search

dependency-check / azuredevops

Dependency Check Azure DevOps Extension
Apache License 2.0
47 stars 25 forks source link

Error running dependency-check-build-task against dotnet 5 application #78

Closed icecoldfire closed 3 years ago

icecoldfire commented 3 years ago

After upgrading our applications to dotnet 5 we get errors when running dependency-check-build-task against our application.

It looks like this issue is already resolved upstream: https://github.com/jeremylong/DependencyCheck/issues/3306

Is it possible to upgrade this dependency to a version witch includes these patches?

YAML File

  - task: dependency-check-build-task@5
    inputs:
      projectName: 'Base'
      scanPath: 'src/**/*.csproj'
      format: 'HTML, JSON, JUNIT'
      failOnCVSS: '8'
      additionalArguments: '--suppression $(System.DefaultWorkingDirectory)/src/Api/suppressions.xml'

Log

2021-05-09T12:07:27.7483760Z ##[section]Starting: dependencycheckbuildtask
2021-05-09T12:07:27.7506414Z ==============================================================================
2021-05-09T12:07:27.7506732Z Task         : OWASP Dependency Check
2021-05-09T12:07:27.7507181Z Description  : Dependency Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.
2021-05-09T12:07:27.7507601Z Version      : 5.6.3
2021-05-09T12:07:27.7507796Z Author       : Dependency Check
2021-05-09T12:07:27.7508105Z Help         : [More Information](https://jeremylong.github.io/DependencyCheck/index.html)
2021-05-09T12:07:27.7508472Z ==============================================================================
2021-05-09T12:07:30.2792488Z Starting Dependency Check...
2021-05-09T12:07:30.3360791Z Setting report directory to C:\azp\agent\_work\129\TestResults\dependency-check
2021-05-09T12:07:30.3377520Z Creating report directory at C:\azp\agent\_work\129\TestResults\dependency-check
2021-05-09T12:07:30.3952944Z 
2021-05-09T12:07:30.3990258Z 
2021-05-09T12:07:30.4072712Z     Directory: C:\azp\agent\_work\129\TestResults
2021-05-09T12:07:30.4073554Z 
2021-05-09T12:07:30.4073939Z 
2021-05-09T12:07:30.4150957Z Mode                 LastWriteTime         Length Name                                                                 
2021-05-09T12:07:30.4159664Z ----                 -------------         ------ ----                                                                 
2021-05-09T12:07:30.4184100Z d-----          5/9/2021   2:07 PM                dependency-check                                                     
2021-05-09T12:07:30.4422467Z Downloading Dependency Check v6.0.2 installer from GitHub...
2021-05-09T12:07:35.1012399Z Dependency Check installer set to C:\azp\agent\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\5.6.3\dependency-check\bin\dependency-check.bat
2021-05-09T12:07:35.1022797Z Invoking Dependency Check...
2021-05-09T12:07:35.1029762Z Path: C:\azp\agent\_work\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\5.6.3\dependency-check\bin\dependency-check.bat
2021-05-09T12:07:35.1036140Z Arguments: --project "Base" --scan "C:\azp\agent\_work\129\s\src\**\*.csproj" --out "C:\azp\agent\_work\129\TestResults\dependency-check" --format HTML --format  JSON --format  JUNIT --failOnCVSS 8 --suppression C:\azp\agent\_work\129\s/src/Api/suppressions.xml
2021-05-09T12:07:35.6397777Z Dependency-Check Core version 6.0.2
2021-05-09T12:07:45.5061357Z [INFO] Checking for updates
2021-05-09T12:07:55.1135280Z [INFO] NVD CVE requires several updates; this could take a couple of minutes.
2021-05-09T12:07:55.1178119Z [INFO] Download Started for NVD CVE - 2002
2021-05-09T12:07:55.1178685Z [INFO] Download Started for NVD CVE - 2003
2021-05-09T12:07:56.2136674Z [INFO] Download Complete for NVD CVE - 2003  (1094 ms)
2021-05-09T12:07:56.2138065Z [INFO] Download Started for NVD CVE - 2004
