DependencyCheck: ExecutionException/NullPointer on Update

It looks like some bad updates came in. Tested with Corretto8 and Corretto11 from a fresh cli download on 6.1.5. 6.1.4 tested as well.

To reproduce, download the latest version and try running updates:

sh dependency-check/bin/dependency-check.sh --updateonly
[INFO] Checking for updates
[INFO] NVD CVE requires several updates; this could take a couple of minutes.
[INFO] Download Started for NVD CVE - 2002
[INFO] Download Started for NVD CVE - 2003
[INFO] Download Complete for NVD CVE - 2003  (1503 ms)
[INFO] Download Started for NVD CVE - 2004
[INFO] Processing Started for NVD CVE - 2003
[INFO] Download Complete for NVD CVE - 2002  (2448 ms)
[INFO] Download Started for NVD CVE - 2005
[INFO] Processing Started for NVD CVE - 2002
[INFO] Download Complete for NVD CVE - 2004  (2580 ms)
[INFO] Download Started for NVD CVE - 2006
[INFO] Processing Started for NVD CVE - 2004
[INFO] Download Complete for NVD CVE - 2005  (2991 ms)
[INFO] Download Started for NVD CVE - 2007
[INFO] Processing Started for NVD CVE - 2005
[INFO] Download Complete for NVD CVE - 2006  (2304 ms)
[INFO] Download Started for NVD CVE - 2008
[INFO] Processing Started for NVD CVE - 2006
[INFO] Download Complete for NVD CVE - 2007  (2433 ms)
[INFO] Download Started for NVD CVE - 2009
[INFO] Processing Started for NVD CVE - 2007
[INFO] Download Complete for NVD CVE - 2008  (2828 ms)
[INFO] Download Started for NVD CVE - 2010
[INFO] Processing Started for NVD CVE - 2008
[INFO] Download Complete for NVD CVE - 2009  (2066 ms)
[INFO] Processing Started for NVD CVE - 2009
[INFO] Download Started for NVD CVE - 2011
[INFO] Download Complete for NVD CVE - 2010  (2071 ms)
[INFO] Download Started for NVD CVE - 2012
[INFO] Processing Started for NVD CVE - 2010
[INFO] Download Complete for NVD CVE - 2011  (2067 ms)
[INFO] Processing Started for NVD CVE - 2011
[INFO] Download Started for NVD CVE - 2013
[INFO] Download Complete for NVD CVE - 2012  (2059 ms)
[INFO] Download Started for NVD CVE - 2014
[INFO] Processing Started for NVD CVE - 2012
[INFO] Download Complete for NVD CVE - 2013  (2448 ms)
[INFO] Processing Started for NVD CVE - 2013
[INFO] Download Started for NVD CVE - 2015
[INFO] Download Complete for NVD CVE - 2014  (2229 ms)
[INFO] Download Started for NVD CVE - 2016
[INFO] Processing Started for NVD CVE - 2014
[INFO] Download Complete for NVD CVE - 2015  (2821 ms)
[INFO] Processing Started for NVD CVE - 2015
[INFO] Download Started for NVD CVE - 2017
[INFO] Download Complete for NVD CVE - 2017  (2246 ms)
[INFO] Processing Started for NVD CVE - 2017
[INFO] Download Started for NVD CVE - 2018
[INFO] Download Complete for NVD CVE - 2018  (2619 ms)
[INFO] Download Started for NVD CVE - 2019
[INFO] Processing Started for NVD CVE - 2018
[INFO] Download Complete for NVD CVE - 2016  (8863 ms)
[INFO] Download Started for NVD CVE - 2020
[INFO] Processing Started for NVD CVE - 2016
[INFO] Download Complete for NVD CVE - 2019  (3767 ms)
[INFO] Download Started for NVD CVE - 2021
[INFO] Processing Started for NVD CVE - 2019
[INFO] Download Complete for NVD CVE - 2021  (1870 ms)
[INFO] Processing Started for NVD CVE - 2021
[INFO] Download Complete for NVD CVE - 2020  (4085 ms)
[INFO] Processing Started for NVD CVE - 2020
[ERROR] java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
org.owasp.dependencycheck.data.update.exception.UpdateException: java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
	at org.owasp.dependencycheck.data.update.NvdCveUpdater.performUpdate(NvdCveUpdater.java:298)
	at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:125)
	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:860)
	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:833)
	at org.owasp.dependencycheck.App.runUpdateOnly(App.java:387)
	at org.owasp.dependencycheck.App.run(App.java:164)
	at org.owasp.dependencycheck.App.main(App.java:81)
Caused by: java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
	at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
	at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
	at org.owasp.dependencycheck.data.update.NvdCveUpdater.performUpdate(NvdCveUpdater.java:288)
	... 6 common frames omitted
Caused by: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
	at org.owasp.dependencycheck.data.nvd.ecosystem.CveEcosystemMapper.lambda$hasMultipleVendorProductConfigurations$0(CveEcosystemMapper.java:95)
	at java.base/java.util.stream.MatchOps$1MatchSink.accept(MatchOps.java:90)
	at java.base/java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1602)
	at java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:129)
	at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:502)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:488)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
	at java.base/java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:230)
	at java.base/java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:196)
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.base/java.util.stream.ReferencePipeline.allMatch(ReferencePipeline.java:637)
	at org.owasp.dependencycheck.data.nvd.ecosystem.CveEcosystemMapper.hasMultipleVendorProductConfigurations(CveEcosystemMapper.java:95)
	at org.owasp.dependencycheck.data.nvd.ecosystem.CveEcosystemMapper.getEcosystem(CveEcosystemMapper.java:67)
	at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.parse(NvdCveParser.java:97)
	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.importJSON(ProcessTask.java:139)
	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:152)
	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:113)
	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:40)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
	at java.base/java.lang.Thread.run(Thread.java:831)
[WARN] A new version of dependency-check is available. Consider updating to version 6.1.5.
[ERROR] java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
org.owasp.dependencycheck.data.update.exception.UpdateException: java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
	at org.owasp.dependencycheck.data.update.NvdCveUpdater.performUpdate(NvdCveUpdater.java:298)
	at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:125)
	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:860)
	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:833)
	at org.owasp.dependencycheck.App.runUpdateOnly(App.java:387)
	at org.owasp.dependencycheck.App.run(App.java:164)
	at org.owasp.dependencycheck.App.main(App.java:81)
Caused by: java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
	at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
	at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
	at org.owasp.dependencycheck.data.update.NvdCveUpdater.performUpdate(NvdCveUpdater.java:288)
	... 6 common frames omitted
Caused by: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because the return value of "org.owasp.dependencycheck.data.nvd.json.DefCpeMatch.getCpe23Uri()" is null
	at org.owasp.dependencycheck.data.nvd.ecosystem.CveEcosystemMapper.lambda$hasMultipleVendorProductConfigurations$0(CveEcosystemMapper.java:95)
	at java.base/java.util.stream.MatchOps$1MatchSink.accept(MatchOps.java:90)
	at java.base/java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1602)
	at java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:129)
	at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:502)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:488)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
	at java.base/java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:230)
	at java.base/java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:196)
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.base/java.util.stream.ReferencePipeline.allMatch(ReferencePipeline.java:637)
	at org.owasp.dependencycheck.data.nvd.ecosystem.CveEcosystemMapper.hasMultipleVendorProductConfigurations(CveEcosystemMapper.java:95)
	at org.owasp.dependencycheck.data.nvd.ecosystem.CveEcosystemMapper.getEcosystem(CveEcosystemMapper.java:67)
	at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.parse(NvdCveParser.java:97)
	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.importJSON(ProcessTask.java:139)
	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:152)
	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:113)
	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:40)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
	at java.base/java.lang.Thread.run(Thread.java:831)

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 54
  • Comments: 36 (2 by maintainers)

Most upvoted comments

The NVD data feed seems to be fixed. It works again for me.

Looks like an issue with NVD’s repository. As a workaround, point to this mirror for data updates, like this:

<configuration>
    <cveUrlModified>https://freedumbytes.gitlab.io/setup/nist-nvd-mirror/nvdcve-1.1-modified.json.gz</cveUrlModified>
    <cveUrlBase>https://freedumbytes.gitlab.io/setup/nist-nvd-mirror/nvdcve-1.1-%d.json.gz</cveUrlBase>
</configuration>

I kind of support the ingenuity to work around the error in trusted NVD sources. However, be sure you really trust and know the source who offers you a random “freedumbytes” mirror as a workaround. You never know what you are going to get.

@jeremylong This is entirely an issue with the NVD data feeds having several invalid CPEs.

No it isn’t. It is an issue with DependencyCheck crashing when it receives invalid CPEs. Invalid CPEs in the feed should be a loud warning. It might even be reasonable to fail the dependency check if the project is using packages that have been misdeclared. It certainly isn’t reasonable that everyone’s CI is toast just because of one malformed feed.
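Added example (not DependencyCheck code and not part of the thread): the two behaviours contrasted in the comment above, run over a constructed feed in the NVD JSON 1.1 layout. The CVE IDs, vendor/product names and function names are made up for illustration; the strict variant aborts the whole import on one missing `cpe23Uri`, while the tolerant one warns, skips that match and keeps the rest.

```python
import json
import logging

log = logging.getLogger("nvd_feed_check")
CPE23_PREFIX = "cpe:2.3:"

# Constructed sample in the NVD JSON 1.1 layout; IDs and CPEs are invented.
SAMPLE_FEED = json.loads("""
{"CVE_Items": [
  {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
   "configurations": {"nodes": [
     {"operator": "OR", "children": [], "cpe_match": [
       {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:examplevendor:examplelib:1.0:*:*:*:*:*:*:*"},
       {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:examplevendor:examplelib:1.1:*:*:*:*:*:*:*"}]}]}},
  {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
   "configurations": {"nodes": [
     {"operator": "AND", "cpe_match": [], "children": [
       {"operator": "OR", "cpe_match": [
         {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:othervendor:othertool:2.0:*:*:*:*:*:*:*"},
         {"vulnerable": true}]}]}]}},
  {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0003"}},
   "configurations": {"nodes": [
     {"operator": "OR", "cpe_match": [{"vulnerable": false, "cpe23Uri": null}]}]}}
]}
""")


def iter_cpe_matches(nodes):
    """Yield every cpe_match entry in a configurations.nodes tree, children included."""
    for node in nodes or []:
        yield from node.get("cpe_match") or []
        yield from iter_cpe_matches(node.get("children"))


def strict_vendor_products(item):
    """Failing pattern: assumes cpe23Uri is always a string (None has no .split)."""
    nodes = item.get("configurations", {}).get("nodes")
    return {tuple(m.get("cpe23Uri").split(":")[3:5]) for m in iter_cpe_matches(nodes)}


def tolerant_vendor_products(item):
    """Return (vendor/product pairs, malformed matches); warn on each malformed match."""
    cve_id = item["cve"]["CVE_data_meta"]["ID"]
    nodes = item.get("configurations", {}).get("nodes")
    good, bad = set(), []
    for match in iter_cpe_matches(nodes):
        uri = match.get("cpe23Uri")
        # Naive split: an escaped ':' inside a CPE field is not handled here.
        parts = uri.split(":") if isinstance(uri, str) else []
        if not parts or not uri.startswith(CPE23_PREFIX) or len(parts) < 13:
            bad.append(match)
            log.warning("%s: cpe_match without a usable cpe23Uri: %r", cve_id, match)
            continue
        good.add((parts[3], parts[4]))
    return good, bad


def import_feed(feed, tolerant=True):
    """Process every CVE item; returns (imported pairs per CVE, rejected count per CVE)."""
    imported, rejected = {}, {}
    for item in feed.get("CVE_Items", []):
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        if tolerant:
            good, bad = tolerant_vendor_products(item)
            imported[cve_id] = good
            if bad:
                rejected[cve_id] = len(bad)
        else:
            imported[cve_id] = strict_vendor_products(item)
    return imported, rejected


if __name__ == "__main__":
    try:
        import_feed(SAMPLE_FEED, tolerant=False)
    except AttributeError as exc:
        print("strict import aborted:", exc)
    imported, rejected = import_feed(SAMPLE_FEED, tolerant=True)
    print("imported:", imported)
    print("rejected matches per CVE:", rejected)
```

The `rejected` map is what a CI job would surface as the loud warning, or turn into a failure when one of the listed CVEs concerns a package the project actually uses.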

Email response from nvd@nist.gov

Good morning,

Thank you for bringing this to our attention. We are investigating the issue and currently working towards a resolution. We apologize for the inconvenience. V/r, National Vulnerability Database Team

@javintx until someone uses CI which is run on a fresh machine for each build, for example 😃

Hi! Same problem here…also tested with 6.1.1 version

I’m still getting this error as of today. It is still happening.

> Task :dependencyCheckAnalyze
Verifying dependencies for project ms_refdata_updates
Checking for updates and analyzing dependencies for vulnerabilities
java.util.concurrent.ExecutionException: java.lang.NullPointerException
org.owasp.dependencycheck.data.update.exception.UpdateException: java.util.concurrent.ExecutionException: java.lang.NullPointerException
	at org.owasp.dependencycheck.data.update.NvdCveUpdater.performUpdate(NvdCveUpdater.java:298)
	at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:125)
	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:933)
	at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:740)
	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:670)
	at org.owasp.dependencycheck.Engine$analyzeDependencies$0.call(Unknown Source)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:115)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:119)
	at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.analyze(AbstractAnalyze.groovy:88)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.gradle.internal.reflect.JavaMethod.invoke(JavaMethod.java:103)
	at org.gradle.api.internal.project.taskfactory.StandardTaskAction.doExecute(StandardTaskAction.java:49)
	at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:42)
	at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:28)
	at org.gradle.api.internal.AbstractTask$TaskActionWrapper.execute(AbstractTask.java:717)
	at org.gradle.api.internal.AbstractTask$TaskActionWrapper.execute(AbstractTask.java:684)
	at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter$5.run(ExecuteActionsTaskExecuter.java:476)
	at org.gradle.internal.operations.DefaultBuildOperationExecutor$RunnableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:402)
	at org.gradle.internal.operations.DefaultBuildOperationExecutor$RunnableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:394)
	at org.gradle.internal.operations.DefaultBuildOperationExecutor$1.execute(DefaultBuildOperationExecutor.java:165)
	at org.gradle.internal.operations.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:250)
	at org.gradle.internal.operations.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:158)
	at org.gradle.internal.operations.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:92)
	at org.gradle.internal.operations.DelegatingBuildOperationExecutor.run(DelegatingBuildOperationExecutor.java:31)
	at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeAction(ExecuteActionsTaskExecuter.java:461)
	at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeActions(ExecuteActionsTaskExecuter.java:444)
	at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.access$200(ExecuteActionsTaskExecuter.java:93)
	at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter$TaskExecution.execute(ExecuteActionsTaskExecuter.java:237)
	at org.gradle.internal.execution.steps.ExecuteStep.lambda$execute$1(ExecuteStep.java:33)
	at java.util.Optional.orElseGet(Optional.java:267)
	at org.gradle.internal.execution.steps.ExecuteStep.execute(ExecuteStep.java:33)
	at org.gradle.internal.execution.steps.ExecuteStep.execute(ExecuteStep.java:26)
	at org.gradle.internal.execution.steps.CleanupOutputsStep.execute(CleanupOutputsStep.java:58)
	at org.gradle.internal.execution.steps.CleanupOutputsStep.execute(CleanupOutputsStep.java:35)
	at org.gradle.internal.execution.steps.ResolveInputChangesStep.execute(ResolveInputChangesStep.java:48)
	at org.gradle.internal.execution.steps.ResolveInputChangesStep.execute(ResolveInputChangesStep.java:33)
	at org.gradle.internal.execution.steps.CancelExecutionStep.execute(CancelExecutionStep.java:39)
	at org.gradle.internal.execution.steps.TimeoutStep.executeWithoutTimeout(TimeoutStep.java:73)
	at org.gradle.internal.execution.steps.TimeoutStep.execute(TimeoutStep.java:54)
	at org.gradle.internal.execution.steps.CatchExceptionStep.execute(CatchExceptionStep.java:35)
	at org.gradle.internal.execution.steps.CreateOutputsStep.execute(CreateOutputsStep.java:51)
	at org.gradle.internal.execution.steps.SnapshotOutputsStep.execute(SnapshotOutputsStep.java:45)
	at org.gradle.internal.execution.steps.SnapshotOutputsStep.execute(SnapshotOutputsStep.java:31)
	at org.gradle.internal.execution.steps.CacheStep.executeWithoutCache(CacheStep.java:208)
	at org.gradle.internal.execution.steps.CacheStep.execute(CacheStep.java:70)
	at org.gradle.internal.execution.steps.CacheStep.execute(CacheStep.java:45)
	at org.gradle.internal.execution.steps.BroadcastChangingOutputsStep.execute(BroadcastChangingOutputsStep.java:49)
	at org.gradle.internal.execution.steps.StoreSnapshotsStep.execute(StoreSnapshotsStep.java:43)
	at org.gradle.internal.execution.steps.StoreSnapshotsStep.execute(StoreSnapshotsStep.java:32)
	at org.gradle.internal.execution.steps.RecordOutputsStep.execute(RecordOutputsStep.java:38)
	at org.gradle.internal.execution.steps.RecordOutputsStep.execute(RecordOutputsStep.java:24)
	at org.gradle.internal.execution.steps.SkipUpToDateStep.executeBecause(SkipUpToDateStep.java:96)
	at org.gradle.internal.execution.steps.SkipUpToDateStep.lambda$execute$0(SkipUpToDateStep.java:89)
	at java.util.Optional.map(Optional.java:215)
	at org.gradle.internal.execution.steps.SkipUpToDateStep.execute(SkipUpToDateStep.java:54)
	at org.gradle.internal.execution.steps.SkipUpToDateStep.execute(SkipUpToDateStep.java:38)
	at org.gradle.internal.execution.steps.ResolveChangesStep.execute(ResolveChangesStep.java:76)
	at org.gradle.internal.execution.steps.ResolveChangesStep.execute(ResolveChangesStep.java:37)
	at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsFinishedStep.execute(MarkSnapshottingInputsFinishedStep.java:36)
	at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsFinishedStep.execute(MarkSnapshottingInputsFinishedStep.java:26)
	at org.gradle.internal.execution.steps.ResolveCachingStateStep.execute(ResolveCachingStateStep.java:90)
	at org.gradle.internal.execution.steps.ResolveCachingStateStep.execute(ResolveCachingStateStep.java:48)
	at org.gradle.internal.execution.steps.CaptureStateBeforeExecutionStep.execute(CaptureStateBeforeExecutionStep.java:69)
	at org.gradle.internal.execution.steps.CaptureStateBeforeExecutionStep.execute(CaptureStateBeforeExecutionStep.java:47)
	at org.gradle.internal.execution.impl.DefaultWorkExecutor.execute(DefaultWorkExecutor.java:33)
	at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.execute(ExecuteActionsTaskExecuter.java:140)
	at org.gradle.api.internal.tasks.execution.ValidatingTaskExecuter.execute(ValidatingTaskExecuter.java:62)
	at org.gradle.api.internal.tasks.execution.SkipEmptySourceFilesTaskExecuter.execute(SkipEmptySourceFilesTaskExecuter.java:108)
	at org.gradle.api.internal.tasks.execution.ResolveBeforeExecutionOutputsTaskExecuter.execute(ResolveBeforeExecutionOutputsTaskExecuter.java:67)
	at org.gradle.api.internal.tasks.execution.ResolveAfterPreviousExecutionStateTaskExecuter.execute(ResolveAfterPreviousExecutionStateTaskExecuter.java:46)
	at org.gradle.api.internal.tasks.execution.CleanupStaleOutputsExecuter.execute(CleanupStaleOutputsExecuter.java:94)
	at org.gradle.api.internal.tasks.execution.FinalizePropertiesTaskExecuter.execute(FinalizePropertiesTaskExecuter.java:46)
	at org.gradle.api.internal.tasks.execution.ResolveTaskExecutionModeExecuter.execute(ResolveTaskExecutionModeExecuter.java:95)
	at org.gradle.api.internal.tasks.execution.SkipTaskWithNoActionsExecuter.execute(SkipTaskWithNoActionsExecuter.java:57)
	at org.gradle.api.internal.tasks.execution.SkipOnlyIfTaskExecuter.execute(SkipOnlyIfTaskExecuter.java:56)
	at org.gradle.api.internal.tasks.execution.CatchExceptionTaskExecuter.execute(CatchExceptionTaskExecuter.java:36)
	at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.executeTask(EventFiringTaskExecuter.java:77)
	at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.call(EventFiringTaskExecuter.java:55)
	at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.call(EventFiringTaskExecuter.java:52)
	at org.gradle.internal.operations.DefaultBuildOperationExecutor$CallableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:416)
	at org.gradle.internal.operations.DefaultBuildOperationExecutor$CallableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:406)
	at org.gradle.internal.operations.DefaultBuildOperationExecutor$1.execute(DefaultBuildOperationExecutor.java:165)
	at org.gradle.internal.operations.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:250)
	at org.gradle.internal.operations.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:158)
	at org.gradle.internal.operations.DefaultBuildOperationExecutor.call(DefaultBuildOperationExecutor.java:102)
	at org.gradle.internal.operations.DelegatingBuildOperationExecutor.call(DelegatingBuildOperationExecutor.java:36)
	at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter.execute(EventFiringTaskExecuter.java:52)
	at org.gradle.execution.plan.LocalTaskNodeExecutor.execute(LocalTaskNodeExecutor.java:43)
	at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$InvokeNodeExecutorsAction.execute(DefaultTaskExecutionGraph.java:355)
	at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$InvokeNodeExecutorsAction.execute(DefaultTaskExecutionGraph.java:343)
	at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.execute(DefaultTaskExecutionGraph.java:336)
	at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.execute(DefaultTaskExecutionGraph.java:322)
	at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker$1.execute(DefaultPlanExecutor.java:134)
	at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker$1.execute(DefaultPlanExecutor.java:129)
	at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.execute(DefaultPlanExecutor.java:202)
	at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.executeNextNode(DefaultPlanExecutor.java:193)
	at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.run(DefaultPlanExecutor.java:129)
	at org.gradle.internal.concurrent.ExecutorPolicy$CatchAndRecordFailures.onExecute(ExecutorPolicy.java:64)
	at org.gradle.internal.concurrent.ManagedExecutorImpl$1.run(ManagedExecutorImpl.java:48)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.gradle.internal.concurrent.ThreadFactoryImpl$ManagedThreadRunnable.run(ThreadFactoryImpl.java:56)
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.util.concurrent.ExecutionException: java.lang.NullPointerException
	at java.util.concurrent.FutureTask.report(FutureTask.java:122)
	at java.util.concurrent.FutureTask.get(FutureTask.java:192)
	at org.owasp.dependencycheck.data.update.NvdCveUpdater.performUpdate(NvdCveUpdater.java:288)
	... 106 more
Caused by: java.lang.NullPointerException
	at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.lambda$testCveCpeStartWithFilter$0(NvdCveParser.java:149)
	at java.util.stream.MatchOps$1MatchSink.accept(MatchOps.java:90)
	at java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1361)
	at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
	at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:499)
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:486)
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
	at java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:230)
	at java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:196)
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.util.stream.ReferencePipeline.anyMatch(ReferencePipeline.java:516)
	at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.testCveCpeStartWithFilter(NvdCveParser.java:149)
	at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.parse(NvdCveParser.java:100)
	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.importJSON(ProcessTask.java:139)
	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:152)
	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:113)
	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:40)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	... 1 more
A new version of dependency-check is available. Consider updating to version 6.1.6.
Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
Unable to continue dependency-check analysis.

This is entirely an issue with the NVD data feeds having several invalid CPEs.

Same here:

[23:21:00][Step 2/3] [INFO] Processing Started for NVD CVE - 2021
[INFO] Download Complete for NVD CVE - 2020  (4172 ms)
[INFO] Processing Started for NVD CVE - 2020
[ERROR] java.util.concurrent.ExecutionException: java.lang.NullPointerException
org.owasp.dependencycheck.data.update.exception.UpdateException: java.util.concurrent.ExecutionException: java.lang.NullPointerException
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.performUpdate (NvdCveUpdater.java:298)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.update (NvdCveUpdater.java:125)
    at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:860)
    at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase (Engine.java:667)
    at org.owasp.dependencycheck.Engine.analyzeDependencies (Engine.java:593)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1660)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:929)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356)
Caused by: java.util.concurrent.ExecutionException: java.lang.NullPointerException
    at java.util.concurrent.FutureTask.report (FutureTask.java:122)
    at java.util.concurrent.FutureTask.get (FutureTask.java:191)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.performUpdate (NvdCveUpdater.java:288)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.update (NvdCveUpdater.java:125)
    at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:860)
    at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase (Engine.java:667)
    at org.owasp.dependencycheck.Engine.analyzeDependencies (Engine.java:593)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1660)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:929)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356)
Caused by: java.lang.NullPointerException
    at org.owasp.dependencycheck.data.nvd.ecosystem.UrlEcosystemMapper.getEcosystem (UrlEcosystemMapper.java:68)
    at org.owasp.dependencycheck.data.nvd.ecosystem.CveEcosystemMapper.getEcosystem (CveEcosystemMapper.java:74)
    at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.parse (NvdCveParser.java:97)
    at org.owasp.dependencycheck.data.update.nvd.ProcessTask.importJSON (ProcessTask.java:139)
    at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles (ProcessTask.java:152)
    at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call (ProcessTask.java:113)
    at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call (ProcessTask.java:40)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:834)
[23:21:02][Step 2/3] [WARNING] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.

@joshluisaac Updating the owasp version to 6.1.6 worked for me.

I just tried 6.1.6 but it is still failing

@NISTcyber · 11m
We have resolved the issue where data feed files were not properly replicating to their intended destinations. However, we are currently investigating and working towards a resolution for multiple unintended formatting changes to the JSON feeds that have been reported by others.

meh still waiting for the fix that works 😃

[ERROR] java.util.concurrent.ExecutionException: java.lang.NullPointerException

I’m working with:

dependencyCheck {
    autoUpdate = false
}

This prevents the failure and keeps the previous database in the meantime, until NIST fixes the problem. I think that it’s better than using another database.

With a Gradle project, this suggested workaround should work:

cve {
    urlModified = 'https://freedumbytes.gitlab.io/setup/nist-nvd-mirror/nvdcve-1.1-modified.json.gz'
    urlBase = 'https://freedumbytes.gitlab.io/setup/nist-nvd-mirror/nvdcve-1.1-%d.json.gz'
}

same here. In Maven you can use <failOnError>false</failOnError> until it is fixed

You can temporarily add the parameter --noupdate if you only want to scan.

@vilvo I didn’t mean you personally. Sorry if I made this point.

I’m just very surprised that it hasn’t used any signature. Very surprised.

Because right now a random government agency like the DMV probably has better security than NIST when it publishes an actual list of security issues.

But, it is off-topic here.