ST-DDT closed this 2 years ago
Confirm NPE in aggregate, downgraded to 6.3.1 version
Nothing to do with aggregates or multi-module. I get the same NPE stacktrace running check on a single regular project.
I can confirm this issue as well. We also get the NPE in the 6.3.2.
Can confirm this too. When upgrading from 6.3.1 to 6.3.2, this NPE occurs.
Same problem here, guessing it is caused by changes introduced by https://github.com/jeremylong/DependencyCheck/pull/3627
Can anyone provide a sample pom.xml and version of maven that is having this issue?
I ran into the same issue. The branch bug/dependency-check-maven-6.3.2-npe of the repository acanda/spring-banner-plugin contains a small Maven project that reproduces the issue when you run mvn clean verify -X. The NPE does not occur with 6.3.1.
The NPE occurs with both Maven 3.6.3 and 3.8.2:
````txt
> mvn -version
Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f)
Maven home: /c/Program Files/Maven/maven-3.6.3
Java version: 11.0.6, vendor: AdoptOpenJDK, runtime: /usr/lib/jvm/adoptopenjdk-11-hotspot-amd64
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "4.4.0-19041-microsoft", arch: "amd64", family: "unix"
````

````txt
> mvn -version
Apache Maven 3.8.2 (ea98e05a04480131370aa0c110b8c54cf726c06f)
Maven home: /c/Program Files/Maven/maven-3.8.2
Java version: 11.0.6, vendor: AdoptOpenJDK, runtime: /usr/lib/jvm/adoptopenjdk-11-hotspot-amd64
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "4.4.0-19041-microsoft", arch: "amd64", family: "unix"
````
@jeremylong I'll have a look at this
Appears to have its root-cause triggered by dependencies with classifiers. The culprit in spring-banner-plugin is com.google.inject:guice:jar:no_aop:4.2.2; all other dependencies of the project have group:artifact:extension:version and succeed without NPE.
It breaks at the project-level dependency-node which is represented by a null-artifact DependencyNode with children, not sure whether Maven project would expect the project node to be offered to the resolver. It appears to at least not have been tested like with a filter for a classifier as the NPE is deep down in the maven shared utilities.
Fairly certain this is a bug in the maven shared utilities that's biting us with the transition to the maven DependencyResolver in order to properly process maven repositories in the dependency-tree.
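As an added illustration of the failure mode described above (not code from the original thread, from dependency-check or from maven-shared), the following stand-alone Java program rebuilds the shape of the dependency graph with the real Eclipse Aether (Maven Resolver) API: a root DependencyNode with no artifact, a child with the classifier no_aop, and a plain child. A hypothetical filter that dereferences node.getArtifact() without a null check fails exactly at the root node, while a guarded variant lets the artifact-less root pass through and only matches real dependencies. The filter bodies are assumptions written for this demo and are not the filter in EclipseAetherFilterTransformer; it assumes aether-api and aether-util (or the equivalent maven-resolver artifacts) on the classpath.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.eclipse.aether.artifact.Artifact;
import org.eclipse.aether.artifact.DefaultArtifact;
import org.eclipse.aether.graph.DefaultDependencyNode;
import org.eclipse.aether.graph.Dependency;
import org.eclipse.aether.graph.DependencyFilter;
import org.eclipse.aether.graph.DependencyNode;
import org.eclipse.aether.util.graph.visitor.FilteringDependencyVisitor;
import org.eclipse.aether.util.graph.visitor.PreorderNodeListGenerator;

public class ClassifierFilterDemo {

    /** Hypothetical naive filter: assumes every visited node carries an artifact. */
    static DependencyFilter naiveClassifierFilter(String classifier) {
        // The root (project) node has no artifact, so getArtifact() is null here -> NPE.
        return (node, parents) -> classifier.equals(node.getArtifact().getClassifier());
    }

    /** Hypothetical guarded filter: an artifact-less node is passed through, not matched. */
    static DependencyFilter guardedClassifierFilter(String classifier) {
        return (node, parents) -> {
            Artifact a = node.getArtifact();
            if (a == null) {
                return true; // project root: nothing to match on, let the visitor descend
            }
            return classifier.equals(a.getClassifier());
        };
    }

    /** Constructed graph mirroring the thread: null-artifact root, one classified child, one plain child. */
    static DependencyNode buildTree() {
        DefaultDependencyNode root = new DefaultDependencyNode((Dependency) null);
        DefaultDependencyNode guice = new DefaultDependencyNode(new Dependency(
            new DefaultArtifact("com.google.inject:guice:jar:no_aop:4.2.2"), "compile"));
        DefaultDependencyNode plain = new DefaultDependencyNode(new Dependency(
            new DefaultArtifact("org.example:plain-lib:jar:1.0.0"), "compile")); // constructed sample
        root.setChildren(new ArrayList<>(Arrays.asList(guice, plain)));
        return root;
    }

    /** Walks the graph with the filter and returns the nodes the filter accepted. */
    static List<DependencyNode> collect(DependencyNode root, DependencyFilter filter) {
        PreorderNodeListGenerator gen = new PreorderNodeListGenerator();
        root.accept(new FilteringDependencyVisitor(gen, filter));
        return gen.getNodes();
    }

    public static void main(String[] args) {
        DependencyNode root = buildTree();
        try {
            collect(root, naiveClassifierFilter("no_aop"));
            System.out.println("naive filter: unexpectedly survived");
        } catch (NullPointerException e) {
            System.out.println("naive filter: NPE at the null-artifact root node, as in the reported stack trace");
        }
        for (DependencyNode n : collect(root, guardedClassifierFilter("no_aop"))) {
            System.out.println("guarded filter accepted: " + n);
        }
    }
}
```

The guarded variant accepts the root so that FilteringDependencyVisitor still descends into the children; whether a pass-through or an explicit skip is the right policy for the root is a design choice for the caller, the point is only that a filter applied to a resolver-built graph has to tolerate a node without an artifact.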
Can we revert this until the fix in maven shared components is available? Apart from that, this introduces a breaking change and in my opinion should not just bump the patch version of this plugin.
It's only a breaking change because the maven resolution is breaking. The change itself is a bugfix for a regression bug in 6.3: #3626. Unfortunately apparently none of our test-cases included a (direct or transitive) dependency with a classifier which made this bug surface only in the wild.
@aikebah Great work digging in to this. Do you have any experience with how long time getting bugs fixed in Maven shared utilities might take? Also will you add a test for this to ensure dependencies with classifiers work in the future?
@viktor-thell-seal Definitely want to include a test to ensure this doesn't surface again in future. Still looking to see if we can change our internal resolution approach to mitigate the issue without requiring a fix in the maven shared utilities. No experience on my side regarding timelines for a fix in maven.
Found a work-around that makes at least the sample project @acanda shared pass. Running some final validations to see if the new testcase properly breaks at this issue without the patch and when succeeding expect to file a PR later tonight for review by @jeremylong.
The fix will be released - hopefully Friday morning (US Eastern).
Could you leave this issue open until it is solved? I ran into the same issue and could not find this ticket. Probably many others will experience the same.
released
Is it already solved? I ran into the same issue.
The fix will be in the next release - just finishing up testing.
Had the same NPE with 6.3.2; updated the dependency-check-maven plugin version to 6.4.1 and can confirm this is no longer an issue here.

````xml
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>6.4.1</version>
    <reportSets>
        <reportSet>
            <reports>
                <report>aggregate</report>
            </reports>
        </reportSet>
    </reportSets>
</plugin>
````
Can confirm that 6.4.1 works. Thank you
I too do confirm that 6.4.1 fixed the issue.
Describe the bug
NPE during aggregate check in a multi module project
Version of dependency-check used
Maven-Plugin:
Log file
Stacktrace
````txt
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.3.2:aggregate (aggregate) on project gui-base: Execution aggregate of goal org.owasp:dependency-check-maven:6.3.2:aggregate failed.: NullPointerException -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.owasp:dependency-check-maven:6.3.2:aggregate (aggregate) on project gui-base: Execution aggregate of goal org.owasp:dependency-check-maven:6.3.2:aggregate failed.
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: org.apache.maven.plugin.PluginExecutionException: Execution aggregate of goal org.owasp:dependency-check-maven:6.3.2:aggregate failed.
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:148)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: java.lang.NullPointerException
    at org.apache.maven.shared.artifact.filter.resolve.transform.EclipseAetherFilterTransformer$2.accept (EclipseAetherFilterTransformer.java:152)
    at org.eclipse.aether.util.filter.AndDependencyFilter.accept (AndDependencyFilter.java:83)
    at org.eclipse.aether.util.filter.OrDependencyFilter.accept (OrDependencyFilter.java:81)
    at org.eclipse.aether.util.graph.visitor.FilteringDependencyVisitor.visitEnter (FilteringDependencyVisitor.java:80)
    at org.eclipse.aether.util.graph.visitor.TreeDependencyVisitor.visitEnter (TreeDependencyVisitor.java:67)
    at org.eclipse.aether.graph.DefaultDependencyNode.accept (DefaultDependencyNode.java:343)
    at org.eclipse.aether.internal.impl.DefaultRepositorySystem.resolveDependencies (DefaultRepositorySystem.java:332)
    at org.apache.maven.shared.transfer.dependencies.resolve.internal.Maven31DependencyResolver.resolveDependencies (Maven31DependencyResolver.java:216)
    at org.apache.maven.shared.transfer.dependencies.resolve.internal.Maven31DependencyResolver.resolveDependencies (Maven31DependencyResolver.java:198)
    at org.apache.maven.shared.transfer.dependencies.resolve.internal.DefaultDependencyResolver.resolveDependencies (DefaultDependencyResolver.java:60)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.collectMavenDependencies (BaseDependencyCheckMojo.java:1328)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.collectDependencies (BaseDependencyCheckMojo.java:1467)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.scanArtifacts (BaseDependencyCheckMojo.java:1114)
    at org.owasp.dependencycheck.maven.AggregateMojo.scanDependencies (AggregateMojo.java:73)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1719)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:966)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
[ERROR]
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/PluginExecutionException
````

To Reproduce
Run the aggregate goal in a multi module project.
Expected behavior
No exception