NullPointerException on CPEAnalyzer #3249

Closed
sellersj opened this issue Mar 31, 2021 · 3 comments

@sellersj
Contributor

Describe the bug
There are some dependencies that generate a NullPointerException on CPEAnalyzer.
These happen on dependencies with a date pattern for a version, but not always.

Version of dependency-check used
6.1.4 Maven plugin.
These work for 6.1.1.

Log file
Snippet. I will update the ticket with a failing example.

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (0 seconds)
[WARNING] An unexpected error occurred during analysis of '/Users/sellersj/Downloads/maven-repository/com/google/errorprone/javac-shaded/9-dev-r4023-3/javac-shaded-9-dev-r4023-3.jar' (CPE Analyzer): null
[ERROR] 
java.lang.NullPointerException
	at java.lang.String.endsWith(String.java:1449)
	at org.owasp.dependencycheck.analyzer.CPEAnalyzer.lambda$verifyEntry$6(CPEAnalyzer.java:647)
	at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
	at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1577)
	at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
	at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:499)
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:486)
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
	at java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:230)
	at java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:196)
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.util.stream.ReferencePipeline.anyMatch(ReferencePipeline.java:516)
	at org.owasp.dependencycheck.analyzer.CPEAnalyzer.verifyEntry(CPEAnalyzer.java:648)
	at org.owasp.dependencycheck.analyzer.CPEAnalyzer.determineCPE(CPEAnalyzer.java:293)
	at org.owasp.dependencycheck.analyzer.CPEAnalyzer.analyzeDependency(CPEAnalyzer.java:766)
	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
[WARNING] An unexpected error occurred during analysis of '/Users/sellersj/Downloads/maven-repository/org/apache/geronimo/specs/geronimo-activation_1.0.2_spec/1.1/geronimo-activation_1.0.2_spec-1.1.jar' (CPE Analyzer): null
[ERROR] 
[WARNING] An unexpected error occurred during analysis of '/Users/sellersj/Downloads/maven-repository/com/novell/ldap/jldap/2009-10-07/jldap-2009-10-07.jar' (CPE Analyzer): null
[ERROR] 
java.lang.NullPointerException
	at java.lang.String.endsWith(String.java:1449)
	at org.owasp.dependencycheck.analyzer.CPEAnalyzer.lambda$verifyEntry$6(CPEAnalyzer.java:647)
	at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
	at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1577)
	at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
	at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:499)
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:486)
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
	at java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:230)
	at java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:196)
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.util.stream.ReferencePipeline.anyMatch(ReferencePipeline.java:516)
	at org.owasp.dependencycheck.analyzer.CPEAnalyzer.verifyEntry(CPEAnalyzer.java:648)
	at org.owasp.dependencycheck.analyzer.CPEAnalyzer.determineCPE(CPEAnalyzer.java:293)
	at org.owasp.dependencycheck.analyzer.CPEAnalyzer.analyzeDependency(CPEAnalyzer.java:766)
	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
java.lang.NullPointerException
	at java.lang.String.endsWith(String.java:1449)
	at org.owasp.dependencycheck.analyzer.CPEAnalyzer.lambda$verifyEntry$6(CPEAnalyzer.java:647)
	at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
	at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1577)
	at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
	at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:499)
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:486)
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
	at java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:230)
	at java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:196)
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.util.stream.ReferencePipeline.anyMatch(ReferencePipeline.java:516)
	at org.owasp.dependencycheck.analyzer.CPEAnalyzer.verifyEntry(CPEAnalyzer.java:648)
	at org.owasp.dependencycheck.analyzer.CPEAnalyzer.determineCPE(CPEAnalyzer.java:293)
	at org.owasp.dependencycheck.analyzer.CPEAnalyzer.analyzeDependency(CPEAnalyzer.java:766)
	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)

To Reproduce
Steps to reproduce the behavior:
Run the script with the sample project or just use the dependencies in your own.
There are more dependencies that I found issues with, but not all of them are in maven central so I tried to make it easy to test a base case.

Expected behavior
That the exception will not happen and it will continue to work like version 6.1.1

Additional context
These are all old versions of dependencies.

@sellersj sellersj added the bug label Mar 31, 2021
sellersj added a commit to sellersj/check-owasp-slow that referenced this issue Mar 31, 2021
@sellersj
Contributor Author

Here is a sample pom
https://github.com/sellersj/check-owasp-slow/blob/master/issue3249/pom.xml

Commands in the top level run-test.sh script. Sample log in the root of the project.

@sellersj
Contributor Author

This might be a duplicate of #3246
I'll take a look.

@sellersj
Contributor Author

Issue fixed in 6.1.5, so closing issue.
