jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

NPE during aggregate check in a multi module project #3679

Closed ST-DDT closed 2 years ago

ST-DDT commented 2 years ago

Describe the bug

NPE during aggregate check in a multi module project

Version of dependency-check used

Maven-Plugin:

Log file

Stacktrace

```txt
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.3.2:aggregate (aggregate) on project gui-base: Execution aggregate of goal org.owasp:dependency-check-maven:6.3.2:aggregate failed.: NullPointerException -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.owasp:dependency-check-maven:6.3.2:aggregate (aggregate) on project gui-base: Execution aggregate of goal org.owasp:dependency-check-maven:6.3.2:aggregate failed.
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: org.apache.maven.plugin.PluginExecutionException: Execution aggregate of goal org.owasp:dependency-check-maven:6.3.2:aggregate failed.
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:148)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: java.lang.NullPointerException
    at org.apache.maven.shared.artifact.filter.resolve.transform.EclipseAetherFilterTransformer$2.accept (EclipseAetherFilterTransformer.java:152)
    at org.eclipse.aether.util.filter.AndDependencyFilter.accept (AndDependencyFilter.java:83)
    at org.eclipse.aether.util.filter.OrDependencyFilter.accept (OrDependencyFilter.java:81)
    at org.eclipse.aether.util.graph.visitor.FilteringDependencyVisitor.visitEnter (FilteringDependencyVisitor.java:80)
    at org.eclipse.aether.util.graph.visitor.TreeDependencyVisitor.visitEnter (TreeDependencyVisitor.java:67)
    at org.eclipse.aether.graph.DefaultDependencyNode.accept (DefaultDependencyNode.java:343)
    at org.eclipse.aether.internal.impl.DefaultRepositorySystem.resolveDependencies (DefaultRepositorySystem.java:332)
    at org.apache.maven.shared.transfer.dependencies.resolve.internal.Maven31DependencyResolver.resolveDependencies (Maven31DependencyResolver.java:216)
    at org.apache.maven.shared.transfer.dependencies.resolve.internal.Maven31DependencyResolver.resolveDependencies (Maven31DependencyResolver.java:198)
    at org.apache.maven.shared.transfer.dependencies.resolve.internal.DefaultDependencyResolver.resolveDependencies (DefaultDependencyResolver.java:60)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.collectMavenDependencies (BaseDependencyCheckMojo.java:1328)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.collectDependencies (BaseDependencyCheckMojo.java:1467)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.scanArtifacts (BaseDependencyCheckMojo.java:1114)
    at org.owasp.dependencycheck.maven.AggregateMojo.scanDependencies (AggregateMojo.java:73)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1719)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:966)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
[ERROR]
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/PluginExecutionException
```

To Reproduce

Run the aggregate goal in a multi module project.

Expected behavior

No exception


vveider commented 2 years ago

Confirm NPE in aggregate, downgraded to 6.3.1 version

OrangeDog commented 2 years ago

Nothing to do with aggregates or multi-module. I get the same NPE stacktrace running check on a single regular project.

mkemmerz commented 2 years ago

I can confirm this issue as well. We also get the NPE in the 6.3.2.

KaVeKa commented 2 years ago

Can confirm this too. When upgrading from 6.3.1 to 6.3.2, this NPE occurs.

viktor-thell-seal commented 2 years ago

Same problem here, guessing it is caused by changes introduced by https://github.com/jeremylong/DependencyCheck/pull/3627

jeremylong commented 2 years ago

Can anyone provide a sample pom.xml and version of maven that is having this issue?

acanda commented 2 years ago

I ran into the same issue. The branch bug/dependency-check-maven-6.3.2-npe of the repository acanda/spring-banner-plugin contains a small Maven project that reproduces the issue when you run mvn clean verify -X. The NPE does not occur with 6.3.1.

The NPE occurs with both Maven 3.6.3 and 3.8.2:

```txt
> mvn -version
Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f)
Maven home: /c/Program Files/Maven/maven-3.6.3
Java version: 11.0.6, vendor: AdoptOpenJDK, runtime: /usr/lib/jvm/adoptopenjdk-11-hotspot-amd64
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "4.4.0-19041-microsoft", arch: "amd64", family: "unix"
```

```txt
> mvn -version
Apache Maven 3.8.2 (ea98e05a04480131370aa0c110b8c54cf726c06f)
Maven home: /c/Program Files/Maven/maven-3.8.2
Java version: 11.0.6, vendor: AdoptOpenJDK, runtime: /usr/lib/jvm/adoptopenjdk-11-hotspot-amd64
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "4.4.0-19041-microsoft", arch: "amd64", family: "unix"
```

aikebah commented 2 years ago

@jeremylong I'll have a look at this

aikebah commented 2 years ago

Appears to have its root cause triggered by dependencies with classifiers. The culprit in spring-banner-plugin is `com.google.inject:guice:jar:no_aop:4.2.2`; all other dependencies of the project have the form group:artifact:extension:version and succeed without NPE.

aikebah commented 2 years ago

It breaks at the project-level dependency node, which is represented by a null-artifact DependencyNode with children; I'm not sure whether a Maven project would expect the project node to be offered to the resolver. It appears at least not to have been tested with a filter for a classifier, as the NPE is deep down in the maven shared utilities.

aikebah commented 2 years ago

Fairly certain this is a bug in the maven shared utilities that's biting us with the transition to the maven DependencyResolver, which we made in order to properly process maven repositories in the dependency tree.
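
To make the failure mode described in the two comments above concrete, here is an added example (not code from dependency-check, Aether or the maven shared utilities). It models a dependency graph whose root is the project-level node with a null artifact, a classifier filter written in the shape that fails (dereferencing the node's artifact unconditionally), and the null-safe form of the same filter. All class names (`ClassifierFilterDemo`, `Artifact`, `Node`, `NodeFilter`) and the second dependency in the sample graph are this example's own assumptions; only the guice `no_aop` coordinates come from the thread.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not code from dependency-check or the maven shared utilities.
 * Models the failure discussed in the issue: the resolver visits a dependency
 * graph whose root is the project-level node, which carries no artifact. A
 * classifier filter that dereferences the node's artifact without a null check
 * throws NullPointerException on that root before any real dependency is seen.
 * The types below are stand-ins shaped after the Aether API, not Aether itself.
 */
public class ClassifierFilterDemo {

    /** Stand-in for an artifact with Maven coordinates; classifier may be empty. */
    static final class Artifact {
        final String groupId, artifactId, extension, classifier, version;

        Artifact(String groupId, String artifactId, String extension, String classifier, String version) {
            this.groupId = groupId;
            this.artifactId = artifactId;
            this.extension = extension;
            this.classifier = classifier;
            this.version = version;
        }

        /** group:artifact:extension[:classifier]:version, as Maven prints it. */
        String coords() {
            String c = classifier.isEmpty() ? "" : classifier + ":";
            return groupId + ":" + artifactId + ":" + extension + ":" + c + version;
        }
    }

    /** Stand-in for a dependency-graph node; the project-level root has a null artifact. */
    static final class Node {
        final Artifact artifact;
        final List<Node> children = new ArrayList<>();

        Node(Artifact artifact) {
            this.artifact = artifact;
        }
    }

    interface NodeFilter {
        boolean accept(Node node);
    }

    /** Filter in the shape that fails: dereferences the artifact without a null check. */
    static NodeFilter unsafeClassifierFilter(String classifier) {
        return node -> classifier.equals(node.artifact.classifier);
    }

    /** Null-safe variant: a node without an artifact has no classifier to match. */
    static NodeFilter safeClassifierFilter(String classifier) {
        return node -> node.artifact != null && classifier.equals(node.artifact.classifier);
    }

    /** Depth-first walk over the whole graph, collecting coordinates of nodes the filter accepts. */
    static List<String> collect(Node node, NodeFilter filter, List<String> out) {
        if (filter.accept(node)) {
            out.add(node.artifact.coords());
        }
        for (Node child : node.children) {
            collect(child, filter, out);
        }
        return out;
    }

    /** Constructed graph: null-artifact root over the guice no_aop dependency from the thread plus one made-up plain dependency. */
    static Node sampleGraph() {
        Node root = new Node(null);
        root.children.add(new Node(new Artifact("com.google.inject", "guice", "jar", "no_aop", "4.2.2")));
        root.children.add(new Node(new Artifact("org.example", "plain-lib", "jar", "", "1.0.0"))); // constructed
        return root;
    }

    public static void main(String[] args) {
        Node graph = sampleGraph();
        try {
            collect(graph, unsafeClassifierFilter("no_aop"), new ArrayList<>());
        } catch (NullPointerException e) {
            System.out.println("unsafe filter: NullPointerException on the project-level root node");
        }
        List<String> matched = collect(graph, safeClassifierFilter("no_aop"), new ArrayList<>());
        System.out.println("safe filter matched: " + matched);
    }
}
```

The point for anyone running this tool in CI: the NPE is raised at the root of the walk, so a single classifier-bearing dependency anywhere in the tree aborts the whole scan rather than producing a report with one artifact missing. A hard failure is the safer outcome for an SCA step, but it does mean a plugin upgrade like 6.3.1 to 6.3.2 should be tested against a project that actually contains classifiers before being rolled out.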

aikebah commented 2 years ago

Registered https://issues.apache.org/jira/browse/MSHARED-998

carlmolemans commented 2 years ago

Can we revert this until the fix in maven shared components is available? Apart from that, this introduces a breaking change and in my opinion should not just bump the patch version of this plugin.

aikebah commented 2 years ago

It's only a breaking change because the maven resolution is breaking. The change itself is a bugfix for a regression bug in 6.3: #3626. Unfortunately, apparently none of our test cases included a (direct or transitive) dependency with a classifier, which made this bug surface only in the wild.

viktor-thell-seal commented 2 years ago

@aikebah Great work digging into this. Do you have any experience with how long getting bugs fixed in Maven shared utilities might take? Also, will you add a test for this to ensure dependencies with classifiers work in the future?

aikebah commented 2 years ago

@viktor-thell-seal Definitely want to include a test to ensure this doesn't surface again in future. Still looking to see if we can change our internal resolution approach to mitigate the issue without requiring a fix in the maven shared utilities. No experience on my side regarding timelines for a fix in maven.

aikebah commented 2 years ago

Found a work-around that makes at least the sample project @acanda shared pass. Running some final validations to see if the new testcase properly breaks at this issue without the patch and when succeeding expect to file a PR later tonight for review by @jeremylong.

jeremylong commented 2 years ago

The fix will be released - hopefully Friday morning (US Eastern).

ghost commented 2 years ago

Could you leave this issue open until it is solved? I ran into the same issue and could not find this ticket. Probably many others will experience the same.

alexvanmanen commented 2 years ago

> released

Is it already solved? I ran into the same issue.

jeremylong commented 2 years ago

The fix will be in the next release - just finishing up testing.

m2ger commented 2 years ago

Had the same NPE with 6.3.2; updated the dependency-check-maven plugin version to 6.4.1 and can confirm this is no longer an issue here.

```xml
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>6.4.1</version>
    <reportSets>
        <reportSet>
            <reports>
                <report>aggregate</report>
            </reports>
        </reportSet>
    </reportSets>
</plugin>
```

ghost commented 2 years ago

Can confirm that 6.4.1 works. Thank you

vveider commented 2 years ago

I too can confirm that 6.4.1 fixed the issue.