks/builder-jammy-base:latest' ..................................................

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':bootBuildImage'.
> Connection to the Docker daemon at '/var/run/docker.sock' failed with error "Connect to docker://localhost:2376 [localhost/127.0.0.1] failed: Förbindelsen förvägrad"; ensure the Docker daemon is running and accessible

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.
> Get more help at https://help.gradle.org.

BUILD FAILED in 1s
5 actionable tasks: 1 executed, 4 up-to-date

Running Fedora 41, Docker version 27.3.1, spring-boot 3.3.5

For convenience, spring-boot-project with added plugin

demo-owasp.zip

chadlwilson (Contributor) commented Nov 11, 2024

Thx.

The root cause of the clash here is that Spring Boot buildpacks don't work properly with Apache HttpClient 5.4, which ODC brings in. The workaround is to add something like

Gradle Kotlin:

buildscript {
  dependencies {
    constraints {
      classpath("org.apache.httpcomponents.client5:httpclient5") {
        version {
          strictly("5.3.1") // Spring Boot Buildpacks at 3.3.5 isn't compatible with httpclient 5.4+ which ODC uses, until https://github.com/spring-projects/spring-boot/issues/42675 is available (via Spring Boot `3.4.0`+).
        }
      }
    }
  }
}

I'm not sure if this will work properly with ODC though on older HttpClient, will need someone to experiment.

This is already fixed in Spring Boot 3.4.0-RC1 via spring-projects/spring-boot#42675 so you'll probably need to wait for a Spring Boot release, or request a backport of the HttpClient 5.4 compatibility code to 3.3.x at https://github.com/spring-projects/spring-boot
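As an added illustration (not code from this thread or from the dependency-check project), the following Python script parses `./gradlew buildEnvironment` output, takes the version Gradle actually resolved for each coordinate (the right-hand side of `->`), and flags the clash described above: httpclient5 5.4 or newer on the buildscript classpath together with a Spring Boot older than 3.4.0. The two dependency trees are constructed samples, not real output.

```python
import re
from typing import Dict, Tuple

# One coordinate in `gradle buildEnvironment` output, e.g.
#   +--- org.apache.httpcomponents.client5:httpclient5:5.4 -> 5.3.1
# groups: group, name, requested version, resolved version after "->" (if any)
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):([\w.\-]+)(?:\s*->\s*([\w.\-]+))?")

HTTPCLIENT5 = "org.apache.httpcomponents.client5:httpclient5"
BROKEN_FROM = (5, 4)        # httpclient5 5.4+ breaks Boot's buildpack Docker client ...
BOOT_FIXED_IN = (3, 4, 0)   # ... until Spring Boot 3.4.0 (spring-projects/spring-boot#42675)

def version_key(v: str) -> Tuple[int, ...]:
    """Numeric prefix for ordering: '5.3.1' -> (5, 3, 1), '3.4.0-RC1' -> (3, 4, 0)."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()

def resolved_versions(build_env: str) -> Dict[str, str]:
    """Map 'group:name' to the version Gradle actually put on the classpath."""
    out: Dict[str, str] = {}
    for line in build_env.splitlines():
        m = COORD.search(line)
        if m:
            group, name, requested, resolved = m.groups()
            out[f"{group}:{name}"] = resolved or requested  # "->" wins over the request
    return out

def buildpack_clash(build_env: str, boot_version: str) -> bool:
    """True when httpclient5 >= 5.4 is resolved under a Spring Boot older than 3.4.0."""
    hc = resolved_versions(build_env).get(HTTPCLIENT5)
    return (
        hc is not None
        and version_key(hc)[:2] >= BROKEN_FROM
        and version_key(boot_version) < BOOT_FIXED_IN
    )

# Constructed sample trees (illustrative shape, not a real ODC/Boot dependency graph).
# Without a constraint, Gradle upgrades buildpack-platform's httpclient5 to ODC's 5.4:
UNPINNED = r"""
classpath
+--- org.springframework.boot:org.springframework.boot.gradle.plugin:3.3.5
|    \--- org.springframework.boot:spring-boot-buildpack-platform:3.3.5
|         \--- org.apache.httpcomponents.client5:httpclient5:5.3.1 -> 5.4
\--- org.owasp.dependencycheck:org.owasp.dependencycheck.gradle.plugin:11.1.0
     \--- org.owasp:dependency-check-gradle:11.1.0
          \--- org.apache.httpcomponents.client5:httpclient5:5.4
"""
# With the strictly("5.3.1") constraint from the comment above, ODC's request is forced down:
PINNED = UNPINNED.replace("5.3.1 -> 5.4", "5.3.1").replace("httpclient5:5.4\n", "httpclient5:5.4 -> 5.3.1\n")

if __name__ == "__main__":
    print(buildpack_clash(UNPINNED, "3.3.5"), buildpack_clash(PINNED, "3.3.5"))  # True False
```

Feed it the real output of `./gradlew buildEnvironment` to confirm which httpclient5 version the plugin classpath ended up with after adding the constraint.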

chadlwilson (Contributor) commented:

Might also be caused by spring-projects/spring-boot#42952 which seems it will be fixed in 3.4.0.

pertyjons commented:

Thank you very much, there is a lot going on in the Paketo buildpacks; now that we know the cause we can manage.

jeremylong (Owner) commented:

Fun thing with spring-boot and ODC - boot has a test configuration that ends up causing ODC to have a blank report. See dependency-check/dependency-check-gradle#410 (comment)

We likely need to document this somewhere...
