Closed buke-narlitepe-itk closed 2 weeks ago
we receive a parse error from your API.
Can you share the exact error you're getting?
Thanks for the reply. The error I get is as follows:
2024-10-08 09:22:30,920 ERROR [BomUploadProcessingTask] Error while processing bom
org.cyclonedx.exception.ParseException: Unable to parse BOM from byte array
    at org.cyclonedx.parsers.JsonParser.parse(JsonParser.java:72)
    at org.dependencytrack.tasks.BomUploadProcessingTask.inform(BomUploadProcessingTask.java:111)
    at org.dependencytrack.tasks.BomUploadProcessingTaskV2.inform(BomUploadProcessingTaskV2.java:151)
    at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:110)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)
Caused by: com.fasterxml.jackson.databind.JsonMappingException: Cannot invoke "com.fasterxml.jackson.databind.JsonNode.asText()" because the return value of "com.fasterxml.jackson.databind.JsonNode.get(String)" is null (through reference chain: org.cyclonedx.model.Bom["components"]->java.util.ArrayList[1]->org.cyclonedx.model.Component["licenses"]->org.cyclonedx.model.License["licensing"]->org.cyclonedx.model.Licensing["purchaser"])
    at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:402)
    at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:361)
    at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.wrapAndThrow(BeanDeserializerBase.java:1937)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:312)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
    at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:310)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
    at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:342)
    at com.fasterxml.jackson.databind.ObjectMapper._readValue(ObjectMapper.java:4881)
    at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3035)
    at com.fasterxml.jackson.databind.ObjectMapper.treeToValue(ObjectMapper.java:3499)
    at org.cyclonedx.util.deserializer.LicenseDeserializer.processLicenseNode(LicenseDeserializer.java:77)
    at org.cyclonedx.util.deserializer.LicenseDeserializer.deserialize(LicenseDeserializer.java:64)
    at org.cyclonedx.util.deserializer.LicenseDeserializer.deserialize(LicenseDeserializer.java:34)
    at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:310)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
    at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer._deserializeFromArray(CollectionDeserializer.java:361)
    at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:246)
    at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:30)
    at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:310)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
    at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:342)
    at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4905)
    at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3909)
    at org.cyclonedx.parsers.JsonParser.parse(JsonParser.java:70)
    ... 6 common frames omitted
Caused by: java.lang.NullPointerException: Cannot invoke "com.fasterxml.jackson.databind.JsonNode.asText()" because the return value of "com.fasterxml.jackson.databind.JsonNode.get(String)" is null
    at org.cyclonedx.util.deserializer.OrganizationalChoiceDeserializer.deserializeOrganization(OrganizationalChoiceDeserializer.java:54)
    at org.cyclonedx.util.deserializer.OrganizationalChoiceDeserializer.deserialize(OrganizationalChoiceDeserializer.java:45)
    at org.cyclonedx.util.deserializer.OrganizationalChoiceDeserializer.deserialize(OrganizationalChoiceDeserializer.java:32)
    at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:310)
    ... 30 common frames omitted
It's a parsing bug in the CycloneDX library: CycloneDX/cyclonedx-core-java#507
So that means this bug is now resolved with the hotfix PR? https://github.com/CycloneDX/cyclonedx-core-java/pull/508
Current Behavior
When we upload an SBOM file in CycloneDX (version 1.5) format to the tool, we do not get any results. Instead, we receive a parse error from your API. On further examination, if any component contains the following section, the API throws an error:
When we remove the above part from the component section, the analysis completes as expected. Additionally, there is another component in the SBOM file that already has vulnerabilities. Due to this error, its analysis is also skipped.
Proposed Behavior
If there is an error or omission in the SBOM file that could disrupt the analysis, it would be better if the error message were more descriptive. At least the analysis results of the other components could be given, and the error for the faulty component could be returned in the response in a more descriptive way. We would also like to know why such an error occurred.
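As an added illustration (not code from this issue, from Dependency-Track or from cyclonedx-core-java): a small Python pre-upload lint that walks a CycloneDX JSON BOM along the same components[].licenses[].license.licensing.purchaser path that the reference chain in the stack trace reports, and reports findings per component so the faulty component can be located before the whole upload fails. The sample BOM is constructed, and the assumption that an organization without a name is the trigger is drawn from the trace's null JsonNode.get(String) inside deserializeOrganization, not stated on the page.

```python
import json

# Constructed sample (not from the issue): components[1] carries a licensing.purchaser
# whose "organization" object has no "name", the shape assumed to trip the deserializer.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [
    {"type": "library", "name": "good-lib", "version": "1.0.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "bad-lib", "version": "2.3.1",
     "licenses": [{"license": {"name": "Commercial",
       "licensing": {"purchaser": {"organization": {"url": ["https://example.test"]}}}}}]}
  ]
}
""")

# The three OrganizationalChoice fields that CycloneDX 1.5 "licensing" can carry.
CHOICE_FIELDS = ("licensor", "licensee", "purchaser")


def check_choice(node, path):
    """Findings for one OrganizationalChoice node: must be an object holding
    'organization' or 'individual'; an organization is expected to carry a name."""
    if not isinstance(node, dict):
        return [f"{path}: expected an object"]
    org, person = node.get("organization"), node.get("individual")
    if org is None and person is None:
        return [f"{path}: neither 'organization' nor 'individual' present"]
    findings = []
    if org is not None and not isinstance(org.get("name"), str):
        findings.append(f"{path}.organization: missing string 'name'")
    return findings


def lint_licensing(bom):
    """Walk components[].licenses[].license.licensing and collect per-component
    findings, each tagged with a path that mirrors the Jackson reference chain."""
    findings = []
    for ci, comp in enumerate(bom.get("components", [])):
        name = comp.get("name")
        for li, entry in enumerate(comp.get("licenses", [])):
            licensing = (entry.get("license") or {}).get("licensing")
            if not isinstance(licensing, dict):
                continue  # id/name-only licenses have nothing to check
            for field in CHOICE_FIELDS:
                if field in licensing:
                    path = f"components[{ci}]({name}).licenses[{li}].licensing.{field}"
                    findings.extend(check_choice(licensing[field], path))
    return findings
```

Running the lint on a BOM before uploading it lets the single bad component be fixed or stripped while the remaining components are still analysed.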