jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

NullPointerException: Cannot invoke "org.sonatype.goodies.packageurl.PackageUrl.toString()" because "coordinates" is null #4535

Closed nhenneaux closed 2 years ago

nhenneaux commented 2 years ago

Analysis failing since this morning with Sonatype OSS Index Analyzer

Both dependency-check-maven:7.1.0 and dependency-check-maven:6.5.3 are impacted.

May 25 06:25:11 [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:aggregate (default) on project : One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis:
May 25 06:25:11 [ERROR]     AnalysisException: Failed to request component-reports
May 25 06:25:11 [ERROR]         caused by NullPointerException: Cannot invoke "org.sonatype.goodies.packageurl.PackageUrl.toString()" because "coordinates" is null
casid commented 2 years ago

We're facing the same issue since this morning.

ryandutton commented 2 years ago

We're facing the same issue as well

ramonaEs commented 2 years ago

We have the same issue with 6.5.3 and 7.1.0 as well as 7.0.4.

foolproofit commented 2 years ago

Maybe it's related to some breaking changes in OSS index -> https://ossindex.sonatype.org/updates-notice

smeligrana commented 2 years ago

We have the same issue with 7.1.0 since this morning.

ramonaEs commented 2 years ago

> Maybe it's related to some breaking changes in OSS index -> https://ossindex.sonatype.org/updates-notice

Could be as I receive the following error along the mentioned error:

AnalysisException: OSS Index rate limit exceeded
        caused by TransportException: Unexpected response; status: 429
rzo1 commented 2 years ago

We can confirm. Have the same issues with 7.1.0 and it is breaking our CI infrastructure.

[ERROR] AnalysisException: Failed to request component-reports
[ERROR] caused by NullPointerException: Cannot invoke "org.sonatype.goodies.packageurl.PackageUrl.toString()" because "coordinates" is null
[ERROR] AnalysisException: OSS Index rate limit exceeded
[ERROR] caused by TransportException: Unexpected response; status: 429
[ERROR] AnalysisException: OSS Index rate limit exceeded
Fynnyan commented 2 years ago

For mvn users, you can, for the moment, disable the OSS Index analyzer by adding the following to your plugin configuration:

<ossindexAnalyzerEnabled>false</ossindexAnalyzerEnabled>

ryandutton commented 2 years ago

We use the cli and have disabled it with the --disableOssIndex flag

yannickdeturck commented 2 years ago

When using Maven, you can also skip it via the mvn command to avoid having to adapt your plugin configuration in the pom.xml:

mvn verify -DossindexAnalyzerEnabled=false
tbattisti commented 2 years ago

Same issue here with 7.1.0

Regginator94 commented 2 years ago

For gradle users, you can disable OSS index by adding the following line to your dependencycheck plugin configuration: analyzers.ossIndexEnabled = false. Checked with org.owasp.dependencycheck version "7.1.0.1".

antonilic commented 2 years ago

@Regginator94 hello, I have added analyzers.ossIndexEnabled = false to the dependencyCheck section in the gradle file:

dependencyCheck {
    failBuildOnCVSS=0
    analyzers.ossIndexEnabled = false
}

But I am getting some errors anyway:

An error occurred while analyzing '/var/folders/r3/[...]/check17952063436082747962tmp/332/jacocoagent.jar' (Sonatype OSS Index Analyzer).

And I am using the version 7.1.0.1 for the dependency check plugin:

id "org.owasp.dependencycheck" version "7.1.0.1"
antonilic commented 2 years ago

Ok it works now. 👍

quiram commented 2 years ago

As per https://github.com/jeremylong/DependencyCheck/issues/4538 it looks like the root cause is index rate limiting that can be bypassed by registering and providing credentials, so maybe one doesn't need to disable the analyser.

serkandemirel commented 2 years ago

It works by providing valid Sonatype credentials. Register at https://ossindex.sonatype.org/user/register.

For Maven users:

Specify a server in your Maven settings ~/.m2/settings.xml (default location):

<servers>
    <server>
        <id>SERVER_ID</id>
        <username>USERNAME</username>
        <password>PASSWORD_OR_API_TOKEN</password>
    </server>
</servers>

Configure the dependency-check-maven plugin in your pom.xml:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <configuration>
        <ossIndexServerId>SERVER_ID</ossIndexServerId>
    </configuration>
</plugin>
j-s-3 commented 2 years ago

Hi All, Sonatype OSSI Product Manager here. Firstly, sorry that this caused you all trouble. The best path here is to make authenticated requests as not only will that increase your rate limit but will also provide you with the most complete/accurate data.

We are also investigating whether we can increase the anonymous rate limit specifically for Dependency Check and Dependency Track. I'll drop an update here later today.

nhenneaux commented 2 years ago

I don't think it was related to credentials as we were already providing OSS credentials for several months when I reported the issue this morning.

j-s-3 commented 2 years ago

Thanks @nhenneaux. We'll get this rolled back and then we can work together to make the necessary changes to dependency check to support the new IDs.

sysmat commented 2 years ago

For maven users, it helps with

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>7.1.0</version>
    <configuration>
        <skipSystemScope>true</skipSystemScope>
        <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
        <ossindexAnalyzerEnabled>false</ossindexAnalyzerEnabled>
        <reportSets>
            <reportSet>
                <reports>
                    <report>aggregate</report>
                </reports>
            </reportSet>
        </reportSets>
    </configuration>
</plugin>
mr-andres-carvajal commented 2 years ago

> Thanks @nhenneaux. We'll get this rolled back and then we can work together to make the necessary changes to dependency check to support the new IDs.

@jlstephens89 - Does this mean that we don't need to provide credentials? I still don't quite understand why providing the credentials has fixed it for us, and many here, yet some are reporting that it has not addressed their issue.

jeremylong commented 2 years ago

See https://github.com/jeremylong/DependencyCheck/issues/4539#issuecomment-1137183801

@jlstephens89 see my email about the missing coordinates in the API response causing an NPE...

j-s-3 commented 2 years ago

@jeremylong Thanks, well spotted. Looks like this is another bug. We're investigating now.

j-s-3 commented 2 years ago

Okay we've fixed the bug that was dropping the coordinates field and released. That should remove the NPE. We've hopefully also sorted the rate limit issue. It'd be great if someone could test and let me know.

norrs commented 2 years ago

@jlstephens89 Which tag/version? I'd happily test. Don't see anything newer than 7.1.0 here yet: https://github.com/jeremylong/DependencyCheck/releases

j-s-3 commented 2 years ago

> @jlstephens89 Which tag/version? I'd happily test. Don't see anything newer than 7.1.0 here yet: https://github.com/jeremylong/DependencyCheck/releases

We've fixed it in OSSIndex itself so you shouldn't have to change your DependencyCheck version

nikonovd commented 2 years ago

After retrying after your fix, we now receive the following error:

java.lang.NullPointerException: Cannot invoke "java.net.URI.toString()" because the return value of "org.sonatype.ossindex.service.api.componentreport.ComponentReportVulnerability.getReference()" is null
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform (OssIndexAnalyzer.java:350)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5 (OssIndexAnalyzer.java:256)
    at java.util.stream.ReferencePipeline$3$1.accept (ReferencePipeline.java:197)
    at java.util.ArrayList$ArrayListSpliterator.forEachRemaining (ArrayList.java:1625)
    at java.util.stream.AbstractPipeline.copyInto (AbstractPipeline.java:509)
    at java.util.stream.AbstractPipeline.wrapAndCopyInto (AbstractPipeline.java:499)
    at java.util.stream.ForEachOps$ForEachOp.evaluateSequential (ForEachOps.java:150)
    at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential (ForEachOps.java:173)
    at java.util.stream.AbstractPipeline.evaluate (AbstractPipeline.java:234)
    at java.util.stream.ReferencePipeline.forEachOrdered (ReferencePipeline.java:601)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich (OssIndexAnalyzer.java:257)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:163)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1136)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:635)
    at java.lang.Thread.run (Thread.java:833)

No credentials used at our side.
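Both failures in this thread, the original NPE on a null "coordinates" field and the follow-up NPE on a null vulnerability "reference", come from the client trusting every field of the OSS Index component-report JSON. The following is an added, hypothetical Python parser written for this page (not dependency-check's OssIndexAnalyzer and not Sonatype code) that tolerates both defects and records a warning instead of aborting the scan; the field names assume the component-report schema as described by the stack traces here, and the sample response is constructed.

```python
"""Tolerant parser for OSS Index component-report responses.

Hypothetical example for this thread; not the OssIndexAnalyzer code from
dependency-check and not Sonatype's client. It survives the two payload
defects discussed here: a report whose "coordinates" is null and a
vulnerability whose "reference" is null.
"""
import json
from dataclasses import dataclass, field
from typing import Any, List, Optional


@dataclass
class Vulnerability:
    vuln_id: str
    title: str
    cvss_score: Optional[float]
    reference: Optional[str]  # upstream dropped this field during the incident


@dataclass
class ComponentReport:
    coordinates: str  # package URL, e.g. pkg:maven/xerces/xercesImpl@2.12.1
    vulnerabilities: List[Vulnerability] = field(default_factory=list)


@dataclass
class ParseResult:
    reports: List[ComponentReport] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def _parse_vulnerability(coords: str, raw: Any, warnings: List[str]) -> Optional[Vulnerability]:
    """Build one Vulnerability; return None (and warn) if it has no id."""
    if not isinstance(raw, dict) or not raw.get("id"):
        warnings.append(f"{coords}: vulnerability entry without id; skipped")
        return None
    reference = raw.get("reference")
    if not isinstance(reference, str):
        # Second NPE in this thread: getReference() returned null. Keep the
        # finding, just without a link, rather than failing the whole scan.
        warnings.append(f"{coords}: {raw['id']} has no reference URL")
        reference = None
    score = raw.get("cvssScore")
    return Vulnerability(
        vuln_id=raw["id"],
        title=raw.get("title") or raw["id"],
        cvss_score=float(score) if isinstance(score, (int, float)) else None,
        reference=reference,
    )


def parse_component_reports(body: str) -> ParseResult:
    """Parse the JSON array returned by the component-report endpoint.

    A report without usable coordinates cannot be matched back to a
    dependency, so it is skipped with a warning instead of raising
    (first NPE in this thread: "coordinates" is null).
    """
    result = ParseResult()
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        result.warnings.append(f"response is not valid JSON: {exc.msg}")
        return result
    if not isinstance(payload, list):
        result.warnings.append("unexpected response shape: expected a JSON array")
        return result
    for index, entry in enumerate(payload):
        coords = entry.get("coordinates") if isinstance(entry, dict) else None
        if not isinstance(coords, str) or not coords.startswith("pkg:"):
            result.warnings.append(f"report #{index} has no coordinates; skipped")
            continue
        report = ComponentReport(coordinates=coords)
        raw_vulns = entry.get("vulnerabilities")
        for raw_vuln in raw_vulns if isinstance(raw_vulns, list) else []:
            vuln = _parse_vulnerability(coords, raw_vuln, result.warnings)
            if vuln is not None:
                report.vulnerabilities.append(vuln)
        result.reports.append(report)
    return result


# Constructed sample response: entry 0 is well formed, entry 1 has the null
# coordinates from the first NPE, entry 2 has the null reference from the second.
SAMPLE_RESPONSE = json.dumps([
    {
        "coordinates": "pkg:maven/xerces/xercesImpl@2.12.1",
        "vulnerabilities": [{
            "id": "CVE-2022-23437",
            "title": "constructed title",
            "cvssScore": 6.5,  # score constructed for the example
            "reference": "https://example.invalid/CVE-2022-23437",  # constructed URL
        }],
    },
    {"coordinates": None, "vulnerabilities": []},
    {
        "coordinates": "pkg:maven/org.bouncycastle/bcprov-jdk15on@1.68",
        "vulnerabilities": [{
            "id": "PLACEHOLDER-VULN-ID",  # constructed, not a real advisory
            "title": "constructed title",
            "cvssScore": 5.0,
            "reference": None,
        }],
    },
])

if __name__ == "__main__":
    parsed = parse_component_reports(SAMPLE_RESPONSE)
    for warning in parsed.warnings:
        print("WARNING:", warning)
    for report in parsed.reports:
        print(report.coordinates, [v.vuln_id for v in report.vulnerabilities])
```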

j-s-3 commented 2 years ago

> After retrying after your fix, we receive now the following Error: java.lang.NullPointerException: Cannot invoke "java.net.URI.toString()" because the return value of "org.sonatype.ossindex.service.api.componentreport.ComponentReportVulnerability.getReference()" is null
>
> No credentials used at our side.

Thanks @nikonovd, working on it.

norrs commented 2 years ago

@jlstephens89 Seems to be working for me on the latest version. Tested both in our AWS pipeline running the OWASP scan and locally on my dev machine. Seems to have found a new identified vulnerability as well.

spring-security-crypto-5.7.1.jar: CVE-2020-5408(6.5).

Thanks.

edit: command issued: mvn -DskipTests=true --no-transfer-progress -Powasp clean org.owasp:dependency-check-maven:aggregate

our owasp profile:

<profile>
  <id>owasp</id>
  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${org.owasp.dependency.version}</version>
        <configuration>
          <suppressionFiles>${project.monoBasePath}/alp-owasp-suppressions.xml</suppressionFiles>
          <failBuildOnCVSS>1</failBuildOnCVSS>
          <enableExperimental>true</enableExperimental>
          <yarnAuditAnalyzerEnabled>true</yarnAuditAnalyzerEnabled>
          <retireJsAnalyzerEnabled>true</retireJsAnalyzerEnabled>
          <!-- Disable .NET content -->
          <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
          <nugetconfAnalyzerEnabled>false</nugetconfAnalyzerEnabled>
          <nuspecAnalyzerEnabled>false</nuspecAnalyzerEnabled>
          <formats>
            <format>ALL</format>
          </formats>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>aggregate</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
  <dependencies>
    <dependency>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>${org.owasp.dependency.version}</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</profile>
j-s-3 commented 2 years ago

> @jlstephens89 Seems to be working for me on latest version. Tested both in our AWS pipeline running the OWASP scan and locally on my dev machine. Seem to have found a new identified vulnerability as well.
>
> spring-security-crypto-5.7.1.jar: CVE-2020-5408(6.5).
>
> Thanks.

@norrs That's great news

j-s-3 commented 2 years ago

> After retrying after your fix, we receive now the following Error: java.lang.NullPointerException: Cannot invoke "java.net.URI.toString()" because the return value of "org.sonatype.ossindex.service.api.componentreport.ComponentReportVulnerability.getReference()" is null
>
> No credentials used at our side.

Do you know which component this was against?

nikonovd commented 2 years ago

> After retrying after your fix, we receive now the following Error: java.lang.NullPointerException: Cannot invoke "java.net.URI.toString()" because the return value of "org.sonatype.ossindex.service.api.componentreport.ComponentReportVulnerability.getReference()" is null No credentials used at our side.
>
> Do you know which component this was against?

Sorry, I updated the full stack trace in my previous comment.

binoternary commented 2 years ago

I'm getting these errors:

Failed to fetch component-report for: pkg:maven/org.bouncycastle/bcprov-jdk15on@1.68
java.lang.NullPointerException
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform(OssIndexAnalyzer.java:350)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5(OssIndexAnalyzer.java:256)
        at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
        at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
        at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
        at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
        at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.base/java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:502)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:257)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:163)
        at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:829)
Failed to fetch component-report for: pkg:maven/xerces/xercesImpl@2.12.1
java.lang.NullPointerException
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform(OssIndexAnalyzer.java:350)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5(OssIndexAnalyzer.java:256)
        at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
        at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
        at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
        at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
        at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.base/java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:502)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:257)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:163)
        at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:829)
mr-andres-carvajal commented 2 years ago

Getting some errors, but the build is successful:

Failed to fetch component-report for: pkg:maven/io.github.classgraph/classgraph@4.8.60
java.lang.NullPointerException
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform(OssIndexAnalyzer.java:339)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5(OssIndexAnalyzer.java:245)
        at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
        at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1384)
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
        at java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
        at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:490)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:246)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:158)
        at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Failed to fetch component-report for: pkg:maven/com.google.guava/guava@30.1-jre
java.lang.NullPointerException
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform(OssIndexAnalyzer.java:339)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5(OssIndexAnalyzer.java:245)
        at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
        at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1384)
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
        at java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
        at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:490)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:246)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:158)
        at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Failed to fetch component-report for: pkg:maven/org.bouncycastle/bcprov-jdk15on@1.68
java.lang.NullPointerException
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform(OssIndexAnalyzer.java:339)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5(OssIndexAnalyzer.java:245)
        at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
        at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1384)
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
        at java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
        at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:490)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:246)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:158)
        at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Failed to fetch component-report for: pkg:maven/xerces/xercesImpl@2.12.1
java.lang.NullPointerException
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform(OssIndexAnalyzer.java:339)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5(OssIndexAnalyzer.java:245)
        at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
        at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1384)
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
        at java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
        at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:490)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:246)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:158)
        at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

> Task :dependencyCheckAnalyze
Generating report for project test
Found 2 vulnerabilities in project test

One or more dependencies were identified with known vulnerabilities in test:

json-smart-2.3.jar (pkg:maven/net.minidev/json-smart@2.3, cpe:2.3:a:ini-parser_project:ini-parser:2.3:*:*:*:*:*:*:*, cpe:2.3:a:json-smart_project:json-smart-v2:2.3:*:*:*:*:*:*:*) : CVE-2021-31684
xercesImpl-2.12.1.jar (pkg:maven/xerces/xercesImpl@2.12.1) : CVE-2022-23437

See the dependency-check report for more details.

BUILD SUCCESSFUL in 1m 56s

Not getting those warnings if I use credentials on the gradle plugin

antonilic commented 2 years ago

I am getting the following:

Failed to fetch component-report for: pkg:maven/xerces/xercesImpl@2.12.0
java.lang.NullPointerException
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform(OssIndexAnalyzer.java:350)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5(OssIndexAnalyzer.java:256)
        at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
        at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
        at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
        at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
        at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.base/java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:502)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:257)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:163)
        at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:829)

One or more dependencies were identified with known vulnerabilities in example-app:

xercesImpl-2.12.0.jar (pkg:maven/xerces/xercesImpl@2.12.0) : CVE-2022-23437

and the build isn't successful.

hylkevds commented 2 years ago

Also getting those exceptions, for the packages:

[WARNING] Failed to fetch component-report for: pkg:maven/commons-codec/commons-codec@1.10
[WARNING] Failed to fetch component-report for: pkg:maven/commons-codec/commons-codec@1.11
[WARNING] Failed to fetch component-report for: pkg:maven/io.netty/netty-codec@4.1.53.Final
[WARNING] Failed to fetch component-report for: pkg:maven/io.netty/netty-handler@4.1.53.Final
[WARNING] Failed to fetch component-report for: pkg:maven/org.bouncycastle/bcprov-jdk15on@1.68
[WARNING] Failed to fetch component-report for: pkg:maven/org.geolatte/geolatte-geom@0.15
j-s-3 commented 2 years ago

Fix released and tested for the latest NPEs. Test again and let me know if there are any more issues (also super sorry to disrupt everyone's day!)

antonilic commented 2 years ago

@jlstephens89 thanks for your help but it still doesn't work in my case. I can still see the NPEs and it still raises some dependencies as vulnerable. If I disable the analyser it works ok, so no NPEs nor vulnerabilities.

Do I need to do anything in my gradle file? I am using the version 7.1.0.1 of the dependencycheck plugin.

doddi commented 2 years ago

> @jlstephens89 thanks for your help but it still doesn't work in my case. I can still see the NPEs and it still raises some dependencies as vulnerable. If I disable the analyser it works ok, so no NPEs nor vulnerabilities.
>
> Do I need to do anything in my gradle file? I am using the version 7.1.0.1 of the dependencycheck plugin.

@antonilic you should not need to make any changes to your build file, it is all changes on OSSIndex. Can you provide a stack trace? It's possibly now related to your cache (see https://github.com/jeremylong/DependencyCheck/issues/4527#issuecomment-1137290349). Can you provide a stack trace again?

antonilic commented 2 years ago

Hello, thanks for the comment. I have provided a stack trace in a comment above:

https://github.com/jeremylong/DependencyCheck/issues/4535#issuecomment-1137269719

heidenthal commented 2 years ago

@jlstephens89, I too am still seeing errors

Failed to fetch component-report for: pkg:maven/org.glassfish.jersey.core/jersey-common@2.5.1
java.lang.NullPointerException
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform(OssIndexAnalyzer.java:350)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5(OssIndexAnalyzer.java:256)
        at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
        at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
        at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
        at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
        at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.base/java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:502)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:257)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:163)
        at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:829)

norrs commented 2 years ago

@jlstephens89 I mentioned earlier that it found a new security issue, I looked a bit closer into it and it seems to be a false report: https://github.com/jeremylong/DependencyCheck/issues/4528#issuecomment-1136062589 . Related to these updates that are happening now to use your new databases?

Because 5.7.1 doesn't match the vulnerable version numbers as mentioned in the CVE-2020-5408 or json record you can view at cve.org.

EDIT: Might be a separate issue than this, and you can disregard this comment here and handle it in #4528 I suppose.

nhenneaux commented 2 years ago

I have just tested one pipeline on my side and it works now, thanks for the quick feedback and fixes @jlstephens89 @jeremylong !! :pray: I'm still waiting for reports from all pipelines but it is progressing, thanks for that!

j-s-3 commented 2 years ago

@jlstephens89 I mentioned earlier that it found a new security issue, I looked a bit closer into it and it seems to be a false report: #4528 (comment) . Related to these updates that are happening now to use your new databases?

Because 5.7.1 doesn't match the vulnerable version numbers as mentioned in the CVE-2020-5408 or json record you can view at cve.org.

@norrs It's more likely that our research team has found that the public CVE information is incorrect. Our team of researchers goes much deeper than anything else that is publicly available. Email me privately at jstephens@sonatype.com with the component and CVE information and I'll pass it on to the research team to double-check for you and get you some more information.

norrs commented 2 years ago

@jlstephens89 I mentioned earlier that it found a new security issue, I looked a bit closer into it and it seems to be a false report: #4528 (comment) . Related to these updates that are happening now to use your new databases?

Because 5.7.1 doesn't match the vulnerable version numbers as mentioned in the CVE-2020-5408 or json record you can view at cve.org.

@jlstephens89: After suppressing the found vulnerability, I still get a warning with an NPE, but the org.owasp:dependency-check-maven:aggregate report runs successfully though.

Log:

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (0 seconds)
[INFO] Finished Node.js Package Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (0 seconds)
[INFO] Finished NPM CPE Analyzer (0 seconds)
[INFO] Created CPE Index (0 seconds)
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished RetireJS Analyzer (16 seconds)
[WARNING] Failed to fetch component-report for: pkg:maven/javax.mail/mail@1.5.0-b01
java.lang.NullPointerException
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform (OssIndexAnalyzer.java:350)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5 (OssIndexAnalyzer.java:256)
    at java.util.stream.ReferencePipeline$3$1.accept (ReferencePipeline.java:195)
    at java.util.ArrayList$ArrayListSpliterator.forEachRemaining (ArrayList.java:1655)
    at java.util.stream.AbstractPipeline.copyInto (AbstractPipeline.java:484)
    at java.util.stream.AbstractPipeline.wrapAndCopyInto (AbstractPipeline.java:474)
    at java.util.stream.ForEachOps$ForEachOp.evaluateSequential (ForEachOps.java:150)
    at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential (ForEachOps.java:173)
    at java.util.stream.AbstractPipeline.evaluate (AbstractPipeline.java:234)
    at java.util.stream.ReferencePipeline.forEachOrdered (ReferencePipeline.java:502)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich (OssIndexAnalyzer.java:257)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:163)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:834)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (19 seconds)
[INFO] Writing report to: /*snip*/unit/alp/target/dependency-check-report.xml
[INFO] Writing report to: /*snip*/unit/alp/target/dependency-check-report.html
[INFO] Writing report to: /*snip*/unit/alp/target/dependency-check-report.json
[INFO] Writing report to: /*snip*/unit/alp/target/dependency-check-report.csv
[INFO] Writing report to: /*snip*/unit/alp/target/dependency-check-report.sarif
[INFO] Writing report to: /*snip*/unit/alp/target/dependency-check-junit.xml
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO] 
[INFO] alp 1.0-SNAPSHOT ................................... SUCCESS [ 29.271 s]
*snip*
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  29.574 s
[INFO] Finished at: 2022-05-25T17:45:13+02:00

Do you want us to keep reporting the NPEs of artifacts we find in our builds? Or create a new separate issue for each of them?

:thinking: This might be a different error from the one in the issue title.
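The two practical problems in this thread are a component report coming back with null coordinates (which the analyzer turned into a fatal NullPointerException) and a finding that has to be suppressed once it has been verified as a false positive. The following is an added example written for this page; it is not code from DependencyCheck or from Sonatype. It follows the public OSS Index REST API shape (POST https://ossindex.sonatype.org/api/v3/component-report with a JSON body `{"coordinates": [purl, ...]}`, answered by a JSON array of reports) and the dependency-check suppression schema 1.3. The per-request limit of 128 coordinates, the sample response, the `EXAMPLE-0001` vulnerability and the purl `pkg:maven/com.example/demo@5.7.1` are assumptions constructed for the example (the thread does not name the 5.7.1 component).

```python
"""Null-safe handling of OSS Index component reports, plus generation of a
dependency-check suppression rule for a finding verified as a false positive.

Added example, not DependencyCheck or Sonatype code. MAX_BATCH, the sample
response and the com.example purl are assumptions made for this example.
"""
import json
import re
import xml.etree.ElementTree as ET

OSSINDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
MAX_BATCH = 128  # assumed per-request coordinate limit of the OSS Index API
SUPPRESSION_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"


def build_requests(purls):
    """Return JSON request bodies, de-duplicated and split into MAX_BATCH chunks."""
    unique = list(dict.fromkeys(purls))
    return [json.dumps({"coordinates": unique[i:i + MAX_BATCH]})
            for i in range(0, len(unique), MAX_BATCH)]


def parse_component_reports(requested, response_body):
    """Map each requested purl to its vulnerability list without assuming the
    response is well-formed.

    Returns (reports, problems): reports maps purl -> list of vulnerability
    dicts, or None when no report came back; problems lists entries that could
    not be attributed to a requested purl. A report whose "coordinates" is null
    is the condition that made OssIndexAnalyzer.transform throw in this thread;
    here it is recorded as a problem instead of aborting the whole analysis.
    """
    reports = {p: None for p in requested}
    problems = []
    try:
        entries = json.loads(response_body)
    except ValueError as exc:
        return reports, [f"response is not JSON: {exc}"]
    if not isinstance(entries, list):
        return reports, ["response is not a JSON array"]
    for idx, entry in enumerate(entries):
        if not isinstance(entry, dict):
            problems.append(f"entry {idx}: not a JSON object")
            continue
        purl = entry.get("coordinates")
        if not isinstance(purl, str) or not purl:
            problems.append(f"entry {idx}: coordinates is null or empty")
            continue
        if purl not in reports:
            problems.append(f"entry {idx}: unrequested coordinates {purl}")
            continue
        vulns = entry.get("vulnerabilities") or []
        reports[purl] = [v for v in vulns if isinstance(v, dict)]
    problems.extend(f"no report returned for {p}"
                    for p, v in reports.items() if v is None)
    return reports, problems


def suppression_xml(purl, vuln_name, notes):
    """Render a dependency-check suppression (schema 1.3) that silences one
    vulnerability for one exact package URL. CVE ids go in <cve>; other
    identifiers (e.g. OSS Index names) go in <vulnerabilityName>."""
    root = ET.Element("suppressions", xmlns=SUPPRESSION_NS)
    sup = ET.SubElement(root, "suppress")
    ET.SubElement(sup, "notes").text = notes
    # regex="true" with anchors and escaping: match only this purl, nothing broader
    ET.SubElement(sup, "packageUrl", regex="true").text = "^" + re.escape(purl) + "$"
    tag = "cve" if vuln_name.upper().startswith("CVE-") else "vulnerabilityName"
    ET.SubElement(sup, tag).text = vuln_name
    return ET.tostring(root, encoding="unicode")


# Constructed sample: two purls seen in this thread plus one hypothetical one.
SAMPLE_PURLS = [
    "pkg:maven/javax.mail/mail@1.5.0-b01",
    "pkg:maven/org.glassfish.jersey.core/jersey-common@2.5.1",
    "pkg:maven/com.example/demo@5.7.1",
]
# Constructed response: the second entry has null coordinates, mimicking the
# condition reported in the thread; the EXAMPLE-0001 vulnerability is made up.
SAMPLE_RESPONSE = json.dumps([
    {"coordinates": "pkg:maven/org.glassfish.jersey.core/jersey-common@2.5.1",
     "vulnerabilities": []},
    {"coordinates": None, "vulnerabilities": []},
    {"coordinates": "pkg:maven/com.example/demo@5.7.1",
     "vulnerabilities": [{"id": "EXAMPLE-0001", "displayName": "CVE-2020-5408",
                          "cve": "CVE-2020-5408"}]},
])

if __name__ == "__main__":
    reports, problems = parse_component_reports(SAMPLE_PURLS, SAMPLE_RESPONSE)
    for purl, vulns in reports.items():
        print(purl, "->", "no report" if vulns is None else [v["id"] for v in vulns])
    for p in problems:
        print("WARN", p)
    print(suppression_xml("pkg:maven/com.example/demo@5.7.1", "CVE-2020-5408",
                          "False positive: 5.7.1 is not in the affected versions of the CVE record"))
```

The suppression pins the exact package URL rather than a bare `<cve>` entry, so the rule stops applying as soon as the dependency changes version and has to be re-verified; the null-coordinates entry surfaces as a warning for the one artifact instead of failing the scan of every dependency in the batch.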

j-s-3 commented 2 years ago

@norrs Thanks, that one has been reported a few times now and we're looking at it. Think we're getting to the bottom of this one NPE at a time. Hopefully this is the last 😅

j-s-3 commented 2 years ago

@norrs can you test again now please?

norrs commented 2 years ago

@jlstephens89 Still NPE warning on: Failed to fetch component-report for: pkg:maven/javax.mail/mail@1.5.0-b01 java.lang.NullPointerException

EDIT: tried again on 26 May at 12:36 CEST, still getting the following stack trace:

[WARNING] Failed to fetch component-report for: pkg:maven/javax.mail/mail@1.5.0-b01
java.lang.NullPointerException
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform (OssIndexAnalyzer.java:350)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5 (OssIndexAnalyzer.java:256)
    at java.util.stream.ReferencePipeline$3$1.accept (ReferencePipeline.java:195)
    at java.util.ArrayList$ArrayListSpliterator.forEachRemaining (ArrayList.java:1655)
    at java.util.stream.AbstractPipeline.copyInto (AbstractPipeline.java:484)
    at java.util.stream.AbstractPipeline.wrapAndCopyInto (AbstractPipeline.java:474)
    at java.util.stream.ForEachOps$ForEachOp.evaluateSequential (ForEachOps.java:150)
    at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential (ForEachOps.java:173)
    at java.util.stream.AbstractPipeline.evaluate (AbstractPipeline.java:234)
    at java.util.stream.ReferencePipeline.forEachOrdered (ReferencePipeline.java:502)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich (OssIndexAnalyzer.java:257)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:163)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:834)

Latest 7.1.0 release of dependency-check.

hylkevds commented 2 years ago

Also still failing on:

doddi commented 2 years ago

@hylkevds Once again, apologies for not getting to the bottom of this sooner. Could I ask you to try again? I have made some changes that should hopefully take care of the NPE. If this is not fixed for you, could I ask you to provide a stack trace and the version of DependencyCheck you are using?