Ran a scan against a React project (Node).
Version used: 5.3.0 (CLI).
Log file:
[WARN] An unexpected error occurred during analysis of 'package.json' (Node.js Package Analyzer): org.glassfish.json.JsonStringImpl cannot be cast to javax.json.JsonObject
[ERROR]
java.lang.ClassCastException: org.glassfish.json.JsonStringImpl cannot be cast to javax.json.JsonObject
at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.processDependencies(NodePackageAnalyzer.java:287)
at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.analyzeDependency(NodePackageAnalyzer.java:262)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Duplicate of #2438.
Also missing key information on the analysis; please use the full bug template.
Can you provide a package.json/package-lock.json that causes this behavior?
I'm unable to reproduce this. I downloaded and unzipped the package.zip and then ran:
npm install --package-lock
dependency-check.sh -s . -o .
No errors occur. I'm using a Mac, and my Java version:
java -version
openjdk version "1.8.0_212"
OpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_212-b03)
OpenJDK 64-Bit Server VM (AdoptOpenJDK)(build 25.212-b03, mixed mode)
We might have a solution to this based on an answer on SO.
When will this fix be released?
Hey @jeremylong, do you have an ETA on Version 5.3.1? Can we support you?
Downgrading to 5.2.2 seems to resolve the problem.
Sorry for the delay - 5.3.1 was released today.
Did the 5.3.1 release fix it for anyone? Because I still seem to get it
@els-hansenj as I've stated above, I'm unable to reproduce this on my machine. Any chance you can provide a new example (package.json, package-lock.json), the version of Java being used, etc.?
Hi Jeremy,
I don't have a package-lock.json; maybe that is part of the problem? It does write this in the log: "No lock file exists - this will result in false negatives; please run npm install --package-lock", but I figured it wasn't that important.
It's running on Jenkins (2.204.5) with the 5.1.1 version of the plugin and the 5.3.0/5.3.1 version of the dependency checker. It works fine with version 5.2.2 as noted earlier.
The JVM version is 1.8.0_211-b12
Let me know if you need more information
/Jacob
I just ran into this issue with our Gradle project.
In one of our packages the build fails because of this error. When I then manually create a package-lock file with the npm install --package-lock-only command and run the dependency-check again, it seems to pass the module and goes on without issue.
The thing is, we do not use npm but rather yarn. Our project generates a yarn.lock file.
npm is doing some great work to get the same advantages as yarn, but for the moment we would still like to use yarn. We might switch back to npm in the future, but I think it's crucial for this module to also start supporting yarn.lock files.
Hi @jeremylong , @Shuyinsama and @els-hansenj ,
I tested version 5.3.1 too and ran into this issue as well.
But with me it's the same as with @Shuyinsama: I use yarn and not npm. And the error is different from the one reported in this ticket. @jeremylong I think this bug is solved.
@Shuyinsama we should open a feature request for supporting yarn.lock. There is a node module which can convert a yarn.lock to a package-lock.json; maybe this can be used.
@sfxn the error in this post is exactly my error, using 5.3.1.
So no, I don't think this should be closed.
As for introducing an extra package: that would be weird. I could just add an extra step in our pipeline that would run npm install --package-lock-only,
but I'd rather prefer this plugin to support yarn.
Hey Patrick, then it was a misunderstanding, as your comment followed Jacob's, who reported a different problem, so I thought you had the same (new) problem as Jacob.
Regarding yarn: there is already an open feature request 1416 for yarn, and yes, I'd be happy too. I'm not that deep into npm and yarn, just supporting my team with the CI servers (Jenkins) and the security checks we usually do for Java projects; we want to adapt it for our Angular project, so I ran into the "java.lang.ClassCastException" while adopting the checks. We had no previous projects using this plugin, so I cannot provide a comparison "it worked with 5.2.2 but not with 5.3.X".
I'm already out of office for today, so I'll check the plugin output tomorrow and will provide further information if I can still reproduce the problem or if I now have a new situation.
With 5.3.0 I got the ClassCastException; with 5.3.1 I ran into the "No lock file exists" message, which sounded like a new/different problem.
Bastian
@sfxn No problem. We also run a multi-module project where we have 5 modules, one of which is an Angular 7 application. This is also the module where this dependency check fails.
5.3.2: same problem.
Any chance someone can provide a re-create? I'm not able to reproduce this error.
@jeremylong I made a sample project which loosely resembles our own project in terms of setup.
I have 2 Gradle modules one is a simple spring boot project generated with https://start.spring.io/
Then I added a second module generated with the ng new command of @angular/cli.
