DependencyCheck: NullPointerException: Cannot invoke "org.sonatype.goodies.packageurl.PackageUrl.toString()" because "coordinates" is null

Analysis has been failing since this morning with the Sonatype OSS Index Analyzer.

Both dependency-check-maven:7.1.0 and dependency-check-maven:6.5.3 are impacted.

May 25 06:25:11 [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:aggregate (default) on project : One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis:
May 25 06:25:11 [ERROR] 	AnalysisException: Failed to request component-reports
May 25 06:25:11 [ERROR] 		caused by NullPointerException: Cannot invoke "org.sonatype.goodies.packageurl.PackageUrl.toString()" because "coordinates" is null

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 25
  • Comments: 53 (4 by maintainers)

Most upvoted comments

Hi All, Sonatype OSSI Product Manager here. Firstly, sorry that this caused you all trouble. The best path here is to make authenticated requests as not only will that increase your rate limit but will also provide you with the most complete/accurate data.

We are also investigating whether we can increase the anonymous rate limit specifically for Dependency Check and Dependency Track. I’ll drop an update here later today.

For mvn users, you can, for the moment, disable the OSS Index analyzer by adding the following to your plugin configuration:

<ossindexAnalyzerEnabled>false</ossindexAnalyzerEnabled>

@jeremylong Thanks, well spotted. Looks like this is another bug. We’re investigating now.

Maybe it’s related to some breaking changes in OSS index -> https://ossindex.sonatype.org/updates-notice

Could be, as I receive the following error alongside the mentioned error:

AnalysisException: OSS Index rate limit exceeded
		caused by TransportException: Unexpected response; status: 429

It works by providing valid Sonatype credentials. Register at https://ossindex.sonatype.org/user/register.

For Maven users:

Specify a server in your Maven settings ~/.m2/settings.xml (default location):

<servers>
    <server>
        <id>SERVER_ID</id>
        <username>USERNAME</username>
        <password>PASSWORD_OR_API_TOKEN</password>
    </server>
</servers>

Configure the dependency-check-maven plugin in your pom.xml:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <configuration>
        <ossIndexServerId>SERVER_ID</ossIndexServerId>
    </configuration>
</plugin>

When using Maven, you can also skip it via the mvn command to avoid having to adapt your plugin configuration in the pom.xml:

mvn verify -DossindexAnalyzerEnabled=false

@norrs Thanks, that one has been reported a few times now and we’re looking at it. Think we’re getting to the bottom of this one NPE at a time. Hopefully this is the last 😅

I have just tested one pipeline on my side and it works now, thanks for the quick feedback and fixes @jlstephens89 @jeremylong !! 🙏 I’m still waiting for reports from all pipelines, but it is progressing, thanks for that!

Getting some errors, but the build is successful:

Failed to fetch component-report for: pkg:maven/io.github.classgraph/classgraph@4.8.60
java.lang.NullPointerException
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform(OssIndexAnalyzer.java:339)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5(OssIndexAnalyzer.java:245)
        at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
        at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1384)
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
        at java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
        at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:490)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:246)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:158)
        at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Failed to fetch component-report for: pkg:maven/com.google.guava/guava@30.1-jre
Failed to fetch component-report for: pkg:maven/org.bouncycastle/bcprov-jdk15on@1.68
Failed to fetch component-report for: pkg:maven/xerces/xercesImpl@2.12.1

> Task :dependencyCheckAnalyze
Generating report for project test
Found 2 vulnerabilities in project test


One or more dependencies were identified with known vulnerabilities in test:

json-smart-2.3.jar (pkg:maven/net.minidev/json-smart@2.3, cpe:2.3:a:ini-parser_project:ini-parser:2.3:*:*:*:*:*:*:*, cpe:2.3:a:json-smart_project:json-smart-v2:2.3:*:*:*:*:*:*:*) : CVE-2021-31684
xercesImpl-2.12.1.jar (pkg:maven/xerces/xercesImpl@2.12.1) : CVE-2022-23437


See the dependency-check report for more details.



BUILD SUCCESSFUL in 1m 56s

Not getting those warnings if I use credentials on the Gradle plugin.
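A CI-side check for the failure mode shown in the log above (build green, OSS Index reports silently dropped), added here as an example and not part of this thread or of DependencyCheck itself: it scans a build log for the "Failed to fetch component-report" warnings and the 429 rate-limit error, lists the package URLs that OSS Index never scored, and returns non-zero so the pipeline can treat the coverage gap as a failure rather than a warning. The log text is constructed from the lines quoted in this thread.

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample log, modelled on the warnings and the 429 error quoted in
# this thread; it is not a real build log.
SAMPLE_LOG = """\
[INFO] Finished RetireJS Analyzer (16 seconds)
[WARNING] Failed to fetch component-report for: pkg:maven/javax.mail/mail@1.5.0-b01
java.lang.NullPointerException
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform (OssIndexAnalyzer.java:350)
[WARNING] Failed to fetch component-report for: pkg:maven/commons-codec/commons-codec@1.10
java.lang.NullPointerException
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform (OssIndexAnalyzer.java:350)
[WARNING] Failed to fetch component-report for: pkg:maven/commons-codec/commons-codec@1.10
[ERROR] \tAnalysisException: OSS Index rate limit exceeded
[ERROR] \t\tcaused by TransportException: Unexpected response; status: 429
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] BUILD SUCCESS
"""

FETCH_RE = re.compile(r"Failed to fetch component-report for:\s*(pkg:\S+)")
# Minimal package-URL splitter (type/namespace/name@version); qualifiers are ignored.
PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<namespace>.+)/)?(?P<name>[^@/]+)@(?P<version>[^?#]+)$"
)


@dataclass
class OssIndexGaps:
    unscored: list        # distinct purls whose component-report was dropped
    npe_count: int        # NullPointerException lines seen in the log
    rate_limited: bool    # HTTP 429 / "rate limit exceeded" seen
    build_success: bool   # the build still reported success


def parse_purl(purl: str) -> dict:
    """Split a purl such as pkg:maven/io.netty/netty-codec@4.1.53.Final."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a recognised package URL: {purl}")
    return m.groupdict()


def find_gaps(log_text: str) -> OssIndexGaps:
    """Scan a dependency-check build log for OSS Index reports that were lost."""
    unscored, npe_count, rate_limited, build_success = [], 0, False, False
    for line in log_text.splitlines():
        m = FETCH_RE.search(line)
        if m:
            purl = m.group(1)
            if purl not in unscored:      # the same artifact may be reported twice
                unscored.append(purl)
        elif "OSS Index rate limit exceeded" in line or "status: 429" in line:
            rate_limited = True
        elif line.strip() == "java.lang.NullPointerException":
            npe_count += 1
        elif "BUILD SUCCESS" in line:     # also matches Gradle's "BUILD SUCCESSFUL"
            build_success = True
    return OssIndexGaps(unscored, npe_count, rate_limited, build_success)


def should_fail(gaps: OssIndexGaps) -> bool:
    """A green build with unscored components is a silent coverage gap."""
    return gaps.build_success and (bool(gaps.unscored) or gaps.rate_limited)


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    gaps = find_gaps(text)
    for purl in gaps.unscored:
        p = parse_purl(purl)
        print(f"unscored: {p['type']} {p['namespace']}:{p['name']} {p['version']}")
    print(f"NPEs: {gaps.npe_count}, rate limited: {gaps.rate_limited}, "
          f"build success: {gaps.build_success}")
    return 1 if should_fail(gaps) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_ossindex_gaps.py build.log` after the scan; the exit status is 1 whenever the build passed but at least one component was never checked against OSS Index.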

I’m getting these errors:

Failed to fetch component-report for: pkg:maven/org.bouncycastle/bcprov-jdk15on@1.68
java.lang.NullPointerException
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform(OssIndexAnalyzer.java:350)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5(OssIndexAnalyzer.java:256)
        at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
        at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
        at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
        at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
        at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.base/java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:502)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:257)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:163)
        at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:829)
Failed to fetch component-report for: pkg:maven/xerces/xercesImpl@2.12.1

Thanks for the help, it is now fully resolved from my side!

@jlstephens89, I too am still seeing errors:

Failed to fetch component-report for: pkg:maven/org.glassfish.jersey.core/jersey-common@2.5.1
java.lang.NullPointerException
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform(OssIndexAnalyzer.java:350)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5(OssIndexAnalyzer.java:256)
        at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
        at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655)
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
        at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
        at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
        at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.base/java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:502)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:257)
        at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:163)
        at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:829)

Okay, we’ve fixed the bug that was dropping the coordinates field and released. That should remove the NPE. We’ve hopefully also sorted the rate limit issue. It’d be great if someone could test and let me know.

@jlstephens89 I mentioned earlier that it found a new security issue. I looked a bit closer into it and it seems to be a false report: #4528 (comment). Related to these updates that are happening now to use your new databases?

Because 5.7.1 doesn’t match the vulnerable version numbers as mentioned in the CVE-2020-5408 or json record you can view at cve.org.

@jlstephens89: After suppressing the found vulnerability, I still get a warning with an NPE, but the org.owasp:dependency-check-maven:aggregate report runs successfully though.

Log:

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (0 seconds)
[INFO] Finished Node.js Package Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (0 seconds)
[INFO] Finished NPM CPE Analyzer (0 seconds)
[INFO] Created CPE Index (0 seconds)
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished RetireJS Analyzer (16 seconds)
[WARNING] Failed to fetch component-report for: pkg:maven/javax.mail/mail@1.5.0-b01
java.lang.NullPointerException
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform (OssIndexAnalyzer.java:350)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$5 (OssIndexAnalyzer.java:256)
    at java.util.stream.ReferencePipeline$3$1.accept (ReferencePipeline.java:195)
    at java.util.ArrayList$ArrayListSpliterator.forEachRemaining (ArrayList.java:1655)
    at java.util.stream.AbstractPipeline.copyInto (AbstractPipeline.java:484)
    at java.util.stream.AbstractPipeline.wrapAndCopyInto (AbstractPipeline.java:474)
    at java.util.stream.ForEachOps$ForEachOp.evaluateSequential (ForEachOps.java:150)
    at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential (ForEachOps.java:173)
    at java.util.stream.AbstractPipeline.evaluate (AbstractPipeline.java:234)
    at java.util.stream.ReferencePipeline.forEachOrdered (ReferencePipeline.java:502)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich (OssIndexAnalyzer.java:257)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:163)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:834)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (19 seconds)
[INFO] Writing report to: /*snip*/unit/alp/target/dependency-check-report.xml
[INFO] Writing report to: /*snip*/unit/alp/target/dependency-check-report.html
[INFO] Writing report to: /*snip*/unit/alp/target/dependency-check-report.json
[INFO] Writing report to: /*snip*/unit/alp/target/dependency-check-report.csv
[INFO] Writing report to: /*snip*/unit/alp/target/dependency-check-report.sarif
[INFO] Writing report to: /*snip*/unit/alp/target/dependency-check-junit.xml
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO] 
[INFO] alp 1.0-SNAPSHOT ................................... SUCCESS [ 29.271 s]
*snip*
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  29.574 s
[INFO] Finished at: 2022-05-25T17:45:13+02:00

Do you want us to keep reporting the NPEs of artifacts we find in our builds? Or create a new separate issue for each of them?

🤔 This might be another error than the given issue title.

@norrs It’s more likely that our research team has found that the public CVE information is incorrect. Our team of researchers goes much deeper than anything else that is publicly available. Email me privately at jstephens@sonatype.com with the component and CVE information and I’ll pass it on to the research team to double check for you and get you some more information.

Hello, thanks for the comment. I have provided a stack trace in a comment above:

https://github.com/jeremylong/DependencyCheck/issues/4535#issuecomment-1137269719

@jlstephens89 thanks for your help but it still doesn’t work in my case. I can still see the NPEs and it still raises some dependencies as vulnerable. If I disable the analyser it works ok, so no NPEs nor vulnerabilities.

Do I need to do anything in my gradle file? I am using the version 7.1.0.1 of the dependencycheck plugin.

Fix released and tested for the latest NPEs. Test again and let me know if there are any more issues (also super sorry to disrupt everyone’s day!)

Also getting those exceptions, for the packages:

[WARNING] Failed to fetch component-report for: pkg:maven/commons-codec/commons-codec@1.10
[WARNING] Failed to fetch component-report for: pkg:maven/commons-codec/commons-codec@1.11
[WARNING] Failed to fetch component-report for: pkg:maven/io.netty/netty-codec@4.1.53.Final
[WARNING] Failed to fetch component-report for: pkg:maven/io.netty/netty-handler@4.1.53.Final
[WARNING] Failed to fetch component-report for: pkg:maven/org.bouncycastle/bcprov-jdk15on@1.68
[WARNING] Failed to fetch component-report for: pkg:maven/org.geolatte/geolatte-geom@0.15

@jlstephens89 Seems to be working for me on the latest version. Tested both in our AWS pipeline running the OWASP scan and locally on my dev machine. Seems to have found a new identified vulnerability as well.

spring-security-crypto-5.7.1.jar: CVE-2020-5408(6.5).

Thanks.

edit: command issued: mvn -DskipTests=true --no-transfer-progress -Powasp clean org.owasp:dependency-check-maven:aggregate

our owasp profile:

<profile>
  <id>owasp</id>
  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${org.owasp.dependency.version}</version>
        <configuration>
          <suppressionFiles>${project.monoBasePath}/alp-owasp-suppressions.xml</suppressionFiles>
          <failBuildOnCVSS>1</failBuildOnCVSS>
          <enableExperimental>true</enableExperimental>
          <yarnAuditAnalyzerEnabled>true</yarnAuditAnalyzerEnabled>
          <retireJsAnalyzerEnabled>true</retireJsAnalyzerEnabled>
          <!-- Disable .NET content -->
          <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
          <nugetconfAnalyzerEnabled>false</nugetconfAnalyzerEnabled>
          <nuspecAnalyzerEnabled>false</nuspecAnalyzerEnabled>
          <formats>
            <format>ALL</format>
          </formats>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>aggregate</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
  <dependencies>
    <dependency>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>${org.owasp.dependency.version}</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</profile>

See https://github.com/jeremylong/DependencyCheck/issues/4539#issuecomment-1137183801

@jlstephens89 see my email about the missing coordinates in the API response causing an NPE…

For Maven users, it helps with:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>7.1.0</version>
    <configuration>
        <skipSystemScope>true</skipSystemScope>
        <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
        <ossindexAnalyzerEnabled>false</ossindexAnalyzerEnabled>
        <reportSets>
            <reportSet>
                <reports>
                    <report>aggregate</report>
                </reports>
            </reportSet>
        </reportSets>
    </configuration>
</plugin>

For Gradle users, you can disable OSS Index by adding the following line to your dependencycheck plugin configuration:

analyzers.ossIndexEnabled = false

Checked with org.owasp.dependencycheck version “7.1.0.1”.