sonatype / ossindex-public

Sonatype OSS Index - Public
Apache License 2.0

Client as used by dependency-check-maven fails with NullPointerException #35

Closed jwwallin closed 2 years ago

jwwallin commented 2 years ago

There are many reports of suddenly failing builds using the org.owasp:dependency-check-maven plugin. That plugin uses this library to make requests to OSS Index.

Most reports seem to go along the lines of:

[DEBUG] Connecting to: https://ossindex.sonatype.org/api/v3/component-report
[DEBUG] Error requesting component reports
java.lang.NullPointerException
    at org.sonatype.ossindex.service.client.cache.DirectoryCache.entryKey (DirectoryCache.java:149)
    at org.sonatype.ossindex.service.client.cache.DirectoryCache.entryFile (DirectoryCache.java:157)
    at org.sonatype.ossindex.service.client.cache.DirectoryCache.putAll (DirectoryCache.java:134)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.requestComponentReports (OssindexClientImpl.java:171)

https://github.com/jeremylong/DependencyCheck/issues/4538

boolivar commented 2 years ago

Seems like response changed and does not contain coordinates for ComponentReport deserialization:

[
    {
        "description":"",
        "reference":"https://ossindex.sonatype.org/component/pkg:maven/commons-lang/commons-lang@2.1?utm_source=dependency-check&utm_medium=integration&utm_content=7.1.0",
        "vulnerabilities":[
        ],
        "sonatypeOssiScore":0.0
    }
]
jwwallin commented 2 years ago

> Seems like response changed and does not contain coordinates for ComponentReport deserialization:
>
> [
>     {
>         "description":"",
>         "reference":"https://ossindex.sonatype.org/component/pkg:maven/commons-lang/commons-lang@2.1?utm_source=dependency-check&utm_medium=integration&utm_content=7.1.0",
>         "vulnerabilities":[
>         ],
>         "sonatypeOssiScore":0.0
>     }
> ]

I tested that specific component and I did get a response with coordinates:

[
    {
        "coordinates": "pkg:maven/commons-lang/commons-lang@2.1",
        "description": "",
        "reference": "https://ossindex.sonatype.org/component/pkg:maven/commons-lang/commons-lang@2.1?utm_source=insomnia&utm_medium=integration&utm_content=2022.3.0",
        "vulnerabilities": [],
        "sonatypeOssiScore": 0.0
    }
]
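As an added example (not code from this repository or from dependency-check), here is a Python parser for the component-report body shaped like the two responses quoted above: it refuses to key anything on a missing "coordinates" field, which is what the Java client's DirectoryCache.entryKey trips over, and it treats a requested coordinate that got no report as an incomplete scan rather than a clean one. The sample bodies are constructed from the quoted responses.

```python
import json

# Constructed sample bodies, modelled on the two responses quoted in this thread.
REQUESTED = ["pkg:maven/commons-lang/commons-lang@2.1"]
REFERENCE = "https://ossindex.sonatype.org/component/pkg:maven/commons-lang/commons-lang@2.1"
RESPONSE_WITHOUT_COORDINATES = json.dumps([
    {"description": "", "reference": REFERENCE, "vulnerabilities": [], "sonatypeOssiScore": 0.0},
])
RESPONSE_WITH_COORDINATES = json.dumps([
    {"coordinates": REQUESTED[0], "description": "", "reference": REFERENCE,
     "vulnerabilities": [], "sonatypeOssiScore": 0.0},
])


class IncompleteReportError(Exception):
    """The response could not be mapped back to every requested coordinate."""


def parse_component_reports(body, requested):
    """Return {coordinates: report} covering every requested package, or raise.

    A report whose "coordinates" is absent or not a non-empty string is never
    used as a key (the Java client's DirectoryCache.entryKey NPEs on exactly
    that), and a requested coordinate left without a report makes the scan
    incomplete: an unanswered request must not read as "no vulnerabilities".
    """
    reports = json.loads(body)
    if not isinstance(reports, list):
        raise IncompleteReportError("expected a JSON array of component reports")
    by_coordinates, without_coordinates = {}, []
    for report in reports:
        if not isinstance(report, dict):
            raise IncompleteReportError(f"unexpected report entry: {report!r}")
        coords = report.get("coordinates")
        if not isinstance(coords, str) or not coords:
            without_coordinates.append(report.get("reference"))
            continue
        by_coordinates[coords] = report
    missing = [c for c in requested if c not in by_coordinates]
    if without_coordinates or missing:
        raise IncompleteReportError(
            f"{len(without_coordinates)} report(s) without coordinates "
            f"(references: {without_coordinates}); no report for {missing}")
    return by_coordinates


def vulnerable_coordinates(reports):
    """Coordinates whose report lists at least one vulnerability."""
    return sorted(c for c, r in reports.items() if r.get("vulnerabilities"))
```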
boolivar commented 2 years ago

Looks like now it depends on whether you provide credentials or not: https://github.com/jeremylong/DependencyCheck/issues/4535#issuecomment-1137136998

jwwallin commented 2 years ago

I didn't provide any credentials.

Here's a cURL export of my request:

curl --request POST \
  --url https://ossindex.sonatype.org/api/v3/component-report \
  --header 'Accept: application/vnd.ossindex.component-report.v1+json' \
  --header 'Content-Type: application/vnd.ossindex.component-report-request.v1+json' \
  --data '{
    "coordinates": [
        "pkg:maven/commons-lang/commons-lang@2.1"
    ]
}'
boolivar commented 2 years ago

It's fixed now: https://github.com/jeremylong/DependencyCheck/issues/4535#issuecomment-1137233391

jwwallin commented 2 years ago

This problem no longer manifests.

ken-duck commented 2 years ago

Thanks for letting us know. We have been chasing down a variety of edge cases causing problems, so I am glad one of them resolved your issue. Sorry for the inconvenience.