jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

NullPointerException in Jenkins plugin #23

Closed eoftedal closed 10 years ago

eoftedal commented 10 years ago
ERROR: Processing failed due to a bug in the code. Please report this to jenkinsci-users@googlegroups.com
java.lang.NullPointerException
at org.owasp.dependencycheck.data.cpe.CpeIndexReader.search(CpeIndexReader.java:122)
at org.owasp.dependencycheck.analyzer.CPEAnalyzer.searchCPE(CPEAnalyzer.java:272)
at org.owasp.dependencycheck.analyzer.CPEAnalyzer.determineCPE(CPEAnalyzer.java:172)
at org.owasp.dependencycheck.analyzer.CPEAnalyzer.analyze(CPEAnalyzer.java:485)
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:313)
at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.executeDependencyCheck(DependencyCheckExecutor.java:85)
at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.performBuild(DependencyCheckExecutor.java:66)
at org.jenkinsci.plugins.DependencyCheck.DependencyCheckBuilder$1.call(DependencyCheckBuilder.java:137)
at org.jenkinsci.plugins.DependencyCheck.DependencyCheckBuilder$1.call(DependencyCheckBuilder.java:134)
at hudson.remoting.LocalChannel.call(LocalChannel.java:45)
at org.jenkinsci.plugins.DependencyCheck.DependencyCheckBuilder.perform(DependencyCheckBuilder.java:134)
at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:782)
at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.build(MavenModuleSetBuild.java:876)
at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.doRun(MavenModuleSetBuild.java:647)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:567)
at hudson.model.Run.execute(Run.java:1603)
at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:506)
at hudson.model.ResourceController.execute(ResourceController.java:88)
at hudson.model.Executor.run(Executor.java:246)

stevespringett commented 10 years ago

Erlend,

What version of the Jenkins plugin are you running? The current release is 1.0.2 and incorporates Dependency-Check 1.0.2.

eoftedal commented 10 years ago

I'm using 1.0.2

jeremylong commented 10 years ago

Erlend,

Any chance you could tell me what JAR files were being scanned so that I can try and replicate the bug on my side?

--Jeremy

eoftedal commented 10 years ago

Trying to deploy the latest version to check the repo manually from CLI, but cannot build:

Oct 08, 2013 8:49:44 AM org.owasp.dependencycheck.data.nvdcve.xml.DatabaseUpdater update
INFO: Downloading http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2008.xml
Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 2.733 sec <<< FAILURE!
testUpdate(org.owasp.dependencycheck.data.nvdcve.xml.DatabaseUpdaterIntegrationTest)  Time elapsed: 2.733 sec  <<< ERROR!
java.lang.NoSuchMethodError: org.owasp.dependencycheck.utils.Downloader.fetchFile(Ljava/net/URL;Ljava/io/File;Z)V
at org.owasp.dependencycheck.data.nvdcve.xml.DatabaseUpdater.update(DatabaseUpdater.java:129)
at org.owasp.dependencycheck.data.nvdcve.xml.DatabaseUpdaterIntegrationTest.testUpdate(DatabaseUpdaterIntegrationTest.java:61)

The other test downloading http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2002.xml works though... Strange

jeremylong commented 10 years ago

Erlend,

I will look into this, but I normally clean, delete everything in my local repo, and then 'mvn install' prior to pushing. Hopefully I just had a slight oversight on my last push. Regardless, you can download the command line version from bintray; information on usage of the CLI can be found on the github page: http://jeremylong.github.io/DependencyCheck/dependency-check-cli/installation.html

download the compiled CLI from: http://dl.bintray.com/jeremy-long/owasp/dependency-check-1.0.2-release.zip

--Jeremy

eoftedal commented 10 years ago

I built it with mvn install -DskipTests, and got 1.0.3 CLI running. During the scan of my app, it crashed on a .zip-file which isn't a library (not a .jar).

eoftedal commented 10 years ago

Btw, I recloned to make sure I had a clean version, and now it builds without any issues, so that was some leftover data on my side, I guess. Now it builds without errors. So no need to look into that.

The only problem is the crash on scanning zip files.

jeremylong commented 10 years ago

Any chance you could share the zip?

Jeremy

eoftedal commented 10 years ago

Actually it says it cannot find a .zip that's within a .zip. Not sure what's going on there. I can send it to you via email.

eoftedal commented 10 years ago

This is the bug I see:

   Oct 09, 2013 7:17:54 AM org.owasp.dependencycheck.analyzer.ArchiveAnalyzer extractFiles
   WARNING: null
   org.owasp.dependencycheck.analyzer.AnalysisException: Unable to find file 'somefile.zip'.
    at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.extractFiles(ArchiveAnalyzer.java:287)
    at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.analyze(ArchiveAnalyzer.java:185)
    at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:313)
    at org.owasp.dependencycheck.App.runScan(App.java:146)
    at org.owasp.dependencycheck.App.run(App.java:123)
    at org.owasp.dependencycheck.App.main(App.java:72)
   Caused by: java.io.FileNotFoundException:/var/folders/9d/k_2v_tpn3jgdq9t7hrj2ycnn5p98bd/T/check7874399254683943295tmp/22/somefile.zip (No such file or directory)
    at java.io.FileOutputStream.open(Native Method)
    at java.io.FileOutputStream.<init>(FileOutputStream.java:212)
    at java.io.FileOutputStream.<init>(FileOutputStream.java:165)
    at org.owasp.dependencycheck.analyzer.ArchiveAnalyzer.extractFiles(ArchiveAnalyzer.java:277)
    ... 5 more

jeremylong commented 10 years ago

ATM, I am unable to replicate this. However, I have added code to 1.0.3-SNAPSHOT that attempts to detect the situation and re-instantiate that object.

eoftedal commented 10 years ago

Just upgraded to 1.0.4

[DependencyCheck] OWASP Dependency-Check Plugin v1.0.4
[DependencyCheck] Executing Dependency-Check analysis with the following options:
[DependencyCheck]  -name = appp_nyutvikling_dependency_check
[DependencyCheck]  -scanPath = /var/data/jenkins/jobs/app_nyutvikling_depcheck/workspace
[DependencyCheck]  -outputDirectory = /var/data/jenkins/jobs/app_nyutvikling_depcheck/workspace
[DependencyCheck]  -dataDirectory = /var/data/jenkins/jobs/app_nyutvikling_depcheck/workspace/dependency-check-data
[DependencyCheck]  -showEvidence = false
[DependencyCheck]  -format = XML
[DependencyCheck]  -autoUpdate = true
[DependencyCheck] Scanning: /var/data/jenkins/jobs/app_nyutvikling_depcheck/workspace
[DependencyCheck] Analyzing Dependencies
ERROR: Processing failed due to a bug in the code. Please report this to jenkinsci-users@googlegroups.com
java.lang.NullPointerException
    at org.owasp.dependencycheck.data.cpe.BaseIndex.close(BaseIndex.java:69)
    at org.owasp.dependencycheck.data.cpe.CpeIndexReader.close(CpeIndexReader.java:108)
    at org.owasp.dependencycheck.data.cpe.CpeIndexReader.search(CpeIndexReader.java:136)
    at org.owasp.dependencycheck.analyzer.CPEAnalyzer.searchCPE(CPEAnalyzer.java:272)
    at org.owasp.dependencycheck.analyzer.CPEAnalyzer.determineCPE(CPEAnalyzer.java:172)
    at org.owasp.dependencycheck.analyzer.CPEAnalyzer.analyze(CPEAnalyzer.java:488)
    at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:319)
    at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.executeDependencyCheck(DependencyCheckExecutor.java:95)
    at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.performBuild(DependencyCheckExecutor.java:72)
    at org.jenkinsci.plugins.DependencyCheck.DependencyCheckBuilder$1.call(DependencyCheckBuilder.java:168)
    at org.jenkinsci.plugins.DependencyCheck.DependencyCheckBuilder$1.call(DependencyCheckBuilder.java:165)
    at hudson.remoting.LocalChannel.call(LocalChannel.java:45)
    at org.jenkinsci.plugins.DependencyCheck.DependencyCheckBuilder.perform(DependencyCheckBuilder.java:165)
    at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
    at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:781)
    at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.build(MavenModuleSetBuild.java:886)
    at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.doRun(MavenModuleSetBuild.java:654)
    at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:562)
    at hudson.model.Run.execute(Run.java:1665)
    at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:507)
    at hudson.model.ResourceController.execute(ResourceController.java:88)
    at hudson.model.Executor.run(Executor.java:230)
project=hudson.maven.MavenModuleSet@4bd3371f[app_nyutvikling_dependency_check]
project.getModules()=[]
project.getRootModule()=null
FATAL: null
java.lang.NullPointerException
    at org.owasp.dependencycheck.data.cpe.BaseIndex.close(BaseIndex.java:69)
    at org.owasp.dependencycheck.data.cpe.CpeIndexReader.close(CpeIndexReader.java:108)
    at org.owasp.dependencycheck.data.cpe.CpeIndexReader.search(CpeIndexReader.java:136)
    at org.owasp.dependencycheck.analyzer.CPEAnalyzer.searchCPE(CPEAnalyzer.java:272)
    at org.owasp.dependencycheck.analyzer.CPEAnalyzer.determineCPE(CPEAnalyzer.java:172)
    at org.owasp.dependencycheck.analyzer.CPEAnalyzer.analyze(CPEAnalyzer.java:488)
    at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:319)
    at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.executeDependencyCheck(DependencyCheckExecutor.java:95)
    at org.jenkinsci.plugins.DependencyCheck.DependencyCheckExecutor.performBuild(DependencyCheckExecutor.java:72)
    at org.jenkinsci.plugins.DependencyCheck.DependencyCheckBuilder$1.call(DependencyCheckBuilder.java:168)
    at org.jenkinsci.plugins.DependencyCheck.DependencyCheckBuilder$1.call(DependencyCheckBuilder.java:165)
    at hudson.remoting.LocalChannel.call(LocalChannel.java:45)
    at org.jenkinsci.plugins.DependencyCheck.DependencyCheckBuilder.perform(DependencyCheckBuilder.java:165)
    at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
    at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:781)
    at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.build(MavenModuleSetBuild.java:886)
    at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.doRun(MavenModuleSetBuild.java:654)
    at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:562)
    at hudson.model.Run.execute(Run.java:1665)
    at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:507)
    at hudson.model.ResourceController.execute(ResourceController.java:88)
    at hudson.model.Executor.run(Executor.java:230)

eoftedal commented 10 years ago

Might be a proxy issue actually. Let me check

eoftedal commented 10 years ago

@jeremylong How do I set a proxy for the jenkins plugin?

jeremylong commented 10 years ago

Steve,

I'm not seeing a configuration option in the Jenkins plugin to set the proxy url/port? Was one added and I can't find it? Or were you just thinking people would use the environment variables via -Dproxy.url and -Dproxy.port?

--Jeremy

jeremylong commented 10 years ago

The proxy settings have not yet been added to the Jenkins plugin. I was actually waiting until I implemented proxy authentication in dependency-check-core before adding proxy support to the Jenkins plugin.

I just pushed support for proxy authentication to dependency-check-core, the command-line interface, along with the Ant task and Maven plugin. These will be available in the next release.

As for the Jenkins plugin, the proxy settings are global and are configured in the Jenkins Plugin Manager under the Advanced tab. This configuration supports a host, port, username and password.

Assuming the next release of Dependency-Check is 1.0.5, then that is the version of the Jenkins plugin that will support proxy configuration.

jeremylong commented 10 years ago

I will finish an update to support tar.gz files and then push 1.0.5. I'm hoping I can get to this today, but due to other obligations this may end up getting postponed until next weekend.

Thanks Steve!

--Jeremy

eoftedal commented 10 years ago

Ok, so the NullPointerException from my "Just upgraded to 1.0.4" occurs because it can't connect and download the files due to lack of proxy. And the zip-file doesn't cause problems anymore.

I guess you can close this bug, but I would suggest adding a better error message when it can't initially download the vulnerability database.

Thanks for looking into this though! I managed to make it work in jenkins by first running the cli version with proxy settings and then pointing jenkins to the same data-directory with updates disabled.

jeremylong commented 10 years ago

Thanks for the information. I will definitely improve the error messages for this situation. Also, when 1.0.5 is pushed (hopefully this weekend) you should be able to set the proxy in the Jenkins configuration. You currently can set the proxy information for earlier versions by setting environment/system variables for "proxy.url" and "proxy.port".

Best Regards,

Jeremy
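The workaround described in this thread (run the CLI once with the `proxy.url` / `proxy.port` system properties so the vulnerability database is downloaded, then point the Jenkins job at the same data directory with auto-update disabled) can be scripted with a pre-flight check, so that a missing or empty data directory fails the build with a readable message instead of the NullPointerException above. This is an added example, not code from the issue or from the Dependency-Check project; the CLI jar name (`DC_CLI_JAR`), the scan path and the proxy values are placeholders, and the CLI option names used in `prime_data_dir` are assumed rather than taken from the thread.

```shell
#!/bin/sh
# Added example (not from the issue or the project): prime the
# dependency-check data directory through a proxy, then verify it before a
# Jenkins job that runs with auto-update disabled tries to read it.

# Build the JVM system properties for the proxy from two values.
# proxy.url and proxy.port are the property names mentioned in the thread.
proxy_java_opts() {
    url="$1"; port="$2"
    opts=""
    [ -n "$url" ]  && opts="$opts -Dproxy.url=$url"
    [ -n "$port" ] && opts="$opts -Dproxy.port=$port"
    printf '%s' "${opts# }"
}

# Return 0 if the data directory exists and holds at least one regular file,
# otherwise print why it is not usable and return non-zero. An empty
# directory is the symptom seen in the thread when the NVD download fails.
nvd_data_ready() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "dependency-check data directory '$dir' does not exist" >&2
        return 1
    fi
    if [ -z "$(find "$dir" -type f 2>/dev/null | head -n 1)" ]; then
        echo "dependency-check data directory '$dir' is empty: the NVD download probably failed (proxy not reachable?)" >&2
        return 2
    fi
    return 0
}

# Run the CLI once with the proxy properties so it fills the data directory.
# DC_CLI_JAR, SCAN_PATH and the option names (-data, -scan, -app, -out) are
# placeholders/assumptions; adjust them to the CLI release in use.
prime_data_dir() {
    data_dir="$1"; proxy_url="$2"; proxy_port="$3"
    # shellcheck disable=SC2086  # the opts string is meant to word-split
    java $(proxy_java_opts "$proxy_url" "$proxy_port") \
        -jar "${DC_CLI_JAR:-dependency-check-cli.jar}" \
        -data "$data_dir" -scan "${SCAN_PATH:-.}" \
        -app preload -out "${OUT_DIR:-.}"
}

# Only run the network-touching steps when a data directory is configured,
# so the functions above can be sourced or tested without a proxy.
if [ -n "${DC_DATA_DIR:-}" ]; then
    prime_data_dir "$DC_DATA_DIR" "${PROXY_URL:-}" "${PROXY_PORT:-}"
    nvd_data_ready "$DC_DATA_DIR" || exit $?
fi
```

Run it once on the Jenkins master (or wherever the job executes) with `DC_DATA_DIR`, `PROXY_URL` and `PROXY_PORT` exported; afterwards the Jenkins job can use `-dataDirectory` pointing at the same path with `-autoUpdate = false`, and `nvd_data_ready` can be called as a first build step to fail early if the directory was wiped.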

stevespringett commented 10 years ago

@eoftedal A minor release of the Jenkins plugin was just pushed out today. Version 1.0.4.1 supports the proxy server settings in Dependency-Check core v1.0.4. It's a global configuration in Jenkins, so all builds, regardless of where they're running (master or slave), will use the settings. The proxy settings are in a weird place though. They're in the manage plugins page under the advanced tab. Currently only hostname and port are supported proxy parameters. Dependency-Check 1.0.5 along with the Jenkins plugin will support proxy authentication as well.

eoftedal commented 10 years ago

@stevespringett Thanks! I'll take a look

jeremylong commented 10 years ago

The core 1.0.5 library has been published and the jenkins plugin should be updated shortly by Steve. The NPE should be solved in the core library.

lock[bot] commented 5 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.