DependencyCheck: NPE from OssIndexAnalyzer fetching component-report
Describe the bug
[WARNING] Failed to fetch component-report for: pkg:maven/io.netty/netty-handler@4.1.77.Final
java.lang.NullPointerException
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform (OssIndexAnalyzer.java:350)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5 (OssIndexAnalyzer.java:256)
at java.util.stream.ReferencePipeline$3$1.accept (ReferencePipeline.java:195)
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining (ArrayList.java:1655)
at java.util.stream.AbstractPipeline.copyInto (AbstractPipeline.java:484)
at java.util.stream.AbstractPipeline.wrapAndCopyInto (AbstractPipeline.java:474)
at java.util.stream.ForEachOps$ForEachOp.evaluateSequential (ForEachOps.java:150)
at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential (ForEachOps.java:173)
at java.util.stream.AbstractPipeline.evaluate (AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.forEachOrdered (ReferencePipeline.java:502)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich (OssIndexAnalyzer.java:257)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:163)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run (FutureTask.java:264)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
at java.lang.Thread.run (Thread.java:829)
Version of dependency-check used dependency-check-maven 7.1.0
Log file https://gist.github.com/OrangeDog/9f976a83dd5af51f51ce677944384420
To Reproduce
Unsure. netty-handler is included via io.lettuce:lettuce-core:6.1.8.RELEASE
Expected behavior No NPE warnings in log.
About this issue
- Original URL
- State: open
- Created 2 years ago
- Reactions: 12
- Comments: 44 (1 by maintainers)
We at Sonatype really appreciate everyone’s patience as we work through these issues. I can assure you we did extensively test these changes over the last 2 months but there is always room for improvement and the next change we make we’ll be doing a lot more testing with the various clients and looking for ways to more gradually roll out. You all reporting and raising the issues has enabled us to react as fast as possible and you’ve all been a great help. Thanks!
Also if you ever need to reach us directly you can at ossindex@sonatype.org
Hey all Sonatype Product Manager for OSS Index here. Firstly sorry this has caused you all an issue. There are a number of vulnerabilities that have been found by our research teams that haven’t made their way to the public databases yet. One of the huge advantages of the upgrade me made yesterday is that anyone using OSSI now benefits from research done by Sonatype’s commercial research teams, making this the highest quality free data source.
These new vulnerabilities that don’t have CVEs will now have SONATYPE-* IDs which I think might be causing the problem. For anonymous access we’ve bundled any of these new vulnerabilities up and only display the ID of the vulnerability with the highest severity. To expand them out you’ll need to be authenticated.
We made a temporary fix last night to remove the aggregated vulnerability from anonymous access whenever we see a dependency-track user-agent hoping that would fix this problem. I’m guessing some of you folks are authenticated and are still running into trouble? That’s probably going to require a change to dependency-track to support the new ID format.
@jeremylong
I’ll reply here when I have more information.
@jlstephens89 have a look at the other recent issues. Many users are now being rate-limited when they weren’t before, and OSS Index has added various (apparently) new errors causing false positives.
A high-quality free public data source that wanted to improve everyone’s software would not require a login in order to see it.
Thanks for the service in the first place!
As client users we should probably give the maintainer a hand in making the library a bit more resilient to unexpected formatted data so that the tool handles it more gracefully.
I’ll try to find some time to help with that over the coming week.
Thanks all - I’ve just retried with ossindexAnalyzerEnabled set to true again, and it all works fine!
@uwesinha Another edge case has been resolved which may also have been the cause for your NPE.
I don’t see the NullPointerException anymore. Thx!
@uwesinha I made a small project with your packages, but was not able to reproduce the exception. I wonder if the data in the dependency-check cache is corrupted. I would suggest deleting the OSS Index portion of the cache and rerunning.
I found it in the
<dependency-check install dir>/data/oss_cachefolder. Clear that out and see if it resolves the problem.Thank you, i have run the build with gradle and I am not seeing the null pointer exc anymore. I see that there are some vulnerabilities that should be solved our side.
Thanks for looking into this, @jlstephens89! I ran my build again 8 minutes ago, but sadly no change. 😢 (I’m in CEST land, so I’ll check back tomorrow. 😃)
Hmm from that stack trace it looks like the the null coordinates has been cached in some way. Looking at the OSSI client code this is getting cached in your user directory. We’ve just released more bug fixes which should help so try again and if that still fails, try clearing the cache.
Indeed - the build “breaks” in that it can’t be completed. As a temporary workaround, I’m using the following configuration:
This compiles, skipping the remote OSS index check. Not great from a security/vulnerability checking point of view (the whole point of doing this in the first place:-)) but at least it gets past this hiccup for now.
@antonilic Sorry, I missed that:-) Thanks.
Looking at the logs it looks like dependency-check tries to access https://ossindex.sonatype.org/api/v3/component-report Viewing that in a browser gives a 405 error. That may be irrelevant, but the page does have a link on to this one: https://ossindex.sonatype.org/updates-notice which points out several breaking changes.
Hello, I am using the “org.owasp.dependencycheck” gradle plugin, version “7.1.0.1” and I am getting the same issue but for different (transitive) dependencies:
The CVEs are the following:
Everything had been working ok before yesterday afternoon.
I would like to work around this temporarily by just turning off the OSS Index analyser entirely.
I thought I would be able to achieve this (Maven plugin here) by:
But this isn’t working as I expected. The analyser is still running and throwing out the errors as documented by others in this issue. What am I missing? How do I just entirely disable the OSS Index analyser if not this way?
Same here for the following in our project:
In another project I get the same NPEs for the following: