microsoft / security-devops-azdevops

Microsoft Security DevOps extension for Azure DevOps.
MIT License

NullReferenceException: Object reference not set to an instance of an object. #109

Closed Cadacious closed 2 months ago

Cadacious commented 3 months ago

When using the latest version of the Microsoft Security DevOps pipeline task with the 0.203.0 and 0.203.1 versions of the Microsoft.Security.DevOps.Cli NuGet package we are seeing the pipeline failure below across all pipelines.

The 0.202.0 version of the NuGet package worked fine in our pipelines.

Both new versions of the Microsoft.Security.DevOps.Cli NuGet package were published in the last two hours.

This is a complete show-stopper for our pipelines as we run this task in every pipeline run.

starting: Microsoft Security DevOps Scan
==============================================================================
Task         : Microsoft Security DevOps
Description  : Run the Microsoft Security DevOps CLI for static analysis.
Version      : 1.12.1
Author       : Microsoft Corporation
Help         : Runs the [Microsoft Security DevOps CLI](https://aka.ms/msdo-nuget) for security analysis. Effective September 20th 2023, the Secret Scanning option (CredScan) within Microsoft Security DevOps (MSDO) Extension for Azure DevOps is deprecated. MSDO Secret Scanning is replaced by the [Configure GitHub Advanced Security for Azure DevOps features](https://learn.microsoft.com/en-us/azure/devops/repos/security/configure-github-advanced-security-features#set-up-secret-scanning) offering.
==============================================================================
------------------------------------------------------------------------------
Installing Microsoft Security DevOps Cli version: Latest
Microsoft.Security.Devops.Cli.win-x64 version 0.203.1 already installed
------------------------------------------------------------------------------
C:\Windows\system32\cmd.exe /D /S /C "C:\a\_msdo\versions\Microsoft.Security.Devops.Cli.win-x64.0.203.1\tools\guardian.cmd init --force"
Init:
  Creating guardian repo at: C:\a\4\s
  Created a settings file at: C:\a\4\s\.gdn\.gdnsettings
  Added C:\a\4\s\.gdn\.gitignore file to ignore internal files. Please commit this file.
  Guardian repository created at: C:\a\4\s\.gdn
  Please commit everything in the .gdn folder to source control. You can now use "guardian run" to run tools.
C:\Windows\system32\cmd.exe /D /S /C "C:\a\_msdo\versions\Microsoft.Security.Devops.Cli.win-x64.0.203.1\tools\guardian.cmd run -p azuredevops --categories iac secrets --tool credscan templateanalyzer --rich-exit-code --logger-pipeline --export-file C:\a\4\a\.gdn\msdo.sarif --telemetry-environment azdevops"
Run:
  Installing Microsoft.Security.DevOps.Policy.Names
  ------------------------------------------------------------------------------
      GET https://pkgs.dev.azure.com/secdevtools/fbe8430b-c7d4-4187-8c71-a0083ead3d4b/_packaging/a2fd5474-7706-4971-8654-fd0403cf8e6a/nuget/v3/registrations2-semver2/microsoft.security.devops.policy.names/index.json
      OK https://pkgs.dev.azure.com/secdevtools/fbe8430b-c7d4-4187-8c71-a0083ead3d4b/_packaging/a2fd5474-7706-4971-8654-fd0403cf8e6a/nuget/v3/registrations2-semver2/microsoft.security.devops.policy.names/index.json 226ms
    Attempting to gather dependency information for package 'Microsoft.Security.DevOps.Policy.Names.2.0.0' with respect to project 'C:\a\_msdo\packages\nuget', targeting 'Any,Version=v0.0'
    Gathering dependency information took 16 ms
    Attempting to resolve dependencies for package 'Microsoft.Security.DevOps.Policy.Names.2.0.0' with DependencyBehavior 'Lowest'
    Resolving dependency information took 0 ms
    Resolving actions to install package 'Microsoft.Security.DevOps.Policy.Names.2.0.0'
    Resolved actions to install package 'Microsoft.Security.DevOps.Policy.Names.2.0.0'
    Found package 'Microsoft.Security.DevOps.Policy.Names 2.0.0' in 'C:\a\_msdo\packages\nuget'.
    Package 'Microsoft.Security.DevOps.Policy.Names.2.0.0' already exists in folder 'C:\a\_msdo\packages\nuget'
    Successfully installed 'Microsoft.Security.DevOps.Policy.Names 2.0.0' to C:\a\_msdo\packages\nuget
    Executing nuget actions took 19 ms
  ------------------------------------------------------------------------------
  Installing Microsoft.Security.DevOps.Policy.AzureDevOps
  ------------------------------------------------------------------------------
      GET https://pkgs.dev.azure.com/secdevtools/fbe8430b-c7d4-4187-8c71-a0083ead3d4b/_packaging/a2fd5474-7706-4971-8654-fd0403cf8e6a/nuget/v3/registrations2-semver2/microsoft.security.devops.policy.azuredevops/index.json
      OK https://pkgs.dev.azure.com/secdevtools/fbe8430b-c7d4-4187-8c71-a0083ead3d4b/_packaging/a2fd5474-7706-4971-8654-fd0403cf8e6a/nuget/v3/registrations2-semver2/microsoft.security.devops.policy.azuredevops/index.json 159ms
    Attempting to gather dependency information for package 'Microsoft.Security.DevOps.Policy.AzureDevOps.2.0.1' with respect to project 'C:\a\_msdo\packages\nuget', targeting 'Any,Version=v0.0'
    Gathering dependency information took 0.5 ms
    Attempting to resolve dependencies for package 'Microsoft.Security.DevOps.Policy.AzureDevOps.2.0.1' with DependencyBehavior 'Lowest'
    Resolving dependency information took 0 ms
    Resolving actions to install package 'Microsoft.Security.DevOps.Policy.AzureDevOps.2.0.1'
    Resolved actions to install package 'Microsoft.Security.DevOps.Policy.AzureDevOps.2.0.1'
    Found package 'Microsoft.Security.DevOps.Policy.AzureDevOps 2.0.1' in 'C:\a\_msdo\packages\nuget'.
    Package 'Microsoft.Security.DevOps.Policy.AzureDevOps.2.0.1' already exists in folder 'C:\a\_msdo\packages\nuget'
    Successfully installed 'Microsoft.Security.DevOps.Policy.AzureDevOps 2.0.1' to C:\a\_msdo\packages\nuget
    Executing nuget actions took 2 ms
  ------------------------------------------------------------------------------
##[error]NullReferenceException: Object reference not set to an instance of an object.
##[error]MSDO CLI exited with an error exit code: 1
Finishing: Microsoft Security DevOps Scan

Cadacious commented 3 months ago

It looks like the version downloaded can be controlled by the MSDO_VERSION environment variable.

We have added a pipeline variable with that name to our centralized YAML template that invokes this task to pin to the latest working version as a temporary workaround.

Please advise when a fixed version of this NuGet package is released so we can remove this hotfix from our pipelines.

esbenbach commented 2 months ago

We are having the same issue. The environment variable workaround also works for us using classic pipelines (non-YAML).

benjaminpieplow commented 2 months ago

For anyone looking for a quick fix, add the following to your DfC Scan Task:

- task: MicrosoftSecurityDevOps@1
  env:
    MSDO_VERSION: '0.202.0'

The bug seems to be in 0.203.0 and 0.203.1.

Don't forget to check back in a week to see if it's working again on the latest, or you'll get to debug this again once 202 reaches EOL 😉

boAndron commented 2 months ago

This was an issue with a config template in Friday's release. It should be fixed with 0.204.0 (released today). Please let us know if you are still experiencing this issue with 0.204.0 or later versions. Apologies for any inconvenience.
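As an added example, not code from the extension or from anyone in this thread: a small Python triage helper that reads a task log like the one posted above, pulls out the installed CLI version, checks whether the failure is the 0.203.x NullReferenceException reported here, and flags when an MSDO_VERSION pin has become stale against the 0.204.0 fix. The log excerpt inside it is constructed from the lines in this issue; the version sets are the ones named in the thread.

```python
import re
from typing import Optional, Tuple

# Versions named in the thread above: 0.203.0 and 0.203.1 fail with the
# NullReferenceException, 0.202.0 was the interim pin, 0.204.0 carries the fix.
KNOWN_BAD = {(0, 203, 0), (0, 203, 1)}
INTERIM_PIN = "0.202.0"
FIXED_IN = "0.204.0"

INSTALLED_RE = re.compile(
    r"Microsoft\.Security\.Devops\.Cli\.\S+ version (\d+\.\d+\.\d+) already installed"
)
ERROR_MARKERS = (
    "##[error]NullReferenceException",
    "##[error]MSDO CLI exited with an error exit code",
)


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


def installed_cli_version(log: str) -> Optional[str]:
    """CLI version the task reports as installed, or None if the line is missing."""
    match = INSTALLED_RE.search(log)
    return match.group(1) if match else None


def triage(log: str) -> dict:
    """Did the MSDO task fail, on which CLI, and is it the 0.203.x bug from this thread?"""
    version = installed_cli_version(log)
    failed = any(marker in log for marker in ERROR_MARKERS)
    known_bad = version is not None and parse_version(version) in KNOWN_BAD
    # Only recommend a pin when the failure matches the version range reported here;
    # a failure on any other version is a different problem and needs its own look.
    pin_to = FIXED_IN if (failed and known_bad) else None
    return {"version": version, "failed": failed, "known_bad": known_bad, "pin_to": pin_to}


def pin_is_stale(pinned: str) -> bool:
    """True when MSDO_VERSION is still pinned below the release that fixed the bug."""
    return parse_version(pinned) < parse_version(FIXED_IN)


# Constructed log excerpt mirroring the failure posted in this issue.
SAMPLE_LOG = """\
Microsoft.Security.Devops.Cli.win-x64 version 0.203.1 already installed
##[error]NullReferenceException: Object reference not set to an instance of an object.
##[error]MSDO CLI exited with an error exit code: 1
"""
```

Running `triage(SAMPLE_LOG)` returns the known-bad verdict with `pin_to` set to 0.204.0, and `pin_is_stale("0.202.0")` is the reminder benjaminpieplow asked for: once the fix shipped, the interim pin should come out of the template.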