DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Error during the OSV download task for the GIT ecosystem #3826

Closed VinodAnandan closed 1 day ago

VinodAnandan commented 3 months ago

Current Behavior

OsvDownloadTask for the GIT ecosystem is erroring out with the following in the logs.

2024-06-09 20:47:47,873 INFO [OsvDownloadTask] Updating datasource with Google OSV advisories for ecosystem GIT
2024-06-09 20:48:07,444 ERROR [OsvDownloadTask] Exception while executing Http client request
java.lang.IndexOutOfBoundsException: Index 0 out of bounds for length 0
    at java.base/jdk.internal.util.Preconditions.outOfBounds(Unknown Source)
    at java.base/jdk.internal.util.Preconditions.outOfBoundsCheckIndex(Unknown Source)
    at java.base/jdk.internal.util.Preconditions.checkIndex(Unknown Source)
    at java.base/java.util.Objects.checkIndex(Unknown Source)
    at java.base/java.util.ArrayList.get(Unknown Source)
    at org.dependencytrack.tasks.OsvDownloadTask.calculateOSVSeverity(OsvDownloadTask.java:300)
    at org.dependencytrack.tasks.OsvDownloadTask.mapAdvisoryToVulnerability(OsvDownloadTask.java:259)
    at org.dependencytrack.tasks.OsvDownloadTask.updateDatasource(OsvDownloadTask.java:164)
    at org.dependencytrack.tasks.OsvDownloadTask.unzipFolder(OsvDownloadTask.java:151)
    at org.dependencytrack.tasks.OsvDownloadTask.inform(OsvDownloadTask.java:121)
    at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:110)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)

Steps to Reproduce

  1. Enable OSV mirroring with the Git ecosystem.
  2. Check the OSV mirroring logs.

Expected Behavior

OsvDownloadTask successfully completed the download.

Dependency-Track Version

4.11.3

Dependency-Track Distribution

Container Image

Database Server

H2

Database Server Version

No response

Browser

Google Chrome

lukas-braune commented 3 months ago

We're also mirroring OSV, including the GIT ecosystem, and have not encountered any such issues.

Pabloo-ss commented 3 months ago

Same error with Alpine and Debian envs

peterakimball commented 1 day ago

Added a pull request to address this issue. Feedback welcome!