Malformed URL (Server Error) when trying to open project details #684

Closed
2 tasks done
purnhar opened this issue Dec 20, 2023 · 10 comments
Labels: defect (Something isn't working), duplicate (This issue or pull request already exists), p2 (Non-critical bugs, and features that help organizations to identify and reduce risk), size/S (Small effort)


purnhar commented Dec 20, 2023

Current Behavior

After updating to dependency track 4.10.1 it is not possible anymore to open the details of a project. A Server Error (500) is shown in this case.

The URL that is requested when pressing the "Show details" link is always https://server/api/v1/project/undefined, which leads to the following exception on the server:

2023-12-20 09:29:59,052 ERROR [GlobalExceptionHandler] Uncaught internal server error
java.lang.IllegalArgumentException: Invalid UUID string: undefined
    at java.base/java.util.UUID.fromString1(Unknown Source)
    at java.base/java.util.UUID.fromString(Unknown Source)
    at alpine.persistence.AbstractAlpineQueryManager.getObjectByUuid(AbstractAlpineQueryManager.java:592)
    at org.dependencytrack.persistence.ProjectQueryManager.getProject(ProjectQueryManager.java:211)
    at org.dependencytrack.persistence.QueryManager.getProject(QueryManager.java:367)
    at org.dependencytrack.resources.v1.ProjectResource.getProject(ProjectResource.java:117)

Steps to Reproduce

  1. Open a project (child project)
  2. Click on the link "View details"

Expected Behavior

The details dialog should be opened without any error message.

Dependency-Track Frontend Version

4.10.0

Browser

Microsoft Edge

Browser Version

120.0.2210.77

Operating System

Windows

Checklist

@purnhar purnhar added the defect and in triage labels Dec 20, 2023
@purnhar purnhar changed the title Malformed URL when trying to open project details Malformed URL (Server Error) when trying to open project details Dec 20, 2023
Contributor

rkg-mm commented Dec 21, 2023

In 4.10.0 I cannot reproduce, however, the Frontend did not change for 4.10.1. Did you update from <4.10.0 to 4.10.1? Could it be there is some caching issue? (Try strg+f5 or clear browser cache). I regularly run into frontend cache issues after doing an upgrade, because the frontend is cached in an older version by the browser and not loading the latest.

Author

purnhar commented Dec 22, 2023

I directly updated to 4.10.1 but STRG+F5 seemed to do the trick for me. It seemed to be a caching issue.

@purnhar purnhar closed this as completed Dec 22, 2023
@roadSurfer

I have just encountered this on v4.10.1 after coming back to DT this morning; everything was fine yesterday.
When trying to view details I would see two 500 errors, both of which ended up with java.lang.IllegalArgumentException: Invalid UUID string: undefined as the cause.
A private tab worked fine when viewing the same information, logging out and back in also seemed to fix it.
Unfortunately I wasn't smart enough to capture traffic when it was failing, so I am not sure which values for what were in error; although I find it odd that frontend cache is triggering the server to execute extra queries for simply viewing details.


roadSurfer commented Mar 29, 2024

It's just happened again, the request is GET https://dependencytrack.domain/api/v1/project/undefined and the dialog does not load. I have no idea where that undefined is coming from because it should be the UUID I can clearly see in the URL. If I edit the request, things work.
In the private tab session which was working a few minutes ago, I now get the error but I at least see the dialog (although I assume this is cached?)
A forced refresh does not clear it, nor does logging out and back in, nor does forcibly purging the browser's cache.

Going to a new project in DT does not show the error in the private tab session, but does in my normal session when looking at the details of the same project.
When navigating about, if the problem isn't instant (as with Chrome and Edge), it will happen after viewing the details of a couple of projects.

The only change I recollect making to the server yesterday was to enable "GitHub Advisories", and I don't see how that could impact things.

In the Console logs the only problems I can see are some requests showing NS_BINDING_ABORTED. For example: GET https://dependencytrack.domain/api/v1/component/project/950e15ff-bd1d-4272-9101-d972714bf9a0?onlyOutdated=false&onlyDirect=false&searchText=&pageSize=10&pageNumber=1

In some cases I can see a subsequent call to the same URL succeed.

Can this issue please be reopened?

Tested clients:

  • GNU/Linux
    • Distro: KDE Neon (Ubuntu 22.04 based)
    • Browser: Firefox 123.0
  • Windows
    • Distro: Windows 10 Enterprise
    • Browser: Firefox 124.0.1, Chrome 123.0.6312.86, Edge 123.0.2420.65


roadSurfer commented Mar 29, 2024

Testing again:

  1. Full browser cache purge
  2. Login (Azure SSO) - OK
  3. Dashboard - OK
  4. Projects - OK
  5. Project 1 overview - OK
  6. Project 1 details - OK
  7. Projects - OK
  8. Project 2 overview - OK
  9. Project 2 details - OK
  10. Projects - OK
  11. Expand parent project - OK
  12. Project 3 (child project) overview - OK
  13. Project 3 details - 500, but the dialog does display
  14. Projects - OK
  15. Project 1 overview - OK
  16. Project 1 details - 500, but the dialog does display

I am not sure if it is something about expanding the parent project, so I tried a different route to get to Project 3:

  1. Full browser cache purge
  2. Login (Azure SSO) - OK
  3. Dashboard - OK
  4. Projects - OK
  5. Search for "Project 3" - OK
  6. Project 3 overview - OK
  7. Project 3 details - 500, no dialog
  8. Projects - OK
  9. Search for "Project 1" - OK
  10. Project 1 overview - OK
  11. Project 1 details - 500, but the dialog does display

Final run:

  1. Full browser cache purge
  2. Paste in link to Project 3 - OK, redirected to login as expected
  3. Login (Azure SSO) - OK, redirected to Project 3 overview as expected
  4. Project 3 details - 500, no dialog

So it looks like there can be something about a particular project that breaks the frontend.

Checking the response payload for GET https://dependencytrack.domain/api/v1/project/950e15ff-bd1d-4272-9101-d972714bf9a0 I can clearly see the UUID is present.


roadSurfer commented Mar 29, 2024

Have just noticed that in Project 3 its parent is missing.
It shows in the hierarchical project list correctly, but "View Details" does not have the Parent listed.
If I set that again in "View Details", the problem no longer occurs.
Even stranger, after Project 3 was correct all the failing projects were corrected.
I re-ran the above tests and the problem no longer occurs.

I have no idea how it got out of sync with itself, but that seems to be the root cause.

Member

nscuro commented Mar 29, 2024

> It's just happened again, the request is GET https://dependencytrack.domain/api/v1/project/undefined and the dialog does not load. I have no idea where that undefined is coming from because it should be the UUID I can clearly see in the URL. If I edit the request, things work.

This suspiciously sounds like a timing issue in the frontend. As in, one Vue component relies on data (i.e. the project UUID) being loaded by its parent component, but the child component is "mounted" before said data is present. Sometimes it works out, sometimes it doesn't, depending on how fast the API server responds, network latency, and how quickly the frontend is loaded.

> In the Console logs the only problems I can see are some requests showing NS_BINDING_ABORTED. For example: GET https://dependencytrack.domain/api/v1/component/project/950e15ff-bd1d-4272-9101-d972714bf9a0?onlyOutdated=false&onlyDirect=false&searchText=&pageSize=10&pageNumber=1

This will be fixed in v4.11:

I'm reopening this as there's clearly something off here.
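
The mount-order race described in the comment above can be replayed deterministically. This is an added illustration, not part of the comment and not code from the Dependency-Track frontend; the function and event names are hypothetical, and the UUID is the one quoted in the thread. It shows how an unguarded URL builder sends `/api/v1/project/undefined` when the child mounts first, and how validating the UUID before building the URL defers the request until the data exists.

```javascript
// Added illustration; function and event names are hypothetical, not Dependency-Track code.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const SAMPLE_UUID = '950e15ff-bd1d-4272-9101-d972714bf9a0'; // UUID quoted in the thread

function isUuid(value) {
  return typeof value === 'string' && UUID_RE.test(value);
}

// Unguarded: a template literal renders a missing property as the text "undefined".
function unguardedUrl(project) {
  return `/api/v1/project/${project.uuid}`;
}

// Guarded: no URL (and so no request) until the value is a well-formed UUID.
function guardedUrl(project) {
  if (!project || !isUuid(project.uuid)) return null;
  return `/api/v1/project/${project.uuid}`;
}

// Replays lifecycle events in the given order and returns the URLs requested.
// 'child-mounted' models the child's mounted hook; 'parent-data' models the
// parent's API response arriving, which re-triggers the child if it has not
// fetched yet (what a watcher on the UUID would do).
function simulate(buildUrl, events) {
  let project = {}; // parent data not loaded yet
  let mounted = false;
  const requests = [];
  const tryFetch = () => {
    const url = buildUrl(project);
    if (url !== null) requests.push(url);
  };
  for (const event of events) {
    if (event === 'child-mounted') {
      mounted = true;
      tryFetch();
    } else if (event === 'parent-data') {
      project = { uuid: SAMPLE_UUID };
      if (mounted && requests.length === 0) tryFetch();
    }
  }
  return requests;
}

const SLOW_API = ['child-mounted', 'parent-data']; // child wins the race
const FAST_API = ['parent-data', 'child-mounted']; // data arrives first

console.log('unguarded, slow API:', simulate(unguardedUrl, SLOW_API));
console.log('guarded, slow API:  ', simulate(guardedUrl, SLOW_API));
```
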

@nscuro nscuro reopened this Mar 29, 2024
@nscuro nscuro added the p2 and size/S labels and removed the in triage label Mar 29, 2024
Member

nscuro commented Mar 29, 2024

Also, an IllegalArgumentException should not result in an HTTP 500 being returned. I'll add appropriate error handling in the API server so it returns an HTTP 400 instead, including the error message.

nscuro added a commit to nscuro/dependency-track that referenced this issue Mar 29, 2024
Many resources accept UUID parameters, but because they use the type `String`, requests with invalid UUIDs are not properly rejected, causing `HTTP 500` responses to be returned.

This commit adds a `@ValidUuid` annotation. It further adds a Jersey `ExceptionMapper` to handle validation exceptions properly.

Additionally, it adds the `format = "uuid"` hint to Swagger annotations, making the API docs less ambiguous as to what format is being expected.

Relates to DependencyTrack/frontend#684

Signed-off-by: nscuro <[email protected]>
Contributor

rkg-mm commented Apr 2, 2024

@nscuro this reminds me of DependencyTrack/dependency-track#4048. Is it the same?

@nscuro nscuro added the duplicate label Aug 10, 2024
Member

nscuro commented Aug 10, 2024

Yeah pretty sure this is a duplicate of DependencyTrack/dependency-track#4048, which has just been fixed and will ship with DT v4.11.6 (which I am in the process of releasing in this very moment).

@nscuro nscuro closed this as not planned Aug 10, 2024