Dependencycheck: NullPointerException when writing report

Created on 26 Jul 2018 · 11Comments · Source: jeremylong/DependencyCheck

Please delete any un-needed section from the following issue template:

Reporting Bugs/Errors

We get a NullPointerException when running org.owasp:dependency-check-maven:3.3.0:aggregate
Log
https://gist.github.com/Jidehem/e9b89cb7bd61d2a1973a2f3ec38cb6dc
Log summary
Failed to execute goal org.owasp:dependency-check-maven:3.3.0:aggregate (default-cli) on project shared-parent
[...]
Caused by: java.lang.NullPointerException at org.owasp.dependencycheck.Engine.writeReports(Engine.java:1115) at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck(BaseDependencyCheckMojo.java:1135) at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute(BaseDependencyCheckMojo.java:697) at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)

We have the same issue using version 3.2.1.
Main candidates:

breaking change in newer version
switch to using an oracle database instead of downloading files
Enable artifactory analyser
I'll test with earlier versions and check why it worked before. And test only one of the change above if I am allowed to...

Configuration

Maven plugin configuration can be seen here: https://gist.github.com/Jidehem/e9b89cb7bd61d2a1973a2f3ec38cb6dc#file-maven-properties

StackTrace Analysis

According to code https://github.com/jeremylong/DependencyCheck/blob/master/core/src/main/java/org/owasp/dependencycheck/Engine.java, the "database" field is null.

_Any idea why this field may be null ?_

bug

Source

Jidehem

All 11 comments

Maybe related to #959 ?

Jidehem on 26 Jul 2018

Any chance you could provide the full debug log? My guess is there is an issue connecting to the Oracle database and I've made the error reporting vague enough it is hard to figure out what is going on...

jeremylong on 3 Aug 2018

Your guess is correct: I found an issue in the database configuration and now it's working fine.
The error reporting should indeed be less cryptic. I'll try to provide the debug output when back from holidays if you still need it.

Jidehem on 6 Aug 2018

If you can provide the log - it may help me fix the error reporting.

jeremylong on 7 Aug 2018

Here is one of the debug output that gives the error.
I'm not sure it's the exact same cause, because I don't remember exactly what I fixed. But I remember that it was a missing or misconfigured property used to connect to the DB (I simply removed the connection string to generate the current log).
This should help locate the problem / improve error reporting.

Jidehem on 21 Aug 2018

We have now encountered the same issue on 4.0.2 gradle plugin. We are using local embedded database for the data.

Caused by: java.lang.NullPointerException
        at org.owasp.dependencycheck.Engine.writeReports(Engine.java:1115)
        at org.owasp.dependencycheck.Engine$writeReports$1.call(Unknown Source)
        at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.analyze(AbstractAnalyze.groovy:112)
        at org.gradle.internal.reflect.JavaMethod.invoke(JavaMethod.java:73)
        at org.gradle.api.internal.project.taskfactory.StandardTaskAction.doExecute(StandardTaskAction.java:48)
        at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:41)
        at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:28)
        at org.gradle.api.internal.AbstractTask$TaskActionWrapper.execute(AbstractTask.java:704)
        at org.gradle.api.internal.AbstractTask$TaskActionWrapper.execute(AbstractTask.java:671)
        at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter$2.run(ExecuteActionsTaskExecuter.java:284)
        at org.gradle.internal.operations.DefaultBuildOperationExecutor$RunnableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:301)
        at org.gradle.internal.operations.DefaultBuildOperationExecutor$RunnableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:293)
        at org.gradle.internal.operations.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:175)
        at org.gradle.internal.operations.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:91)

malejpavouk on 13 Feb 2019

😕1 👍1

We generally resolve it by invalidating local data in Gradle cache

malejpavouk on 13 Feb 2019

@malejpavouk - any chance when you've run into this issue you've had the database open via a front-end client (IDE connection to the DB, the h2 command line tool, etc.)? I just ran into a similar error when I had the database open in my IDE as I was querying the data, etc. Then I tried to run ODC and it failed at the write-reports section (and yes - it should fail sooner and the error message should be more helpful).

jeremylong on 13 Feb 2019

@jeremylong Nope, this happened this time to one of my colleague and he was not familiar with inner workings of the plugin.
It also happened once to me and there I am sure that I was not looking to the DB file.

My personal guess (from my experience) is that the file was somehow corrupted when index update took long for whatever reason and I killed the process in the middle.

malejpavouk on 13 Feb 2019

I found the spot where the exception message was being hidden. This will be resolved in the 5.0.0 release.

jeremylong on 15 Feb 2019

👍1

I am also getting the below error:

I am running mvn clean install and it's throwing me the above error.

Please find my mvn and java version below:

Apache Maven 3.6.0 (97c98ec64a1fdfee7767ce5ffb20918da4f719f3; 2018-10-25T00:11:47+05:30)
Maven home: C:\Softwares\apache-maven-3.6.0\bin..
Java version: 11.0.2, vendor: Oracle Corporation, runtime: C:\Program Files\Java\jdk-11.0.2
Default locale: en_US, platform encoding: Cp1252
OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows"