DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

sBOM upload : "An unknown error occurred in an asynchronous event or notification thread" #2793

Open erwandf opened 1 year ago

erwandf commented 1 year ago

Current Behavior

Whether I upload an SBOM via the web UI or the Jenkins plugin, I can't get the analysis done.

sbom-front.txt

```
2023-05-30 20:02:27,347 ERROR [LoggableUncaughtExceptionHandler] An unknown error occurred in an asynchronous event or notification thread
java.lang.StackOverflowError: null
	at java.base/java.io.ObjectInputStream$BlockDataInputStream.readUnsignedShort(Unknown Source)
	at java.base/java.io.ObjectInputStream$BlockDataInputStream.readUTF(Unknown Source)
	at java.base/java.io.ObjectInputStream.readUTF(Unknown Source)
	at java.base/java.io.ObjectStreamClass.readNonProxy(Unknown Source)
	at java.base/java.io.ObjectInputStream.readClassDescriptor(Unknown Source)
	at java.base/java.io.ObjectInputStream.readNonProxyDesc(Unknown Source)
	at java.base/java.io.ObjectInputStream.readClassDesc(Unknown Source)
	at java.base/java.io.ObjectInputStream.readEnum(Unknown Source)
	at java.base/java.io.ObjectInputStream.readObject0(Unknown Source)
	at java.base/java.io.ObjectInputStream$FieldValues.<init>(Unknown Source)
	at java.base/java.io.ObjectInputStream.readSerialData(Unknown Source)
	at java.base/java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
	at java.base/java.io.ObjectInputStream.readObject0(Unknown Source)
	at java.base/java.io.ObjectInputStream.readObject(Unknown Source)
	at java.base/java.io.ObjectInputStream.readObject(Unknown Source)
	at java.base/java.util.ArrayList.readObject(Unknown Source)
	at java.base/jdk.internal.reflect.GeneratedMethodAccessor199.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at java.base/java.io.ObjectStreamClass.invokeReadObject(Unknown Source)
	at java.base/java.io.ObjectInputStream.readSerialData(Unknown Source)
	at java.base/java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
	at java.base/java.io.ObjectInputStream.readObject0(Unknown Source)
	at java.base/java.io.ObjectInputStream.readObject(Unknown Source)
	at java.base/java.io.ObjectInputStream.readObject(Unknown Source)
	at org.datanucleus.store.rdbms.mapping.column.BlobImpl.getObject(BlobImpl.java:120)
	at org.datanucleus.store.rdbms.mapping.column.AbstractLargeBinaryColumnMapping.getObjectForBytes(AbstractLargeBinaryColumnMapping.java:255)
	at org.datanucleus.store.rdbms.mapping.column.AbstractLargeBinaryColumnMapping.getObject(AbstractLargeBinaryColumnMapping.java:389)
	at org.datanucleus.store.rdbms.mapping.java.AbstractContainerMapping.getObject(AbstractContainerMapping.java:281)
	at org.datanucleus.store.rdbms.fieldmanager.ResultSetGetter.fetchObjectField(ResultSetGetter.java:181)
	at org.datanucleus.state.StateManagerImpl.replacingObjectField(StateManagerImpl.java:2045)
	at org.dependencytrack.model.Component.dnReplaceField(Component.java)
	at org.dependencytrack.model.Component.dnReplaceFields(Component.java)
	at org.datanucleus.state.StateManagerImpl.replaceFields(StateManagerImpl.java:4342)
	at org.datanucleus.state.StateManagerImpl.replaceFields(StateManagerImpl.java:4366)
	at org.datanucleus.store.rdbms.request.FetchRequest.execute(FetchRequest.java:502)
	at org.datanucleus.store.rdbms.RDBMSPersistenceHandler.fetchObject(RDBMSPersistenceHandler.java:354)
	at org.datanucleus.state.StateManagerImpl.loadFieldsFromDatastore(StateManagerImpl.java:1608)
	at org.datanucleus.state.StateManagerImpl.refreshFieldsInFetchPlan(StateManagerImpl.java:4007)
	at org.datanucleus.api.jdo.state.PersistentNontransactional.transitionRefresh(PersistentNontransactional.java:93)
	at org.datanucleus.state.StateManagerImpl.refresh(StateManagerImpl.java:1007)
	at org.datanucleus.ExecutionContextImpl.refreshObject(ExecutionContextImpl.java:1602)
	at org.datanucleus.api.jdo.JDOPersistenceManager.jdoRefresh(JDOPersistenceManager.java:490)
	at org.datanucleus.api.jdo.JDOPersistenceManager.refresh(JDOPersistenceManager.java:507)
	at alpine.persistence.AbstractAlpineQueryManager.persist(AbstractAlpineQueryManager.java:430)
	at org.dependencytrack.persistence.ComponentQueryManager.createComponent(ComponentQueryManager.java:306)
	at org.dependencytrack.persistence.QueryManager.createComponent(QueryManager.java:516)
	at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:206)
	at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:216)
```

Steps to Reproduce

  1. Use the provided SBOM.
  2. Upload it once; it works fine.
  3. Upload it a second time; then you get the stack trace in the logs.

Expected Behavior

the analysis should be executed and the results shown

Dependency-Track Version

4.8.2

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist

nluzgin commented 1 week ago

Got the same issue, only for Go projects. In the logs this looks like this:

First upload:

```
2024-09-30 11:58:58,800 INFO [BomUploadProcessingTask] Processing CycloneDX dependency graph for project: 188c00b2-e440-4ae3-abcc-5f68e36afdc1
2024-09-30 11:58:58,884 INFO [BomUploadProcessingTask] Processed 429 components and 0 services uploaded to project 188c00b2-e440-4ae3-abcc-5f68e36afdc1
2024-09-30 11:58:58,884 INFO [RepositoryMetaAnalyzerTask] Performing component repository metadata analysis against 429 components
2024-09-30 11:58:59,112 INFO [InternalAnalysisTask] Starting internal analysis task
2024-09-30 11:58:59,112 INFO [InternalAnalysisTask] Analyzing 429 component(s)
2024-09-30 11:59:00,068 INFO [InternalAnalysisTask] Internal analysis complete
```

Second upload leads to errors:

```
2024-09-30 12:25:58,812 INFO [BomUploadProcessingTask] Processing CycloneDX BOM uploaded to project: 188c00b2-e440-4ae3-abcc-5f68e36afdc1
2024-09-30 12:26:10,553 ERROR [LoggableUncaughtExceptionHandler] An unknown error occurred in an asynchronous event or notification thread
java.lang.StackOverflowError: null
	at java.base/sun.nio.ch.Util.offerFirstTemporaryDirectBuffer(Unknown Source)
	at java.base/sun.nio.ch.NioSocketImpl.tryRead(Unknown Source)
	at java.base/sun.nio.ch.NioSocketImpl.implRead(Unknown Source)
	at java.base/sun.nio.ch.NioSocketImpl.read(Unknown Source)
	at java.base/sun.nio.ch.NioSocketImpl$1.read(Unknown Source)
	at java.base/java.net.Socket$SocketInputStream.read(Unknown Source)
	at org.postgresql.core.VisibleBufferedInputStream.readMore(VisibleBufferedInputStream.java:162)
	at org.postgresql.core.VisibleBufferedInputStream.ensureBytes(VisibleBufferedInputStream.java:129)
	at org.postgresql.core.VisibleBufferedInputStream.ensureBytes(VisibleBufferedInputStream.java:114)
	at org.postgresql.core.VisibleBufferedInputStream.read(VisibleBufferedInputStream.java:74)
	at org.postgresql.core.PGStream.receiveChar(PGStream.java:467)
	at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2166)
	at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:371)
	at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:502)
	at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:419)
	at org.postgresql.jdbc.PgStatement.executeWithFlags(PgStatement.java:341)
	at org.postgresql.jdbc.PgStatement.executeCachedSql(PgStatement.java:326)
	at org.postgresql.jdbc.PgStatement.executeWithFlags(PgStatement.java:302)
	at org.postgresql.jdbc.PgConnection.execSQLQuery(PgConnection.java:582)
	at org.postgresql.jdbc.PgConnection.execSQLQuery(PgConnection.java:575)
	at org.postgresql.jdbc.PgConnection.getTransactionIsolation(PgConnection.java:1041)
	at com.zaxxer.hikari.pool.HikariProxyConnection.getTransactionIsolation(HikariProxyConnection.java)
	at org.datanucleus.store.rdbms.ConnectionFactoryImpl$ManagedConnectionImpl.getConnection(ConnectionFactoryImpl.java:445)
	at org.datanucleus.store.rdbms.SQLController.getStatementForQuery(SQLController.java:319)
	at org.datanucleus.store.rdbms.SQLController.getStatementForQuery(SQLController.java:304)
	at org.datanucleus.store.rdbms.request.FetchRequest.execute(FetchRequest.java:430)
	at org.datanucleus.store.rdbms.RDBMSPersistenceHandler.fetchObject(RDBMSPersistenceHandler.java:427)
	at org.datanucleus.state.StateManagerImpl.loadFieldsFromDatastore(StateManagerImpl.java:1632)
	at org.datanucleus.state.StateManagerImpl.refreshFieldsInFetchPlan(StateManagerImpl.java:4034)
	at org.datanucleus.api.jdo.state.PersistentNontransactional.transitionRefresh(PersistentNontransactional.java:93)
	at org.datanucleus.state.StateManagerImpl.refresh(StateManagerImpl.java:1031)
	at org.datanucleus.ExecutionContextImpl.refreshObject(ExecutionContextImpl.java:1664)
	at org.datanucleus.api.jdo.JDOPersistenceManager.jdoRefresh(JDOPersistenceManager.java:490)
	at org.datanucleus.api.jdo.JDOPersistenceManager.refresh(JDOPersistenceManager.java:507)
	at alpine.persistence.AbstractAlpineQueryManager.persist(AbstractAlpineQueryManager.java:430)
	at org.dependencytrack.persistence.ComponentQueryManager.createComponent(ComponentQueryManager.java:348)
	at org.dependencytrack.persistence.QueryManager.createComponent(QueryManager.java:565)
	at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:252)
	at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:262)
	at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:262)
	at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:262)
	at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:262)
	at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:262)
	at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:262)
	at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:262)
	at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:262)
	at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:262)
	at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:262)
	at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:262)
	at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:262)
	at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:262)
	at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:262)
	at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:262)
	at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:262)
	at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:262)
	at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:262)
	at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:262)
```

P.S. DepTrack Version: 4.11.7

P.P.S. Bom was generated by https://github.com/CycloneDX/cyclonedx-gomod (1.7.0 with 1.6 version) and merged by https://github.com/CycloneDX/cyclonedx-cli (0.27.1)

nluzgin commented 1 week ago

UPDATE:

Some strange things are happening =))

We have 428 components, with duplication of some of them:

[screenshot]

I select the first 100 rows and try to delete them. Some of these are deleted and I see some 500 errors:

[screenshot]

A new upload leads to no duplications, but I still cannot delete the component - 500

[screenshot]

[screenshot]

If I check the backend logs for the 500 errors: empty

P.S. And there is only one definition of the component in the SBOM (can't provide it, because it is production data): 1 match in the "components" section, and the other matches only in "dependency" blocks.

[screenshot]
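Added example, not code from Dependency-Track or from the reporters: a pre-upload sanity check for a CycloneDX JSON SBOM that flags duplicate bom-refs among components, dependency references to refs that no component declares, and cycles in the dependencies graph. It assumes (an assumption, not something the thread confirms) that those conditions are the kind of input that drives the repeated processComponent frames seen above; the SBOM embedded below is constructed for the demonstration.

```python
import json
import sys
from collections import Counter

# Constructed sample CycloneDX 1.5 SBOM (not the reporter's data): component "b" is
# declared twice, "app" depends on an undeclared ref, and a -> b -> a forms a cycle.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "app", "version": "1.0"}},
    "components": [
        {"bom-ref": "pkg:golang/a@1.0", "name": "a", "version": "1.0"},
        {"bom-ref": "pkg:golang/b@1.0", "name": "b", "version": "1.0"},
        {"bom-ref": "pkg:golang/b@1.0", "name": "b", "version": "1.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:golang/a@1.0", "pkg:golang/missing@1.0"]},
        {"ref": "pkg:golang/a@1.0", "dependsOn": ["pkg:golang/b@1.0"]},
        {"ref": "pkg:golang/b@1.0", "dependsOn": ["pkg:golang/a@1.0"]},
    ],
})

def check_bom(text):
    """Return duplicate bom-refs, dangling dependency refs and dependency cycles."""
    bom = json.loads(text)
    refs = [c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c]
    declared = set(refs)
    meta_ref = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    if meta_ref:
        declared.add(meta_ref)
    duplicates = sorted(r for r, n in Counter(refs).items() if n > 1)
    graph = {}
    for dep in bom.get("dependencies", []):
        graph.setdefault(dep["ref"], []).extend(dep.get("dependsOn", []))
    dangling = sorted({r for ref, deps in graph.items()
                       for r in [ref] + deps if r not in declared})
    # Recursive DFS with three-colour marking: a grey (in-progress) neighbour is a back edge.
    cycles, state = [], {}
    def visit(node, path):
        state[node] = 1
        path.append(node)
        for nxt in graph.get(node, []):
            if state.get(nxt, 0) == 1:
                cycles.append(path[path.index(nxt):] + [nxt])
            elif state.get(nxt, 0) == 0:
                visit(nxt, path)
        path.pop()
        state[node] = 2
    for node in list(graph):
        if state.get(node, 0) == 0:
            visit(node, [])
    return {"duplicates": duplicates, "dangling": dangling, "cycles": cycles}

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BOM
    print(json.dumps(check_bom(data), indent=2))
```

Run it with the path of a real bom.json as the first argument; an empty result for all three keys means the graph has no duplicates, dangling refs or cycles to worry about before uploading.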