2021-05-09T12:07:56.2142760Z [INFO] Processing Started for NVD CVE - 2003
2021-05-09T12:07:56.2680181Z WARNING: An illegal reflective access operation has occurred
2021-05-09T12:07:56.2681364Z WARNING: Illegal reflective access by com.fasterxml.jackson.module.afterburner.util.MyClassLoader (file:/C:/azp/agent/_work/_tasks/dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72/5.6.3/dependency-check/lib/jackson-module-afterburner-2.11.2.jar) to method java.lang.ClassLoader.findLoadedClass(java.lang.String)
2021-05-09T12:07:56.2682533Z WARNING: Please consider reporting this to the maintainers of com.fasterxml.jackson.module.afterburner.util.MyClassLoader
2021-05-09T12:07:56.2683253Z WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
2021-05-09T12:07:56.2683791Z WARNING: All illegal access operations will be denied in a future release
2021-05-09T12:07:56.8450820Z [INFO] Download Complete for NVD CVE - 2002  (1734 ms)
2021-05-09T12:07:56.8585462Z [INFO] Download Started for NVD CVE - 2005
2021-05-09T12:07:56.8897668Z [INFO] Processing Started for NVD CVE - 2002
2021-05-09T12:07:57.4162151Z [INFO] Download Complete for NVD CVE - 2004  (1197 ms)
2021-05-09T12:07:57.4983966Z [INFO] Download Started for NVD CVE - 2006
2021-05-09T12:07:58.1356793Z [INFO] Download Complete for NVD CVE - 2005  (1281 ms)
2021-05-09T12:07:58.1580793Z [INFO] Download Started for NVD CVE - 2007
2021-05-09T12:07:59.1495820Z [INFO] Download Complete for NVD CVE - 2006  (1604 ms)
2021-05-09T12:07:59.2032454Z [INFO] Download Started for NVD CVE - 2008
2021-05-09T12:08:00.9835663Z [INFO] Download Complete for NVD CVE - 2008  (1790 ms)
2021-05-09T12:08:00.9836492Z [INFO] Download Started for NVD CVE - 2009
2021-05-09T12:08:01.1132409Z [INFO] Download Complete for NVD CVE - 2007  (2961 ms)
2021-05-09T12:08:01.1138952Z [INFO] Download Started for NVD CVE - 2010
2021-05-09T12:08:01.7689044Z [INFO] Processing Complete for NVD CVE - 2003  (5440 ms)
2021-05-09T12:08:01.7817257Z [INFO] Processing Started for NVD CVE - 2004
2021-05-09T12:08:02.6350837Z [INFO] Download Complete for NVD CVE - 2009  (1641 ms)
2021-05-09T12:08:02.6527667Z [INFO] Download Started for NVD CVE - 2011
2021-05-09T12:08:02.9303732Z [INFO] Download Complete for NVD CVE - 2010  (1828 ms)
2021-05-09T12:08:02.9342305Z [INFO] Download Started for NVD CVE - 2012
2021-05-09T12:08:04.8819033Z [INFO] Download Complete for NVD CVE - 2012  (1932 ms)
2021-05-09T12:08:04.8820029Z [INFO] Download Started for NVD CVE - 2013
2021-05-09T12:08:04.8820469Z [INFO] Download Complete for NVD CVE - 2011  (2225 ms)
2021-05-09T12:08:04.9092598Z [INFO] Download Started for NVD CVE - 2014
2021-05-09T12:08:06.6261142Z [INFO] Download Complete for NVD CVE - 2013  (1745 ms)
2021-05-09T12:08:06.6267376Z [INFO] Download Started for NVD CVE - 2015
2021-05-09T12:08:07.2699419Z [INFO] Processing Complete for NVD CVE - 2004  (5591 ms)
2021-05-09T12:08:07.2700394Z [INFO] Processing Started for NVD CVE - 2005
2021-05-09T12:08:07.2904976Z [INFO] Download Complete for NVD CVE - 2014  (2379 ms)
2021-05-09T12:08:07.2906195Z [INFO] Download Started for NVD CVE - 2016
2021-05-09T12:08:08.0501391Z [INFO] Processing Complete for NVD CVE - 2002  (11047 ms)
2021-05-09T12:08:08.0999646Z [INFO] Processing Started for NVD CVE - 2006
2021-05-09T12:08:08.1000386Z [INFO] Download Complete for NVD CVE - 2015  (1475 ms)
2021-05-09T12:08:08.1760950Z [INFO] Download Started for NVD CVE - 2017
2021-05-09T12:08:08.7198105Z [INFO] Download Complete for NVD CVE - 2016  (1439 ms)
2021-05-09T12:08:08.7215216Z [INFO] Download Started for NVD CVE - 2018
2021-05-09T12:08:10.7160917Z [INFO] Download Complete for NVD CVE - 2017  (2542 ms)
2021-05-09T12:08:10.7173425Z [INFO] Download Started for NVD CVE - 2019
2021-05-09T12:08:11.2426727Z [INFO] Download Complete for NVD CVE - 2018  (2521 ms)
