Consider a Maven multi-module project: a parent with jar & war modules, the war using the jar (like hierarchical-cross-deps.zip.txt, to rename to zip, won't be uploaded).
On the command:
mvn install org.owasp:dependency-check-maven:1.4.4:check -e
The plugin crashes with:
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:1.4.4:check (default-cli) on project XXX: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during dependency-check analysis
[ERROR] null
[ERROR] null
[ERROR] -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.owasp:dependency-check-maven:1.4.4:check (default-cli) on project XXX: One or more exceptions occurred during dependency-check analysis
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:212)
[...]
at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: org.apache.maven.plugin.MojoExecutionException: One or more exceptions occurred during dependency-check analysis
at org.owasp.dependencycheck.maven.CheckMojo.runCheck(CheckMojo.java:119)
at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute(BaseDependencyCheckMojo.java:465)
[...]
... 20 more
Caused by: org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during dependency-check analysis
null
null
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:543)
at org.owasp.dependencycheck.maven.MavenEngine.analyzeDependencies(MavenEngine.java:95)
at org.owasp.dependencycheck.maven.CheckMojo.runCheck(CheckMojo.java:96)
... 23 more
The problem occurs only on parent, with version 1.4.4 (works fine with previous versions).
The root cause seems to be:
[WARNING] An unexpected error occurred during analysis of 'C:\[someWhere]\hierarchical-cross-deps\module-java\target\module-java-1.0.0-SNAPSHOT.jar' (CPE Analyzer): null
[WARNING] An unexpected error occurred during analysis of 'C:\[mavenRepo]\log4j\log4j\1.2.17\log4j-1.2.17.jar' (CPE Analyzer): null
In the second module (_module-web_ in test project), the CpeMemoryIndex is null (in CPEAnalyzer).
Title & content renamed; after analysis, the root cause doesn't come from cross-dependencies.
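Added example, not part of the original thread or of dependency-check itself: a small Python log check that extracts the `An unexpected error occurred during analysis of '<path>' (<name> Analyzer)` warnings quoted above and reports which artifacts an analyzer failed on, so a CI job can flag them for re-scanning once the plugin is fixed. The function names and the sample log are constructed for this example, and the message format is assumed to match the lines shown in this issue.

```python
import re
import sys
from collections import defaultdict

# Warning format quoted in this issue:
#   [WARNING] An unexpected error occurred during analysis of '<path>' (<Name> Analyzer): <message>
# The leading '[' is optional because one trace pasted in this thread lacks it.
WARNING_RE = re.compile(
    r"^\[?WARNING\]\s+An unexpected error occurred during analysis of "
    r"'(?P<path>.+)' \((?P<analyzer>[^()]+)\): (?P<message>.*)$"
)

# Constructed sample log, built from the warning lines quoted in this issue.
# The log4j line appears twice, as it would when two modules share a dependency.
SAMPLE_LOG = r"""
[INFO] Checking for updates
[WARNING] An unexpected error occurred during analysis of 'C:\[mavenRepo]\log4j\log4j\1.2.17\log4j-1.2.17.jar' (CPE Analyzer): null
WARNING] An unexpected error occurred during analysis of '/Users/anthony/.m2/repository/ch/qos/logback/logback-core/1.1.7/logback-core-1.1.7.jar' (CPE Analyzer): null
[WARNING] An unexpected error occurred during analysis of 'C:\[mavenRepo]\log4j\log4j\1.2.17\log4j-1.2.17.jar' (CPE Analyzer): null
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:1.4.4:check (default-cli) on project XXX
"""


def failed_analyses(log_text):
    """Return {analyzer name: sorted list of artifact file names it failed on}."""
    failures = defaultdict(set)
    for line in log_text.splitlines():
        match = WARNING_RE.match(line.strip())
        if match:
            # Keep only the file name; the path may use either separator.
            artifact = re.split(r"[\\/]", match.group("path"))[-1]
            failures[match.group("analyzer")].add(artifact)
    return {name: sorted(files) for name, files in failures.items()}


def gate(log_text):
    """Exit code for CI: 1 if any analyzer failed on an artifact, else 0."""
    return 1 if failed_analyses(log_text) else 0


if __name__ == "__main__":
    # Pipe a real build log on stdin, or run without input to use the sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for analyzer, artifacts in failed_analyses(text).items():
        for artifact in artifacts:
            print(f"{analyzer}: not analyzed: {artifact}")
    sys.exit(gate(text))
```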
I can confirm this issue. I see the same error messages when using dependency-check maven plugin 1.4.4 in a multi-module project. (I've also tested and reproduced the issue by using the dependency-check project itself as a sample project).
I don't see any error messages when going back to 1.4.3, so looks like something introduced recently.
@hansjoachim: So please "+1" on #624 😃 (to promote the merge)
I am also experiencing this issue after upgrading from 1.4.3 to 1.4.4. A relevant stack trace is:
WARNING] An unexpected error occurred during analysis of '/Users/anthony/.m2/repository/ch/qos/logback/logback-core/1.1.7/logback-core-1.1.7.jar' (CPE Analyzer): null
[DEBUG]
java.lang.NullPointerException
at org.owasp.dependencycheck.analyzer.CPEAnalyzer.searchCPE(CPEAnalyzer.java:295)
at org.owasp.dependencycheck.analyzer.CPEAnalyzer.determineCPE(CPEAnalyzer.java:213)
at org.owasp.dependencycheck.analyzer.CPEAnalyzer.analyze(CPEAnalyzer.java:520)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:90)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Pretty sure I know where the problem is, I just haven't had time to fix/test it. Just removing the MavenEngine should solve the problem and the reason it was created was solved in other ways (so it is no longer needed).
Jeremy
On Dec 1, 2016 2:58 AM, "Anthony Whitford" notifications@github.com wrote:
For the code:
for (ScoreDoc d : docs.scoreDocs) {
Does one need to null check the scoreDocs?
@jeremylong : Please consider my PR #624, this is a quick fix (always using MavenEngine), with some integration tests to validate it 😄. (And I promote #621 ^^).
I just released the Maven plugin version 1.4.4.1 to resolve this issue.
Thank you!
Hi Jeremy,
I have used the suggested maven plugin 1.4.4.1, I'm getting a similar exception as below. Could you please help on this?
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.owasp:dependency-check-maven:1.4.4.1:check (default) on project One or more exceptions occurred during dependency-check analysis
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:212)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:193)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:106)
at org.apache.maven.cli.MavenCli.execute(MavenCli.java:863)
at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:288)
at org.apache.maven.cli.MavenCli.main(MavenCli.java:199)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: org.apache.maven.plugin.MojoExecutionException: One or more exceptions occurred during dependency-check analysis
at org.owasp.dependencycheck.maven.CheckMojo.runCheck(CheckMojo.java:120)
at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute(BaseDependencyCheckMojo.java:466)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:207)
... 20 more
Caused by: org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during analysis:
at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.collectDependencies(BaseDependencyCheckMojo.java:688)
at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.scanArtifacts(BaseDependencyCheckMojo.java:633)
at org.owasp.dependencycheck.maven.CheckMojo.runCheck(CheckMojo.java:92)
... 23 more
Regards,
Prakhash.
@Prakhash Unfortunately, I'll need more information than this single log entry. Try running dependency-check with mvn -X verify. Please post the other dependency-check error messages. Also, I'd suggest posting this in a new/non-closed issue; otherwise you may not get a response.
Hi jeremylong,
Will create a new thread
Thanks
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.