DependencyCheck: OWASP: AnalysisException: Failed to request component-reports caused by NullPointerException: null

Starting today (25.05.2022), multiple errors started to fail on each execution. No plugin version changed.

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.1.6:aggregate (run-when-install) on project. One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis:
[ERROR]         AnalysisException: Failed to request component-reports
[ERROR]                 caused by NullPointerException: null
[ERROR] -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.owasp:dependency-check-maven:6.1.6:aggregate (run-when-install) on project: One or more exceptions occurred during dependency-check analysis
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: org.apache.maven.plugin.MojoExecutionException: One or more exceptions occurred during dependency-check analysis
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1699)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:929)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during analysis:
        AnalysisException: Failed to request component-reports
                caused by NullPointerException: null

About this issue

Original URL
State: closed
Created 2 years ago
Reactions: 4
Comments: 17 (2 by maintainers)

Commits related to this issue

[SECURITY] Disable OSS index use due to breaking changes Also had to disable .net assembly analysis (through lombok bundled windows executables) explicitly to prevent analysis failure once OSS index ... — committed to nhsconnect/prm-repo-nems-event-processor by danmoorenhs 2 years ago
PurgePrivateData - Implements the purgePrivateData API in the stub - Note the change to build.gradle to workaround this https://github.com/jeremylong/DependencyCheck/issues/4539 Resolves #335 Signed... — committed to mbwhite/fabric-chaincode-java by mbwhite 2 years ago
Disable dependency check oss index to workarround rate limit issue https://github.com/jeremylong/DependencyCheck/issues/4539#issuecomment-1137183801 — committed to SORMAS-Foundation/SORMAS-Project by MartinWahnschaffe a year ago

Most upvoted comments

Should add that I am using the maven plugin, version 6.5.3.

I have disabled the OSS Index Analyzer for now as a workaround by adding <ossindexAnalyzerEnabled>false</ossindexAnalyzerEnabled> to the plugin configuration my POM.

karstenspang on May 25, 2022

We are in contact with Sonatype regarding this issue. Right now, there are two solutions:

Create an account and configure ODC to authenticate to the OSS Index
Disable the OSS Index Analyzer.

jeremylong on May 25, 2022

@curtisgibson your workaround sounds like a fix for the API rate limit. API doc :

does not mention mandatory authentication

mentions that a “429 Too many requests” HTTP return code would be sent. I suppose we should get it in logs. This is not the case

Did you have the exact same problem in your logs before your fix ?

@curtisgibson is right, seems like sonatype uses a more aggressive rate limit (128). For the first calls you will get NullPointerException and the retries will cause 429. See #4538, where the solution comes from

cheers flash ⚡

flash-me on May 25, 2022

I have found a fix for this.

Steps:

Create an account on OSS Index
Edit you settings.xml file, vi ~/.m2/settings.xml
Add a new <server> item as below:

<server>
   <id>owasp-oss-index</id>
   <username>foo</username>
   <password>bla</password>
</server>

Add a new line within the repo owasp configuration <ossIndexServerId>owasp-oss-index</ossIndexServerId>

curtisgibson on May 25, 2022