jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

java.lang.NullPointerException #5579

Closed mhienle closed 1 year ago

mhienle commented 1 year ago

Describe the bug
Similar to #5144, we observe a NullPointerException when scanning a dotnet project. However, in our project file, no Remove attribute is present.

Version of dependency-check used
The problem occurs using version 8.2.0 of the cli. The problem does not occur using version 8.1.2 of the cli.

Log file
Slightly redacted log output when using v8.2.0

[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[WARN] An error occurred while analyzing '/data/jenkins/workspace/redacted.csproj' (MSBuild Project Analyzer).
[INFO] Finished MSBuild Project Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARN] Unable to determine Package-URL identifiers for 1 dependencies
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Known Exploited Vulnerability Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[INFO] Analysis Complete (1 seconds)
[INFO] Writing report to: /data/jenkins/workspace/redacted/depcheck/dependency-check-junit.xml
[INFO] Writing report to: /data/jenkins/workspace/redacted/depcheck/dependency-check-report.html
[INFO] Writing report to: /data/jenkins/workspace/redacted/depcheck/dependency-check-report.xml
[ERROR] java.lang.NullPointerException

csproj file

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net7.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="CommandLineParser" Version="2.9.1" />
    <PackageReference Include="FluentMigrator" Version="3.3.2" />
    <PackageReference Include="FluentMigrator.Runner" Version="3.3.2" />
    <PackageReference Include="FluentMigrator.Runner.Postgres" Version="3.3.2" />
    <PackageReference Include="Npgsql" Version="7.0.2" />
    <PackageReference Include="System.Drawing.Common" Version="7.0.0" />
  </ItemGroup>
</Project>

To Reproduce
n/a

Expected behavior
No exception is thrown.

Additional context
n/a

jeremylong commented 1 year ago

Duplicate of #5578. Any chance you can provide an actual log file? --log odc.log?

jeremylong commented 1 year ago

We need more of the stack trace following the NPE.
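
Added example (not part of the thread and not dependency-check code): a Python sketch that pulls out of a `--log` file which analyzer failed, on which file, and the innermost `Caused by` frame. The sample log is constructed in the two-line layout of the log posted in this issue; the path and all function names are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: "timestamp logger:line" header, then "LEVEL - message",
# then optional continuation lines (a stack trace). The path is a placeholder.
SAMPLE_LOG = """\
2023-03-22 12:55:14,580 org.owasp.dependencycheck.AnalysisTask:86
DEBUG - Begin Analysis of '/work/example.csproj' (MSBuild Project Analyzer)
2023-03-22 12:55:14,580 org.owasp.dependencycheck.AnalysisTask:90
WARN  - An error occurred while analyzing '/work/example.csproj' (MSBuild Project Analyzer).
2023-03-22 12:55:14,582 org.owasp.dependencycheck.AnalysisTask:91
DEBUG -
org.owasp.dependencycheck.analyzer.exception.AnalysisException: java.lang.NullPointerException
    at org.owasp.dependencycheck.analyzer.MSBuildProjectAnalyzer.analyzeDependency(MSBuildProjectAnalyzer.java:210)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
Caused by: java.lang.NullPointerException: null
    at org.owasp.dependencycheck.analyzer.MSBuildProjectAnalyzer.loadDirectoryBuildProps(MSBuildProjectAnalyzer.java:231)
    at org.owasp.dependencycheck.analyzer.MSBuildProjectAnalyzer.analyzeDependency(MSBuildProjectAnalyzer.java:143)
    ... 7 common frames omitted
2023-03-22 12:55:14,583 org.owasp.dependencycheck.Engine:673
INFO  - Finished MSBuild Project Analyzer (0 seconds)
2023-03-22 12:55:16,706 org.owasp.dependencycheck.Engine:685
INFO  - Analysis Complete (2 seconds)
"""

HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (\S+):(\d+)$")
LEVEL = re.compile(r"^(DEBUG|INFO|WARN|ERROR)\s*-\s?(.*)$")
FAILED = re.compile(r"^An error occurred while analyzing '(.+)' \((.+)\)\.$")
FRAME = re.compile(r"^\s+at (\S+)\((.+)\)$")


@dataclass
class Entry:
    timestamp: str
    logger: str
    level: str = ""
    message: str = ""
    extra: List[str] = field(default_factory=list)  # continuation lines


@dataclass
class AnalyzerFailure:
    analyzer: str
    file: str
    root_cause: Optional[str]  # innermost exception line, if a trace was logged
    root_frame: Optional[str]  # first frame listed under that exception


def parse_entries(text: str) -> List[Entry]:
    """Group the log into entries; lines before the first header are ignored."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = Entry(m.group(1), f"{m.group(2)}:{m.group(3)}")
            entries.append(current)
        elif current is None:
            continue  # banner lines such as "BEGIN ANALYSIS"
        elif not current.level and (lm := LEVEL.match(line)):
            current.level, current.message = lm.group(1), lm.group(2)
        else:
            current.extra.append(line)
    return entries


def root_cause(trace_lines: List[str]):
    """Return (exception, first frame) of the last 'Caused by:' block, or of
    the top-level exception when no cause is chained."""
    exc, frame = None, None
    for line in trace_lines:
        if line.startswith("Caused by: "):
            exc, frame = line[len("Caused by: "):], None
        elif exc is None and line.strip() and not line.startswith((" ", "\t")):
            exc = line.strip()
        elif exc is not None and frame is None and (fm := FRAME.match(line)):
            frame = f"{fm.group(1)}({fm.group(2)})"
    return exc, frame


def find_analyzer_failures(text: str) -> List[AnalyzerFailure]:
    entries = parse_entries(text)
    failures = []
    for i, entry in enumerate(entries):
        m = FAILED.match(entry.message) if entry.level == "WARN" else None
        if not m:
            continue
        # Assumption: the trace, when logged, is the body of the next entry.
        trace = entries[i + 1].extra if i + 1 < len(entries) else []
        exc, frame = root_cause(trace)
        failures.append(AnalyzerFailure(m.group(2), m.group(1), exc, frame))
    return failures


def incomplete_scan(text: str) -> bool:
    """True when the run logged completion although an analyzer raised an error."""
    completed = any(e.message.startswith("Analysis Complete") for e in parse_entries(text))
    return completed and bool(find_analyzer_failures(text))


if __name__ == "__main__":
    for f in find_analyzer_failures(SAMPLE_LOG):
        print(f"{f.analyzer} failed on {f.file}: {f.root_cause} at {f.root_frame}")
    raise SystemExit(1 if incomplete_scan(SAMPLE_LOG) else 0)
```

Run as a CI step, the non-zero exit keeps a run that logged "Analysis Complete" after an analyzer error from being treated as a clean scan.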

mhienle commented 1 year ago

Thanks for the fast response. Here is a redacted log file.

----------------------------------------------------
BEGIN ANALYSIS
----------------------------------------------------
2023-03-22 12:55:14,568 org.owasp.dependencycheck.Engine:650
INFO  - Analysis Started
2023-03-22 12:55:14,568 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing Archive Analyzer
2023-03-22 12:55:14,568 org.owasp.dependencycheck.Engine:675
DEBUG - Skipping Archive Analyzer (not enabled)
2023-03-22 12:55:14,568 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing Ruby Bundle Audit Analyzer
2023-03-22 12:55:14,569 org.owasp.dependencycheck.Engine:675
DEBUG - Skipping Ruby Bundle Audit Analyzer (not enabled)
2023-03-22 12:55:14,569 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing File Name Analyzer
2023-03-22 12:55:14,569 org.owasp.dependencycheck.Engine:758
DEBUG - Starting File Name Analyzer
2023-03-22 12:55:14,570 org.owasp.dependencycheck.Engine:806
DEBUG - Parallel processing with up to 16 threads: File Name Analyzer.
2023-03-22 12:55:14,572 org.owasp.dependencycheck.AnalysisTask:86
DEBUG - Begin Analysis of '/data/jenkins/workspace/redacted.csproj' (File Name Analyzer)
2023-03-22 12:55:14,577 org.owasp.dependencycheck.Engine:673
INFO  - Finished File Name Analyzer (0 seconds)
2023-03-22 12:55:14,578 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing Jar Analyzer
2023-03-22 12:55:14,578 org.owasp.dependencycheck.Engine:675
DEBUG - Skipping Jar Analyzer (not enabled)
2023-03-22 12:55:14,579 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing Central Analyzer
2023-03-22 12:55:14,579 org.owasp.dependencycheck.Engine:675
DEBUG - Skipping Central Analyzer (not enabled)
2023-03-22 12:55:14,579 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing Nexus Analyzer
2023-03-22 12:55:14,579 org.owasp.dependencycheck.analyzer.AbstractAnalyzer:104
DEBUG - Nexus Analyzer has been disabled
2023-03-22 12:55:14,579 org.owasp.dependencycheck.Engine:675
DEBUG - Skipping Nexus Analyzer (not enabled)
2023-03-22 12:55:14,579 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing Artifactory Analyzer
2023-03-22 12:55:14,579 org.owasp.dependencycheck.analyzer.AbstractAnalyzer:104
DEBUG - Artifactory Analyzer has been disabled
2023-03-22 12:55:14,579 org.owasp.dependencycheck.Engine:675
DEBUG - Skipping Artifactory Analyzer (not enabled)
2023-03-22 12:55:14,579 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing Nuspec Analyzer
2023-03-22 12:55:14,579 org.owasp.dependencycheck.Engine:675
DEBUG - Skipping Nuspec Analyzer (not enabled)
2023-03-22 12:55:14,579 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing Nugetconf Analyzer
2023-03-22 12:55:14,579 org.owasp.dependencycheck.Engine:675
DEBUG - Skipping Nugetconf Analyzer (not enabled)
2023-03-22 12:55:14,579 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing MSBuild Project Analyzer
2023-03-22 12:55:14,579 org.owasp.dependencycheck.Engine:758
DEBUG - Starting MSBuild Project Analyzer
2023-03-22 12:55:14,580 org.owasp.dependencycheck.Engine:806
DEBUG - Parallel processing with up to 16 threads: MSBuild Project Analyzer.
2023-03-22 12:55:14,580 org.owasp.dependencycheck.AnalysisTask:86
DEBUG - Begin Analysis of '/data/jenkins/workspace/redacted.csproj' (MSBuild Project Analyzer)
2023-03-22 12:55:14,580 org.owasp.dependencycheck.AnalysisTask:90
WARN  - An error occurred while analyzing '/data/jenkins/workspace/redacted.csproj' (MSBuild Project Analyzer).
2023-03-22 12:55:14,582 org.owasp.dependencycheck.AnalysisTask:91
DEBUG - 
org.owasp.dependencycheck.analyzer.exception.AnalysisException: java.lang.NullPointerException
    at org.owasp.dependencycheck.analyzer.MSBuildProjectAnalyzer.analyzeDependency(MSBuildProjectAnalyzer.java:210)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.lang.NullPointerException: null
    at org.owasp.dependencycheck.analyzer.MSBuildProjectAnalyzer.loadDirectoryBuildProps(MSBuildProjectAnalyzer.java:231)
    at org.owasp.dependencycheck.analyzer.MSBuildProjectAnalyzer.analyzeDependency(MSBuildProjectAnalyzer.java:143)
    ... 7 common frames omitted
2023-03-22 12:55:14,583 org.owasp.dependencycheck.Engine:673
INFO  - Finished MSBuild Project Analyzer (0 seconds)
2023-03-22 12:55:14,583 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing Assembly Analyzer
2023-03-22 12:55:14,583 org.owasp.dependencycheck.analyzer.AbstractAnalyzer:104
DEBUG - Assembly Analyzer has been disabled
2023-03-22 12:55:14,583 org.owasp.dependencycheck.Engine:675
DEBUG - Skipping Assembly Analyzer (not enabled)
2023-03-22 12:55:14,583 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing OpenSSL Source Analyzer
2023-03-22 12:55:14,583 org.owasp.dependencycheck.Engine:675
DEBUG - Skipping OpenSSL Source Analyzer (not enabled)
2023-03-22 12:55:14,583 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing Node.js Package Analyzer
2023-03-22 12:55:14,583 org.owasp.dependencycheck.Engine:675
DEBUG - Skipping Node.js Package Analyzer (not enabled)
2023-03-22 12:55:14,583 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing Dependency Merging Analyzer
2023-03-22 12:55:14,583 org.owasp.dependencycheck.Engine:758
DEBUG - Starting Dependency Merging Analyzer
2023-03-22 12:55:14,583 org.owasp.dependencycheck.Engine:809
DEBUG - Parallel processing is not supported: Dependency Merging Analyzer.
2023-03-22 12:55:14,584 org.owasp.dependencycheck.AnalysisTask:86
DEBUG - Begin Analysis of '/data/jenkins/workspace/redacted.csproj' (Dependency Merging Analyzer)
2023-03-22 12:55:14,584 org.owasp.dependencycheck.Engine:673
INFO  - Finished Dependency Merging Analyzer (0 seconds)
2023-03-22 12:55:14,585 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing Version Filter Analyzer
2023-03-22 12:55:14,585 org.owasp.dependencycheck.Engine:758
DEBUG - Starting Version Filter Analyzer
2023-03-22 12:55:14,585 org.owasp.dependencycheck.Engine:806
DEBUG - Parallel processing with up to 16 threads: Version Filter Analyzer.
2023-03-22 12:55:14,585 org.owasp.dependencycheck.AnalysisTask:86
DEBUG - Begin Analysis of '/data/jenkins/workspace/redacted.csproj' (Version Filter Analyzer)
2023-03-22 12:55:14,586 org.owasp.dependencycheck.Engine:673
INFO  - Finished Version Filter Analyzer (0 seconds)
2023-03-22 12:55:14,586 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing Hint Analyzer
2023-03-22 12:55:14,663 org.owasp.dependencycheck.analyzer.HintAnalyzer:333
DEBUG - 50 hint rules were loaded.
2023-03-22 12:55:14,664 org.owasp.dependencycheck.analyzer.HintAnalyzer:334
DEBUG - 6 duplicating hint rules were loaded.
2023-03-22 12:55:14,664 org.owasp.dependencycheck.Engine:758
DEBUG - Starting Hint Analyzer
2023-03-22 12:55:14,664 org.owasp.dependencycheck.Engine:806
DEBUG - Parallel processing with up to 16 threads: Hint Analyzer.
2023-03-22 12:55:14,665 org.owasp.dependencycheck.AnalysisTask:86
DEBUG - Begin Analysis of '/data/jenkins/workspace/redacted.csproj' (Hint Analyzer)
2023-03-22 12:55:14,666 org.owasp.dependencycheck.Engine:673
INFO  - Finished Hint Analyzer (0 seconds)
2023-03-22 12:55:14,667 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing CPE Analyzer
2023-03-22 12:55:16,451 org.owasp.dependencycheck.analyzer.CPEAnalyzer:231
INFO  - Created CPE Index (1 seconds)
2023-03-22 12:55:16,451 org.owasp.dependencycheck.analyzer.CPEAnalyzer:206
DEBUG - Skipping CPE Analysis for npm
2023-03-22 12:55:16,559 org.owasp.dependencycheck.utils.Settings:1180
DEBUG - Settings.getDataFile() - file: '/var/cache/dependency-check-data'
2023-03-22 12:55:16,559 org.owasp.dependencycheck.utils.Settings:1180
DEBUG - Settings.getDataFile() - file: '/var/cache/dependency-check-data'
2023-03-22 12:55:16,585 org.owasp.dependencycheck.utils.WriteLock:168
DEBUG - Lock file created (main) 761457e8bf1a1bd525f274e11f9bb34f @ 2023-03-22 12:55:16.585
2023-03-22 12:55:16,587 org.owasp.dependencycheck.analyzer.AbstractSuppressionAnalyzer:285
DEBUG - copying hosted suppressions file /var/cache/dependency-check-data/publishedSuppressions.xml to /tmp/dc-basesuppressions1510884309446242133.xml
2023-03-22 12:55:16,587 org.owasp.dependencycheck.utils.WriteLock:240
DEBUG - Lock released (main) 761457e8bf1a1bd525f274e11f9bb34f @ 2023-03-22 12:55:16.587
2023-03-22 12:55:16,605 org.owasp.dependencycheck.analyzer.AbstractSuppressionAnalyzer:338
DEBUG - Loading suppression rules from '/data/jenkins/workspace/redacted/backend/dependency-check-suppressions.xml'
2023-03-22 12:55:16,617 org.owasp.dependencycheck.analyzer.AbstractSuppressionAnalyzer:160
DEBUG - 6 suppression rules were loaded.
2023-03-22 12:55:16,617 org.owasp.dependencycheck.Engine:758
DEBUG - Starting CPE Analyzer
2023-03-22 12:55:16,617 org.owasp.dependencycheck.Engine:806
DEBUG - Parallel processing with up to 16 threads: CPE Analyzer.
2023-03-22 12:55:16,618 org.owasp.dependencycheck.AnalysisTask:86
DEBUG - Begin Analysis of '/data/jenkins/workspace/redacted.csproj' (CPE Analyzer)
2023-03-22 12:55:16,625 org.owasp.dependencycheck.data.cpe.AbstractMemoryIndex:273
DEBUG - product:(redacted) AND vendor:(redacted)
2023-03-22 12:55:16,659 org.owasp.dependencycheck.data.cpe.AbstractMemoryIndex:273
DEBUG - product:(redacted) AND vendor:(redacted)
2023-03-22 12:55:16,664 org.owasp.dependencycheck.data.cpe.AbstractMemoryIndex:273
DEBUG - product:(redacted) AND vendor:(redacted)
2023-03-22 12:55:16,668 org.owasp.dependencycheck.Engine:673
INFO  - Finished CPE Analyzer (2 seconds)
2023-03-22 12:55:16,669 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing False Positive Analyzer
2023-03-22 12:55:16,669 org.owasp.dependencycheck.Engine:758
DEBUG - Starting False Positive Analyzer
2023-03-22 12:55:16,669 org.owasp.dependencycheck.Engine:806
DEBUG - Parallel processing with up to 16 threads: False Positive Analyzer.
2023-03-22 12:55:16,669 org.owasp.dependencycheck.AnalysisTask:86
DEBUG - Begin Analysis of '/data/jenkins/workspace/redacted.csproj' (False Positive Analyzer)
2023-03-22 12:55:16,674 org.owasp.dependencycheck.Engine:673
INFO  - Finished False Positive Analyzer (0 seconds)
2023-03-22 12:55:16,674 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing NVD CVE Analyzer
2023-03-22 12:55:16,674 org.owasp.dependencycheck.Engine:758
DEBUG - Starting NVD CVE Analyzer
2023-03-22 12:55:16,674 org.owasp.dependencycheck.Engine:806
DEBUG - Parallel processing with up to 16 threads: NVD CVE Analyzer.
2023-03-22 12:55:16,675 org.owasp.dependencycheck.AnalysisTask:86
DEBUG - Begin Analysis of '/data/jenkins/workspace/redacted.csproj' (NVD CVE Analyzer)
2023-03-22 12:55:16,676 org.owasp.dependencycheck.Engine:673
INFO  - Finished NVD CVE Analyzer (0 seconds)
2023-03-22 12:55:16,676 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing Node Audit Analyzer
2023-03-22 12:55:16,677 org.owasp.dependencycheck.Engine:675
DEBUG - Skipping Node Audit Analyzer (not enabled)
2023-03-22 12:55:16,677 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing Yarn Audit Analyzer
2023-03-22 12:55:16,677 org.owasp.dependencycheck.Engine:675
DEBUG - Skipping Yarn Audit Analyzer (not enabled)
2023-03-22 12:55:16,677 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing Pnpm Audit Analyzer
2023-03-22 12:55:16,677 org.owasp.dependencycheck.Engine:675
DEBUG - Skipping Pnpm Audit Analyzer (not enabled)
2023-03-22 12:55:16,677 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing RetireJS Analyzer
2023-03-22 12:55:16,677 org.owasp.dependencycheck.Engine:675
DEBUG - Skipping RetireJS Analyzer (not enabled)
2023-03-22 12:55:16,677 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing Sonatype OSS Index Analyzer
2023-03-22 12:55:16,677 org.owasp.dependencycheck.Engine:758
DEBUG - Starting Sonatype OSS Index Analyzer
2023-03-22 12:55:16,677 org.owasp.dependencycheck.Engine:806
DEBUG - Parallel processing with up to 16 threads: Sonatype OSS Index Analyzer.
2023-03-22 12:55:16,677 org.owasp.dependencycheck.AnalysisTask:86
DEBUG - Begin Analysis of '/data/jenkins/workspace/redacted.csproj' (Sonatype OSS Index Analyzer)
2023-03-22 12:55:16,677 org.owasp.dependencycheck.analyzer.OssIndexAnalyzer:207
DEBUG - Requesting component-reports for 1 dependencies
2023-03-22 12:55:16,679 org.owasp.dependencycheck.analyzer.OssIndexAnalyzer:222
WARN  - Unable to determine Package-URL identifiers for 1 dependencies
2023-03-22 12:55:16,679 org.owasp.dependencycheck.analyzer.OssIndexAnalyzer:237
DEBUG - Enrich dependency: Dependency{ fileName='redacted.csproj', actualFilePath='/data/jenkins/workspace/redacted.csproj', filePath='/data/jenkins/workspace/redacted.csproj', packagePath='/data/jenkins/workspace/redacted.csproj'}
2023-03-22 12:55:16,679 org.owasp.dependencycheck.Engine:673
INFO  - Finished Sonatype OSS Index Analyzer (0 seconds)
2023-03-22 12:55:16,680 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing Vulnerability Suppression Analyzer
2023-03-22 12:55:16,680 org.owasp.dependencycheck.Engine:758
DEBUG - Starting Vulnerability Suppression Analyzer
2023-03-22 12:55:16,680 org.owasp.dependencycheck.Engine:806
DEBUG - Parallel processing with up to 16 threads: Vulnerability Suppression Analyzer.
2023-03-22 12:55:16,680 org.owasp.dependencycheck.AnalysisTask:86
DEBUG - Begin Analysis of '/data/jenkins/workspace/redacted.csproj' (Vulnerability Suppression Analyzer)
2023-03-22 12:55:16,681 org.owasp.dependencycheck.Engine:673
INFO  - Finished Vulnerability Suppression Analyzer (0 seconds)
2023-03-22 12:55:16,681 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing Known Exploited Vulnerability Analyzer
2023-03-22 12:55:16,694 org.owasp.dependencycheck.Engine:758
DEBUG - Starting Known Exploited Vulnerability Analyzer
2023-03-22 12:55:16,694 org.owasp.dependencycheck.Engine:806
DEBUG - Parallel processing with up to 16 threads: Known Exploited Vulnerability Analyzer.
2023-03-22 12:55:16,694 org.owasp.dependencycheck.AnalysisTask:86
DEBUG - Begin Analysis of '/data/jenkins/workspace/redacted.csproj' (Known Exploited Vulnerability Analyzer)
2023-03-22 12:55:16,695 org.owasp.dependencycheck.Engine:673
INFO  - Finished Known Exploited Vulnerability Analyzer (0 seconds)
2023-03-22 12:55:16,695 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing Dependency Bundling Analyzer
2023-03-22 12:55:16,695 org.owasp.dependencycheck.Engine:758
DEBUG - Starting Dependency Bundling Analyzer
2023-03-22 12:55:16,695 org.owasp.dependencycheck.Engine:809
DEBUG - Parallel processing is not supported: Dependency Bundling Analyzer.
2023-03-22 12:55:16,695 org.owasp.dependencycheck.AnalysisTask:86
DEBUG - Begin Analysis of '/data/jenkins/workspace/redacted.csproj' (Dependency Bundling Analyzer)
2023-03-22 12:55:16,696 org.owasp.dependencycheck.Engine:673
INFO  - Finished Dependency Bundling Analyzer (0 seconds)
2023-03-22 12:55:16,696 org.owasp.dependencycheck.Engine:823
DEBUG - Initializing Unused Suppression Rule Analyzer
2023-03-22 12:55:16,696 org.owasp.dependencycheck.Engine:758
DEBUG - Starting Unused Suppression Rule Analyzer
2023-03-22 12:55:16,696 org.owasp.dependencycheck.Engine:809
DEBUG - Parallel processing is not supported: Unused Suppression Rule Analyzer.
2023-03-22 12:55:16,697 org.owasp.dependencycheck.AnalysisTask:86
DEBUG - Begin Analysis of '/data/jenkins/workspace/redacted.csproj' (Unused Suppression Rule Analyzer)
2023-03-22 12:55:16,698 org.owasp.dependencycheck.analyzer.UnusedSuppressionRuleAnalyzer:66
INFO  - Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:nuget/Microsoft\.AspNetCore\.Mvc\.Core@.*$, regex=true, caseSensitive=false},vulnerabilityName={PropertyType{value=Denial of Service (DOS), regex=false, caseSensitive=false},}}
2023-03-22 12:55:16,698 org.owasp.dependencycheck.analyzer.UnusedSuppressionRuleAnalyzer:66
INFO  - Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:nuget/Microsoft\.NETCore\.App@.*$, regex=true, caseSensitive=false},vulnerabilityName={PropertyType{value=CVE-2020-1108, regex=false, caseSensitive=false},}}
2023-03-22 12:55:16,699 org.owasp.dependencycheck.analyzer.UnusedSuppressionRuleAnalyzer:66
INFO  - Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:nuget/Microsoft\.NETCore\.App@.*$, regex=true, caseSensitive=false},vulnerabilityName={PropertyType{value=CVE-2021-1723, regex=false, caseSensitive=false},}}
2023-03-22 12:55:16,699 org.owasp.dependencycheck.analyzer.UnusedSuppressionRuleAnalyzer:66
INFO  - Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:nuget/Microsoft\.NETCore\.App@.*$, regex=true, caseSensitive=false},vulnerabilityName={PropertyType{value=CVE-2021-24112, regex=false, caseSensitive=false},}}
2023-03-22 12:55:16,699 org.owasp.dependencycheck.analyzer.UnusedSuppressionRuleAnalyzer:66
INFO  - Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:nuget/Microsoft\.NETCore\.App@.*$, regex=true, caseSensitive=false},vulnerabilityName={PropertyType{value=CVE-2021-31957, regex=false, caseSensitive=false},}}
2023-03-22 12:55:16,699 org.owasp.dependencycheck.analyzer.UnusedSuppressionRuleAnalyzer:66
INFO  - Suppression Rule had zero matches: SuppressionRule{packageUrl=PropertyType{value=^pkg:nuget/Microsoft\.NETCore\.App@.*$, regex=true, caseSensitive=false},vulnerabilityName={PropertyType{value=CVE-2021-43877, regex=false, caseSensitive=false},}}
2023-03-22 12:55:16,699 org.owasp.dependencycheck.Engine:673
INFO  - Finished Unused Suppression Rule Analyzer (0 seconds)
2023-03-22 12:55:16,700 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'Archive Analyzer'
2023-03-22 12:55:16,701 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'Ruby Bundle Audit Analyzer'
2023-03-22 12:55:16,701 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'File Name Analyzer'
2023-03-22 12:55:16,701 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'Jar Analyzer'
2023-03-22 12:55:16,701 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'Central Analyzer'
2023-03-22 12:55:16,701 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'Nexus Analyzer'
2023-03-22 12:55:16,701 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'Artifactory Analyzer'
2023-03-22 12:55:16,701 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'Nuspec Analyzer'
2023-03-22 12:55:16,701 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'Nugetconf Analyzer'
2023-03-22 12:55:16,701 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'MSBuild Project Analyzer'
2023-03-22 12:55:16,701 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'Assembly Analyzer'
2023-03-22 12:55:16,701 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'OpenSSL Source Analyzer'
2023-03-22 12:55:16,701 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'Node.js Package Analyzer'
2023-03-22 12:55:16,701 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'Dependency Merging Analyzer'
2023-03-22 12:55:16,701 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'Version Filter Analyzer'
2023-03-22 12:55:16,702 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'Hint Analyzer'
2023-03-22 12:55:16,702 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'CPE Analyzer'
2023-03-22 12:55:16,705 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'False Positive Analyzer'
2023-03-22 12:55:16,705 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'NVD CVE Analyzer'
2023-03-22 12:55:16,706 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'Node Audit Analyzer'
2023-03-22 12:55:16,706 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'Yarn Audit Analyzer'
2023-03-22 12:55:16,706 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'Pnpm Audit Analyzer'
2023-03-22 12:55:16,706 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'RetireJS Analyzer'
2023-03-22 12:55:16,706 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'Sonatype OSS Index Analyzer'
2023-03-22 12:55:16,706 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'Vulnerability Suppression Analyzer'
2023-03-22 12:55:16,706 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'Known Exploited Vulnerability Analyzer'
2023-03-22 12:55:16,706 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'Dependency Bundling Analyzer'
2023-03-22 12:55:16,706 org.owasp.dependencycheck.Engine:854
DEBUG - Closing Analyzer 'Unused Suppression Rule Analyzer'
2023-03-22 12:55:16,706 org.owasp.dependencycheck.Engine:683
DEBUG - 
----------------------------------------------------
END ANALYSIS
----------------------------------------------------
2023-03-22 12:55:16,706 org.owasp.dependencycheck.Engine:685
INFO  - Analysis Complete (2 seconds)
2023-03-22 12:55:16,720 org.apache.velocity.runtime.RuntimeInstance:272
DEBUG - Initializing Velocity, Calling init()...
2023-03-22 12:55:16,720 org.apache.velocity.runtime.RuntimeInstance:276
DEBUG - Starting Apache Velocity v2.3
2023-03-22 12:55:16,723 org.apache.velocity.runtime.RuntimeInstance:522
DEBUG - Default Properties resource: org/apache/velocity/runtime/defaults/velocity.properties
2023-03-22 12:55:16,726 org.apache.velocity.runtime.resource.loader.ResourceLoaderFactory:48
DEBUG - ResourceLoader instantiated: org.apache.velocity.runtime.resource.loader.FileResourceLoader
2023-03-22 12:55:16,727 org.apache.velocity.runtime.resource.loader.FileResourceLoader:84
DEBUG - FileResourceLoader: adding path '.'
2023-03-22 12:55:16,727 org.apache.velocity.runtime.resource.ResourceCacheImpl:119
DEBUG - initialized (class org.apache.velocity.runtime.resource.ResourceCacheImpl) with class java.util.Collections$SynchronizedMap cache map.
2023-03-22 12:55:16,728 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Stop
2023-03-22 12:55:16,729 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Define
2023-03-22 12:55:16,729 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Break
2023-03-22 12:55:16,730 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Evaluate
2023-03-22 12:55:16,730 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Macro
2023-03-22 12:55:16,731 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Parse
2023-03-22 12:55:16,732 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Include
2023-03-22 12:55:16,732 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Foreach
2023-03-22 12:55:16,748 org.apache.velocity.runtime.ParserPoolImpl:57
DEBUG - Created '20' parsers.
2023-03-22 12:55:16,763 org.apache.velocity.runtime.VelocimacroFactory:152
DEBUG - "velocimacro.library.path" is not set. Trying default library: velocimacros.vtl
2023-03-22 12:55:16,764 org.apache.velocity.runtime.VelocimacroFactory:162
DEBUG - Default library velocimacros.vtl not found. Trying old default library: VM_global_library.vm
2023-03-22 12:55:16,764 org.apache.velocity.runtime.VelocimacroFactory:169
DEBUG - Old default library VM_global_library.vm not found.
2023-03-22 12:55:16,764 org.apache.velocity.runtime.VelocimacroFactory:253
DEBUG - allowInline = true: VMs can be defined inline in templates
2023-03-22 12:55:16,764 org.apache.velocity.runtime.VelocimacroFactory:274
DEBUG - allowInlineToOverride = false: VMs defined inline may NOT replace previous VM definitions
2023-03-22 12:55:16,765 org.apache.velocity.runtime.VelocimacroFactory:297
DEBUG - allowInlineLocal = false: VMs defined inline will be global in scope if allowed.
2023-03-22 12:55:16,765 org.apache.velocity.runtime.VelocimacroFactory:315
DEBUG - autoload off: VM system will not automatically reload global library macros
2023-03-22 12:55:16,772 org.owasp.dependencycheck.reporting.ReportGenerator:413
INFO  - Writing report to: /data/jenkins/workspace/redacted/depcheck/dependency-check-junit.xml
2023-03-22 12:55:16,827 org.apache.velocity.runtime.RuntimeInstance:272
DEBUG - Initializing Velocity, Calling init()...
2023-03-22 12:55:16,827 org.apache.velocity.runtime.RuntimeInstance:276
DEBUG - Starting Apache Velocity v2.3
2023-03-22 12:55:16,828 org.apache.velocity.runtime.RuntimeInstance:522
DEBUG - Default Properties resource: org/apache/velocity/runtime/defaults/velocity.properties
2023-03-22 12:55:16,828 org.apache.velocity.runtime.resource.loader.ResourceLoaderFactory:48
DEBUG - ResourceLoader instantiated: org.apache.velocity.runtime.resource.loader.FileResourceLoader
2023-03-22 12:55:16,828 org.apache.velocity.runtime.resource.loader.FileResourceLoader:84
DEBUG - FileResourceLoader: adding path '.'
2023-03-22 12:55:16,828 org.apache.velocity.runtime.resource.ResourceCacheImpl:119
DEBUG - initialized (class org.apache.velocity.runtime.resource.ResourceCacheImpl) with class java.util.Collections$SynchronizedMap cache map.
2023-03-22 12:55:16,829 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Stop
2023-03-22 12:55:16,829 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Define
2023-03-22 12:55:16,829 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Break
2023-03-22 12:55:16,829 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Evaluate
2023-03-22 12:55:16,829 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Macro
2023-03-22 12:55:16,829 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Parse
2023-03-22 12:55:16,829 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Include
2023-03-22 12:55:16,829 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Foreach
2023-03-22 12:55:16,830 org.apache.velocity.runtime.ParserPoolImpl:57
DEBUG - Created '20' parsers.
2023-03-22 12:55:16,830 org.apache.velocity.runtime.VelocimacroFactory:152
DEBUG - "velocimacro.library.path" is not set. Trying default library: velocimacros.vtl
2023-03-22 12:55:16,830 org.apache.velocity.runtime.VelocimacroFactory:162
DEBUG - Default library velocimacros.vtl not found. Trying old default library: VM_global_library.vm
2023-03-22 12:55:16,830 org.apache.velocity.runtime.VelocimacroFactory:169
DEBUG - Old default library VM_global_library.vm not found.
2023-03-22 12:55:16,830 org.apache.velocity.runtime.VelocimacroFactory:253
DEBUG - allowInline = true: VMs can be defined inline in templates
2023-03-22 12:55:16,831 org.apache.velocity.runtime.VelocimacroFactory:274
DEBUG - allowInlineToOverride = false: VMs defined inline may NOT replace previous VM definitions
2023-03-22 12:55:16,831 org.apache.velocity.runtime.VelocimacroFactory:297
DEBUG - allowInlineLocal = false: VMs defined inline will be global in scope if allowed.
2023-03-22 12:55:16,831 org.apache.velocity.runtime.VelocimacroFactory:315
DEBUG - autoload off: VM system will not automatically reload global library macros
2023-03-22 12:55:16,831 org.owasp.dependencycheck.reporting.ReportGenerator:413
INFO  - Writing report to: /data/jenkins/workspace/redacted/depcheck/dependency-check-report.html
2023-03-22 12:55:16,910 org.apache.velocity.runtime.VelocimacroFactory:385
DEBUG - added VM writeHtmlException: source=org.apache.velocity.Template@440eaa07
2023-03-22 12:55:16,934 org.apache.velocity.runtime.parser.node.ASTReference:608
DEBUG - Null reference [template 'templates/htmlReport.vsl', line 695, column 84]: $enc.html($ex.getMessage()) cannot be resolved.
2023-03-22 12:55:16,940 org.apache.velocity.runtime.RuntimeInstance:272
DEBUG - Initializing Velocity, Calling init()...
2023-03-22 12:55:16,941 org.apache.velocity.runtime.RuntimeInstance:276
DEBUG - Starting Apache Velocity v2.3
2023-03-22 12:55:16,942 org.apache.velocity.runtime.RuntimeInstance:522
DEBUG - Default Properties resource: org/apache/velocity/runtime/defaults/velocity.properties
2023-03-22 12:55:16,942 org.apache.velocity.runtime.resource.loader.ResourceLoaderFactory:48
DEBUG - ResourceLoader instantiated: org.apache.velocity.runtime.resource.loader.FileResourceLoader
2023-03-22 12:55:16,942 org.apache.velocity.runtime.resource.loader.FileResourceLoader:84
DEBUG - FileResourceLoader: adding path '.'
2023-03-22 12:55:16,942 org.apache.velocity.runtime.resource.ResourceCacheImpl:119
DEBUG - initialized (class org.apache.velocity.runtime.resource.ResourceCacheImpl) with class java.util.Collections$SynchronizedMap cache map.
2023-03-22 12:55:16,943 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Stop
2023-03-22 12:55:16,943 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Define
2023-03-22 12:55:16,943 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Break
2023-03-22 12:55:16,943 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Evaluate
2023-03-22 12:55:16,943 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Macro
2023-03-22 12:55:16,943 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Parse
2023-03-22 12:55:16,943 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Include
2023-03-22 12:55:16,943 org.apache.velocity.runtime.RuntimeInstance:1081
DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Foreach
2023-03-22 12:55:16,945 org.apache.velocity.runtime.ParserPoolImpl:57
DEBUG - Created '20' parsers.
2023-03-22 12:55:16,945 org.apache.velocity.runtime.VelocimacroFactory:152
DEBUG - "velocimacro.library.path" is not set. Trying default library: velocimacros.vtl
2023-03-22 12:55:16,945 org.apache.velocity.runtime.VelocimacroFactory:162
DEBUG - Default library velocimacros.vtl not found. Trying old default library: VM_global_library.vm
2023-03-22 12:55:16,945 org.apache.velocity.runtime.VelocimacroFactory:169
DEBUG - Old default library VM_global_library.vm not found.
2023-03-22 12:55:16,945 org.apache.velocity.runtime.VelocimacroFactory:253
DEBUG - allowInline = true: VMs can be defined inline in templates
2023-03-22 12:55:16,945 org.apache.velocity.runtime.VelocimacroFactory:274
DEBUG - allowInlineToOverride = false: VMs defined inline may NOT replace previous VM definitions
2023-03-22 12:55:16,945 org.apache.velocity.runtime.VelocimacroFactory:297
DEBUG - allowInlineLocal = false: VMs defined inline will be global in scope if allowed.
2023-03-22 12:55:16,945 org.apache.velocity.runtime.VelocimacroFactory:315
DEBUG - autoload off: VM system will not automatically reload global library macros
2023-03-22 12:55:16,946 org.owasp.dependencycheck.reporting.ReportGenerator:413
INFO  - Writing report to: /data/jenkins/workspace/redacted/depcheck/dependency-check-report.xml
2023-03-22 12:55:16,961 org.apache.velocity.runtime.VelocimacroFactory:385
DEBUG - added VM writeXmlException: source=org.apache.velocity.Template@4e93dcb9
2023-03-22 12:55:16,977 org.owasp.dependencycheck.data.nvdcve.CveDB:311
DEBUG - Closing database
2023-03-22 12:55:16,977 org.owasp.dependencycheck.data.nvdcve.CveDB:313
DEBUG - Cache cleared
2023-03-22 12:55:16,978 org.owasp.dependencycheck.data.nvdcve.CveDB:316
DEBUG - Connection closed
2023-03-22 12:55:16,979 org.owasp.dependencycheck.data.nvdcve.CveDB:322
DEBUG - Resources released
2023-03-22 12:55:16,979 org.owasp.dependencycheck.data.nvdcve.DriverLoader:57
DEBUG - Begin deregister driver
2023-03-22 12:55:16,979 org.owasp.dependencycheck.data.nvdcve.DriverLoader:59
DEBUG - End deregister driver
2023-03-22 12:55:17,291 org.owasp.dependencycheck.App:213
ERROR - java.lang.NullPointerException
2023-03-22 12:55:17,291 org.owasp.dependencycheck.App:214
DEBUG - unexpected error
org.owasp.dependencycheck.analyzer.exception.AnalysisException: java.lang.NullPointerException
    at org.owasp.dependencycheck.analyzer.MSBuildProjectAnalyzer.analyzeDependency(MSBuildProjectAnalyzer.java:210)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.lang.NullPointerException: null
    at org.owasp.dependencycheck.analyzer.MSBuildProjectAnalyzer.loadDirectoryBuildProps(MSBuildProjectAnalyzer.java:231)
    at org.owasp.dependencycheck.analyzer.MSBuildProjectAnalyzer.analyzeDependency(MSBuildProjectAnalyzer.java:143)
    ... 7 common frames omitted
2023-03-22 12:55:17,291 org.owasp.dependencycheck.utils.Settings:891
DEBUG - Deleting ALL temporary files from `/tmp/dctemp3d9ca052-c72f-47d5-b2a1-8933fa109807`
2023-03-22 12:55:17,319 org.owasp.dependencycheck.App:87
DEBUG - Exit code: 14

Wes-Love commented 1 year ago

I am seeing the same error since 8.2.0. This build was fine before 8.2.0.

Dependency-Check Core version 8.2.0

Searching for left over lock files...
found no left over lock files, continuing...
. . .
[WARN] An error occurred while analyzing 'D:\a\1\s\xxxxxxhts\Gxxxxxxights\Gxxxxxxxxhts.csproj' (MSBuild Project Analyzer).
. . .
[INFO] Analysis Complete (24 seconds)
[INFO] Writing report to: D:\a\1\TestResults\dependency-check\dependency-check-report.html
[INFO] Writing report to: D:\a\1\TestResults\dependency-check\dependency-check-junit.xml
[ERROR] java.lang.NullPointerException

Dependency Check completed with exit code 14.
Dependency Check reports: [ 'D:\a\1\TestResults\dependency-check\dependency-check-junit.xml', 'D:\a\1\TestResults\dependency-check\dependency-check-report.html' ]
Dependency Check failed with message "Dependency Check exited with an error code (exit code: 14)."

[error]Dependency Check exited with an error code (exit code: 14).

Ending Dependency Check...

Wes-Love commented 1 year ago

Many thanks, this is now working.