Error - Not alive and dispose was called

[SandwichCZ]

Describe the bug
When scanning a Maven project for vulnerabilities, new errors have started appearing after upgrading to version 8.4.3 (see attached log excerpt). The issue is reproducible 100 % of the time in our project, but did not occur on any previous versions of the plugin.

Version of dependency-check used
The problem occurs using version 8.4.3 of the Maven plugin.

Log file

...
See the dependency-check report for more details.


[INFO] Cache event queue destroyed: CacheEventQueue [listenerId=-744276867, cacheName=NODEAUDIT]
[INFO] Cache event queue destroyed: CacheEventQueue [listenerId=-744276867, cacheName=CENTRAL]
[INFO] Cache event queue destroyed: CacheEventQueue [listenerId=-744276867, cacheName=POM]
[ERROR] Region [NODEAUDIT] : Not alive and dispose was called, filename: NODEAUDIT
[ERROR] Region [CENTRAL] : Not alive and dispose was called, filename: CENTRAL
[ERROR] Region [POM] : Not alive and dispose was called, filename: POM
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
...

To Reproduce
Steps to reproduce the behavior:

1. Start dependency scanning of a Maven project.
2. Wait for it to finish.
3. See errors.

Expected behavior
No errors are displayed, preferably also no Cache event queue destroyed messages.

[nam178]

Same, I'm getting the same error using the CLI

[ERROR] Region [NODEAUDIT] : Not alive and dispose was called, filename: NODEAUDIT
[INFO] In dispose, destroying event queue.
[ERROR] Region [CENTRAL] : Not alive and dispose was called, filename: CENTRAL
[INFO] In dispose, destroying event queue.
[ERROR] Region [POM] : Not alive and dispose was called, filename: POM

[j-aho]

I cut out a part of the "debug log" and attached it
dependency-check-NODEAUDIT.log

The /opt/dependency-check/data/cache/NODEAUDIT.key is 0 bytes
-rw-r--r--. 1 user user 0 Nov 16 09:23 /opt/dependency-check/data/cache/NODEAUDIT.key

It do manage to write the the report dependency-check-report.htm before this happens.

On MS-Windows with version 8.1.2 this don't happen, on Linux with version 8.1.2/8.4.2/8.4.3 it happens for one of my projects.
This do not happen with other projects and I have no clue at all what causing this and I really wish it wouldn't throw this an error (let it exit with 0 IMHO). The projects I have looked at are using nodejs/C#

[jeremylong]

This is a completely ignorable error. It makes zero sense that this is reported by JCS as an error as opposed to a debug message. It does not affect the functioning of the cache at all.

[j-aho]

Sadly I can't ignore it as it exits with error code 14, had it exited with 0 then the build system wouldn't have stopped.

[jeremylong]

@j-aho you should see a line that says "One or more fatal errors occurred" in the output. What is directly below that line?

[jeremylong]

@j-aho I'm 99.9% positive this "error" reported stating 'Not alive and dispose was called' is not the source of the exit code 14.

[j-aho]

Okay, then I'll try to figure out what it may be.
(Seems excluding /.git/ did the trick)

[thett01]

Hi @jeremylong ,
These errors made the pipeline fail. I'm using Dependency Check AzureDevops.
My version is 9.0.0
What can I do right now?

[ERROR] Region [NODEAUDIT] : Not alive and dispose was called, filename: NODEAUDIT
[INFO] In dispose, destroying event queue.
[ERROR] Region [CENTRAL] : Not alive and dispose was called, filename: CENTRAL
[INFO] In dispose, destroying event queue.
[ERROR] Region [POM] : Not alive and dispose was called, filename: POM
[ERROR] One or more fatal errors occurred
[ERROR] Unable to connect to the database - if this error persists it may be due to a corrupt database. Consider running `purge` to delete the existing database

Dependency Check completed with exit code 13.
Dependency Check reports:
[]
Dependency Check failed with message "Dependency Check exited with an error code (exit code: 13)."
##[error]Dependency Check exited with an error code (exit code: 13)

[jeremylong]

Please don't combine issues into a single ticket like this. Yes, due to capacity issues with the NVD API 9.0.0 has issues. See #6107.

[Hacksoull]

Is there no fix as at now? because I experience the same issue on my circleCi.

[alireza1371]

I have the same issue, is there any update on this?

[j-aho]

@alireza1371 the exit code (like 14 from @Hacksoull screenshot) has nothing to do with the error message displayed in the screenshot

For Error codes you can look at: https://github.com/jeremylong/DependencyCheck/blob/main/cli/src/main/java/org/owasp/dependencycheck/App.java

Sadly it will not give much information, most likely it can be some files that causes the issue, try to exclude directories like .git from the scanning.

Here is a small example when scanning dependency-check.sh --dotnet /usr/bin/dotnet -s /usr/include/ -o /tmp ; echo "EXIT CODE: $?":

[ERROR] Region [NODEAUDIT] : Not alive and dispose was called, filename: NODEAUDIT
[INFO] In dispose, destroying event queue.
[ERROR] Region [CENTRAL] : Not alive and dispose was called, filename: CENTRAL
[INFO] In dispose, destroying event queue.
[ERROR] Region [POM] : Not alive and dispose was called, filename: POM
EXIT CODE: 0

So the error is there, but do not affect the writing of the report and exiting it as if nothing had happen. Sure it had been nice if the error could have been warning or info, think less people would be confused.