Sample can be found here:
https://github.com/Shuyinsama/dependency-check-node-issue
We use the https://github.com/node-gradle/gradle-node-plugin plugin to download node and yarn locally and use that for installing. We have a yarn.lock and not a package-lock.json.
Basically you can run the following command from the root directory:
./gradlew eDC
or
./gradlew executeDependencyCheck
This will result in the following error:
Verifying dependencies for project dependency-check-node-issue
Checking for updates and analyzing dependencies for vulnerabilities
No lock file exists - this will result in false negatives; please run `npm install --package-lock`
An unexpected error occurred during analysis of '/Users/patrick/IdeaProjects/dependency-check-node-issue/sample-project-angular/package.json' (Node.js Package Analyzer): class org.glassfish.json.JsonStringImpl cannot be cast to class javax.json.JsonObject (org.glassfish.json.JsonStringImpl and javax.json.JsonObject are in unnamed module of loader org.gradle.internal.classloader.VisitableURLClassLoader @1073fe27)
java.lang.ClassCastException: class org.glassfish.json.JsonStringImpl cannot be cast to class javax.json.JsonObject (org.glassfish.json.JsonStringImpl and javax.json.JsonObject are in unnamed module of loader org.gradle.internal.classloader.VisitableURLClassLoader @1073fe27)
at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.processDependencies(NodePackageAnalyzer.java:287)
at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.analyzeDependency(NodePackageAnalyzer.java:262)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Thanks @Shuyinsama
I have the exact same issue. Dropping from 5.3.2 to 5.2.2 resolved it.
@Shuyinsama If I understand correctly, the error comes from the fact that you don't have a package-lock.json?
Maybe an npm-shrinkwrap.json?
In my opinion, your bug is that dependency-check tries to processDependencies but needs to stop before that (if the file doesn't exist), i.e. just skip the node audit. (Or maybe dependency-check supports scanning without any lock file? I didn't dig into the project in the last year.)
And FYI, dependency-check doesn't support yarn.lock for the moment, and some functionalities of yarn can "break" npm (like using an alias).
Maybe someone has a package-lock.json (or npm-shrinkwrap.json) producing this error? So I can try?
@jeremylong I'm here because of your update https://github.com/jeremylong/DependencyCheck/commit/8f1f5663e48d57cb77dd9af722a8ab62f6c808c6
Doing this, sometimes the version will contain quotes ...

In my opinion, if the bug doesn't come from here, it's better to revert to jo.getString("version");.
(I'm actually digging into the NodePackageAnalyzer because of bugs with yarn, npm, aliases, local submodules, generating package-lock.json from yarn.lock .... So I think I can try to handle this, if it is linked with the NodePackageAnalyzer.)
Edit
@Shuyinsama
I tried your project and dependency-check, and the first time it froze (I'm not a Java developer, so I had never run gradle).
Second time:
No lock file exists - this will result in false negatives; please run `npm install --package-lock`
Analyzing `C:\Users\thib3113\repos\dependency-check-node-issue\sample-project-angular\package.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check
So, I ran npm install and restarted gradle:
λ gradlew eDC
> Task :dependencyCheckAggregate
Verifying dependencies for project dependency-check-node-issue
Checking for updates and analyzing dependencies for vulnerabilities
node module fsevents seems optional and not installed, skip it
node module fsevents seems optional and not installed, skip it
node module fsevents seems optional and not installed, skip it
> Task :dependencyCheckAggregate
Generating report for project dependency-check-node-issue
Found 3 vulnerabilities in project dependency-check-node-issue
One or more dependencies were identified with known vulnerabilities in dependency-check-node-issue:
package.json (pkg:npm/[email protected]) : 1179
package.json (pkg:npm/[email protected]) : CVE-2020-7608
package.json (pkg:npm/[email protected]) : CVE-2020-7608
See the dependency-check report for more details.
Deprecated Gradle features were used in this build, making it incompatible with Gradle 7.0.
Use '--warning-mode all' to show the individual deprecation warnings.