2021-05-09T12:08:11.2702719Z [INFO] Download Started for NVD CVE - 2020
2021-05-09T12:08:12.6490268Z [INFO] Download Complete for NVD CVE - 2019  (1932 ms)
2021-05-09T12:08:12.6491654Z [INFO] Download Started for NVD CVE - 2021
2021-05-09T12:08:14.0745689Z [INFO] Download Complete for NVD CVE - 2021  (1426 ms)
2021-05-09T12:08:15.4127499Z [INFO] Processing Complete for NVD CVE - 2005  (8166 ms)
2021-05-09T12:08:15.4128228Z [INFO] Processing Started for NVD CVE - 2008
2021-05-09T12:08:17.9381007Z [INFO] Download Complete for NVD CVE - 2020  (6679 ms)
2021-05-09T12:08:21.1492548Z [INFO] Processing Complete for NVD CVE - 2006  (13231 ms)
2021-05-09T12:08:21.1493349Z [INFO] Processing Started for NVD CVE - 2007
2021-05-09T12:08:29.3665901Z [INFO] Processing Complete for NVD CVE - 2008  (13943 ms)
2021-05-09T12:08:29.3666709Z [INFO] Processing Started for NVD CVE - 2009
2021-05-09T12:08:34.4975420Z [INFO] Processing Complete for NVD CVE - 2007  (13350 ms)
2021-05-09T12:08:34.4976183Z [INFO] Processing Started for NVD CVE - 2010
2021-05-09T12:08:44.2600146Z [INFO] Processing Complete for NVD CVE - 2009  (14890 ms)
2021-05-09T12:08:44.2743349Z [INFO] Processing Started for NVD CVE - 2012
2021-05-09T12:08:52.5767225Z [INFO] Processing Complete for NVD CVE - 2010  (18070 ms)
2021-05-09T12:08:52.5808645Z [INFO] Processing Started for NVD CVE - 2011
2021-05-09T12:09:08.2815293Z [INFO] Processing Complete for NVD CVE - 2012  (23997 ms)
2021-05-09T12:09:08.2822036Z [INFO] Processing Started for NVD CVE - 2013
2021-05-09T12:09:12.8072992Z [INFO] Processing Complete for NVD CVE - 2011  (20232 ms)
2021-05-09T12:09:12.8074134Z [INFO] Processing Started for NVD CVE - 2014
2021-05-09T12:09:27.6574716Z [INFO] Processing Complete for NVD CVE - 2013  (19401 ms)
2021-05-09T12:09:27.6705731Z [INFO] Processing Started for NVD CVE - 2015
2021-05-09T12:09:32.9432801Z [INFO] Processing Complete for NVD CVE - 2014  (20148 ms)
2021-05-09T12:09:32.9433497Z [INFO] Processing Started for NVD CVE - 2016
2021-05-09T12:09:37.1818183Z [INFO] Processing Started for NVD CVE - 2017
2021-05-09T12:09:40.9740333Z [INFO] Processing Complete for NVD CVE - 2015  (13311 ms)
2021-05-09T12:09:40.9740804Z [INFO] Processing Started for NVD CVE - 2018
2021-05-09T12:09:54.7723632Z [INFO] Processing Complete for NVD CVE - 2017  (17593 ms)
2021-05-09T12:09:54.7724412Z [INFO] Processing Started for NVD CVE - 2019
2021-05-09T12:09:59.2873019Z [INFO] Processing Complete for NVD CVE - 2018  (18331 ms)
2021-05-09T12:09:59.3031893Z [INFO] Processing Started for NVD CVE - 2021
2021-05-09T12:09:59.7428943Z [INFO] Processing Started for NVD CVE - 2020
2021-05-09T12:10:10.2897280Z [INFO] Processing Complete for NVD CVE - 2019  (15519 ms)
2021-05-09T12:10:10.2915919Z [ERROR] java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
2021-05-09T12:10:10.2917069Z org.owasp.dependencycheck.data.update.exception.UpdateException: java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
2021-05-09T12:10:10.2919514Z    at org.owasp.dependencycheck.data.update.NvdCveUpdater.performUpdate(NvdCveUpdater.java:298)
2021-05-09T12:10:10.2922418Z    at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:125)
2021-05-09T12:10:10.2922983Z    at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:855)
2021-05-09T12:10:10.2923506Z    at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:662)
2021-05-09T12:10:10.2924039Z    at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:592)
2021-05-09T12:10:10.2924510Z    at org.owasp.dependencycheck.App.runScan(App.java:254)
2021-05-09T12:10:10.2924954Z    at org.owasp.dependencycheck.App.run(App.java:186)
2021-05-09T12:10:10.2927707Z    at org.owasp.dependencycheck.App.main(App.java:81)
2021-05-09T12:10:10.2928444Z Caused by: java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
2021-05-09T12:10:10.2960628Z    at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
2021-05-09T12:10:10.2961229Z    at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
2021-05-09T12:10:10.2961789Z    at org.owasp.dependencycheck.data.update.NvdCveUpdater.performUpdate(NvdCveUpdater.java:288)
2021-05-09T12:10:10.2966594Z    ... 7 common frames omitted
2021-05-09T12:10:10.2967277Z Caused by: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
2021-05-09T12:10:10.2968060Z    at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.lambda$testCveCpeStartWithFilter$0(NvdCveParser.java:149)
2021-05-09T12:10:10.2968660Z    at java.base/java.util.stream.MatchOps$1MatchSink.accept(MatchOps.java:90)
2021-05-09T12:10:10.2969191Z    at java.base/java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1602)
2021-05-09T12:10:10.2969847Z    at java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:127)
2021-05-09T12:10:10.2970512Z    at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:502)
2021-05-09T12:10:10.2971009Z    at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:488)
2021-05-09T12:10:10.2971481Z    at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
2021-05-09T12:10:10.2971952Z    at java.base/java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:230)
2021-05-09T12:10:10.2972650Z    at java.base/java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:196)
2021-05-09T12:10:10.2973147Z    at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
2021-05-09T12:10:10.2973608Z    at java.base/java.util.stream.ReferencePipeline.anyMatch(ReferencePipeline.java:528)
2021-05-09T12:10:10.2974111Z    at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.testCveCpeStartWithFilter(NvdCveParser.java:149)
2021-05-09T12:10:10.2974631Z    at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.parse(NvdCveParser.java:100)
2021-05-09T12:10:10.2975108Z    at org.owasp.dependencycheck.data.update.nvd.ProcessTask.importJSON(ProcessTask.java:139)
2021-05-09T12:10:10.2975593Z    at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:152)
2021-05-09T12:10:10.2976073Z    at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:113)
2021-05-09T12:10:10.2976537Z    at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:40)
2021-05-09T12:10:10.2976963Z    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
2021-05-09T12:10:10.2977414Z    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
2021-05-09T12:10:10.2977910Z    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
2021-05-09T12:10:10.2978413Z    at java.base/java.lang.Thread.run(Thread.java:832)
2021-05-09T12:10:11.0629791Z [ERROR] There was an error attempting to close the CveDB, see the log for more details.
2021-05-09T12:10:11.0630350Z [WARN] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
2021-05-09T12:10:11.0630774Z [ERROR] Unable to continue dependency-check analysis.
2021-05-09T12:10:11.1893613Z [ERROR] One or more fatal errors occurred
2021-05-09T12:10:11.1894631Z [ERROR] java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
2021-05-09T12:10:11.1895297Z [ERROR] No documents exist
2021-05-09T12:10:11.9392672Z Dependency Check completed with exit code -13.
2021-05-09T12:10:11.9399520Z Dependency check reports:
2021-05-09T12:10:11.9802879Z ##[error]Dependency Check exited with an error code.
2021-05-09T12:10:11.9927767Z Ending Dependency Check...
2021-05-09T12:10:11.9928130Z 
2021-05-09T12:10:11.9928356Z 
2021-05-09T12:10:12.0357305Z ##[section]Finishing: dependencycheckbuildtask
alaincroisetiere commented 3 years ago

Yes, update the dependency-check-build-task to v6.

icecoldfire commented 3 years ago

Hey,

A simple upgrade to v6 fixed it indeed, thank you for the support!

I was confused because in the screenshots (https://raw.githubusercontent.com/dependency-check/azuredevops/main/screenshots/buildtask-configure.png) it is still version 5.