See https://docs.gradle.org/6.3/userguide/command_line_interface.html#sec:command_line_warnings
BUILD SUCCESSFUL in 26s
1 actionable task: 1 executed
Same as before, but after removing node_modules/package-lock.json and running yarn:
λ gradlew eDC
> Task :dependencyCheckAggregate
Verifying dependencies for project dependency-check-node-issue
Checking for updates and analyzing dependencies for vulnerabilities
No lock file exists - this will result in false negatives; please run `npm install --package-lock`
An unexpected error occurred during analysis of 'C:\Users\thib3113\repos\dependency-check-node-issue\sample-project-angular\package.json' (Node.js Package Analyzer): class org.glassfish.json.JsonStringImpl cannot be cast to class javax.json.JsonObject (org.glassfish.json.JsonStringImpl and javax.json.JsonObject are in unnamed module of loader org.gradle.internal.classloader.VisitableURLClassLoader @1a4e3310)
java.lang.ClassCastException: class org.glassfish.json.JsonStringImpl cannot be cast to class javax.json.JsonObject (org.glassfish.json.JsonStringImpl and javax.json.JsonObject are in unnamed module of loader org.gradle.internal.classloader.VisitableURLClassLoader @1a4e3310)
at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.processDependencies(NodePackageAnalyzer.java:287)
at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.analyzeDependency(NodePackageAnalyzer.java:262)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:830)
> Task :dependencyCheckAggregate FAILED
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':dependencyCheckAggregate'.
> Analysis failed.
* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.
* Get more help at https://help.gradle.org
Deprecated Gradle features were used in this build, making it incompatible with Gradle 7.0.
Use '--warning-mode all' to show the individual deprecation warnings.
See https://docs.gradle.org/6.3/userguide/command_line_interface.html#sec:command_line_warnings
BUILD FAILED in 6s
1 actionable task: 1 executed
Edit 2
It seems that now dependency-check tries to analyse dependencies without a package-lock.json / npm-shrinkwrap.json ...
But in the package.json, dependencies are like:
{
"braces": "1.8.5",
}
and in lock files:
{
"braces": {
"version": "1.8.5",
"resolved": "http://registry.citopia-dev.lan:4873/braces/-/braces-1.8.5.tgz",
"integrity": "sha1-uneWLhLf+WnWt2cR6RS3N4V79qc=",
"requires": {
"expand-range": "1.8.2",
"preserve": "0.2.0",
"repeat-element": "1.1.3"
}
}
}
The error just says that "1.8.5" can't be converted to a JSON object.
I think I found how to fix the error. I've done a pull request just to illustrate; feel free to build and test it :) . (I don't know how to build it completely; it seems I need Go and .NET, and maybe more, and I don't know how to "fake" the tool in gradle.)
My PR is maybe not perfect, I just used what I found on Google :/ and debugged manually. Feel free to improve it :) .
I use pnpm instead of npm, and I have pnpm-lock.yaml committed instead of package-lock.json.. Running into the same issue.
Only package-lock.json or npm-shrinkwrap.json is read. Otherwise it uses the package.json.
Thanks, I did a workaround by separating the OWASP dependency check from normal application build (which uses pnpm) and running npm install --package-lock --production specifically for the dep check step.
Hey, is there an estimated release date for 6.0.0? Apparently 5.4.0 was renamed to 6.0.0, right?
Sorry about the delay in getting 6.0.0 released. There are still two breaking changes that I need to get implemented. Unfortunately, a different project is taking a bit longer than expected. I hope to be back to this shortly and finish the two breaking changes so we can get this patch released.
I get this error on a Java project. Weird. Part of the error:
Checking for updates and analyzing dependencies for vulnerabilities
No lock file exists - this will result in false negatives; please run `npm install --package-lock`
An unexpected error occurred during analysis of '/var/folders/fg/55xcrj215gs2n9gnpz4077y40000gq/T/dctemp8b096f47-b387-4847-96b1-aacc7ad56355/check5333087062372066136tmp/91/package/package.json' (Node.js Package Analyzer): class org.glassfish.json.JsonStringImpl cannot be cast to class javax.json.JsonObject (org.glassfish.json.JsonStringImpl and javax.json.JsonObject are in unnamed module of loader org.gradle.internal.classloader.VisitableURLClassLoader @36f4dc9e)
java.lang.ClassCastException: class org.glassfish.json.JsonStringImpl cannot be cast to class javax.json.JsonObject (org.glassfish.json.JsonStringImpl and javax.json.JsonObject are in unnamed module of loader org.gradle.internal.classloader.VisitableURLClassLoader @36f4dc9e)
at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.processDependencies(NodePackageAnalyzer.java:287)
at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.analyzeDependency(NodePackageAnalyzer.java:262)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at java.base/java.lang.Thread.run(Thread.java:832)
> Task :dependencyCheckAnalyze FAILED
FAILURE: Build failed with an exception.
Gotta dig in. Maybe disable the Node analyzer.