Hello everyone,
I'm using gradle plugin org.owasp:dependency-check-gradle:6.1.5
and since 23:30 CEST I always get this NPE. An hour before, with the same version, it was all good.
I didn't cut the long stacktrace, hope you don't mind,
and I hope it helps you.
EDIT: Sometimes it needs a little bit more time for "Checking for updates and analyzing dependencies for vulnerabilities"
but the rest is all the same
[...]
00:13:24 Verifying dependencies for project briefankündigung verwaltung
00:13:24 Checking for updates and analyzing dependencies for vulnerabilities
00:13:36 The execution of the download was interrupted
00:13:36 org.owasp.dependencycheck.data.update.exception.UpdateException: The execution of the download was interrupted
[...]
EDIT2: "./gradlew dependencyCheckPurge" did not help in this matter. I get the same result.
Wish you all the best
Mark Senne
23:45:03 + ./gradlew dependencyCheckAnalyze
23:45:04 To honour the JVM settings for this build a single-use Daemon process will be forked. See https://docs.gradle.org/6.8.3/userguide/gradle_daemon.html#sec:disabling_the_daemon.
23:45:05 Daemon will be stopped at the end of the build
23:45:11
23:45:11 > Task :dependencyCheckAnalyze
23:45:11 Verifying dependencies for project briefankündigung verwaltung
23:45:11 Checking for updates and analyzing dependencies for vulnerabilities
23:45:13 The execution of the download was interrupted
23:45:13 org.owasp.dependencycheck.data.update.exception.UpdateException: The execution of the download was interrupted
23:45:13 at org.owasp.dependencycheck.data.update.NvdCveUpdater.performUpdate(NvdCveUpdater.java:317)
23:45:13 at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:125)
23:45:13 at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:860)
23:45:13 at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:667)
23:45:13 at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:593)
23:45:13 at org.owasp.dependencycheck.Engine$analyzeDependencies$0.call(Unknown Source)
23:45:13 at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47)
23:45:13 at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:115)
23:45:13 at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:119)
23:45:13 at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.analyze(AbstractAnalyze.groovy:90)
23:45:13 at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
23:45:13 at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
23:45:13 at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
23:45:13 at java.base/java.lang.reflect.Method.invoke(Method.java:566)
23:45:13 at org.gradle.internal.reflect.JavaMethod.invoke(JavaMethod.java:104)
23:45:13 at org.gradle.api.internal.project.taskfactory.StandardTaskAction.doExecute(StandardTaskAction.java:58)
23:45:13 at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:51)
23:45:13 at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:29)
23:45:13 at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter$2.run(ExecuteActionsTaskExecuter.java:494)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:29)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:26)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationRunner$3.execute(DefaultBuildOperationRunner.java:75)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationRunner$3.execute(DefaultBuildOperationRunner.java:68)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:153)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:68)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationRunner.run(DefaultBuildOperationRunner.java:56)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationExecutor.lambda$run$1(DefaultBuildOperationExecutor.java:71)
23:45:13 at org.gradle.internal.operations.UnmanagedBuildOperationWrapper.runWithUnmanagedSupport(UnmanagedBuildOperationWrapper.java:45)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:71)
23:45:13 at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeAction(ExecuteActionsTaskExecuter.java:479)
23:45:13 at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeActions(ExecuteActionsTaskExecuter.java:462)
23:45:13 at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.access$400(ExecuteActionsTaskExecuter.java:105)
23:45:13 at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter$TaskExecution.executeWithPreviousOutputFiles(ExecuteActionsTaskExecuter.java:273)
23:45:13 at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter$TaskExecution.execute(ExecuteActionsTaskExecuter.java:251)
23:45:13 at org.gradle.internal.execution.steps.ExecuteStep.lambda$executeOperation$1(ExecuteStep.java:66)
23:45:13 at java.base/java.util.Optional.orElseGet(Optional.java:369)
23:45:13 at org.gradle.internal.execution.steps.ExecuteStep.executeOperation(ExecuteStep.java:66)
23:45:13 at org.gradle.internal.execution.steps.ExecuteStep.access$000(ExecuteStep.java:34)
23:45:13 at org.gradle.internal.execution.steps.ExecuteStep$1.call(ExecuteStep.java:47)
23:45:13 at org.gradle.internal.execution.steps.ExecuteStep$1.call(ExecuteStep.java:44)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:200)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:195)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationRunner$3.execute(DefaultBuildOperationRunner.java:75)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationRunner$3.execute(DefaultBuildOperationRunner.java:68)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:153)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:68)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationRunner.call(DefaultBuildOperationRunner.java:62)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationExecutor.lambda$call$2(DefaultBuildOperationExecutor.java:76)
23:45:13 at org.gradle.internal.operations.UnmanagedBuildOperationWrapper.callWithUnmanagedSupport(UnmanagedBuildOperationWrapper.java:54)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationExecutor.call(DefaultBuildOperationExecutor.java:76)
23:45:13 at org.gradle.internal.execution.steps.ExecuteStep.execute(ExecuteStep.java:44)
23:45:13 at org.gradle.internal.execution.steps.ExecuteStep.execute(ExecuteStep.java:34)
23:45:13 at org.gradle.internal.execution.steps.RemovePreviousOutputsStep.execute(RemovePreviousOutputsStep.java:72)
23:45:13 at org.gradle.internal.execution.steps.RemovePreviousOutputsStep.execute(RemovePreviousOutputsStep.java:42)
23:45:13 at org.gradle.internal.execution.steps.ResolveInputChangesStep.execute(ResolveInputChangesStep.java:53)
23:45:13 at org.gradle.internal.execution.steps.ResolveInputChangesStep.execute(ResolveInputChangesStep.java:39)
23:45:13 at org.gradle.internal.execution.steps.CancelExecutionStep.execute(CancelExecutionStep.java:44)
23:45:13 at org.gradle.internal.execution.steps.TimeoutStep.executeWithoutTimeout(TimeoutStep.java:77)
23:45:13 at org.gradle.internal.execution.steps.TimeoutStep.execute(TimeoutStep.java:58)
23:45:13 at org.gradle.internal.execution.steps.CreateOutputsStep.execute(CreateOutputsStep.java:54)
23:45:13 at org.gradle.internal.execution.steps.CreateOutputsStep.execute(CreateOutputsStep.java:32)
23:45:13 at org.gradle.internal.execution.steps.CaptureStateAfterExecutionStep.execute(CaptureStateAfterExecutionStep.java:57)
23:45:13 at org.gradle.internal.execution.steps.CaptureStateAfterExecutionStep.execute(CaptureStateAfterExecutionStep.java:38)
23:45:13 at org.gradle.internal.execution.steps.BroadcastChangingOutputsStep.execute(BroadcastChangingOutputsStep.java:63)
23:45:13 at org.gradle.internal.execution.steps.BroadcastChangingOutputsStep.execute(BroadcastChangingOutputsStep.java:30)
23:45:13 at org.gradle.internal.execution.steps.BuildCacheStep.executeWithoutCache(BuildCacheStep.java:176)
23:45:13 at org.gradle.internal.execution.steps.BuildCacheStep.execute(BuildCacheStep.java:76)
23:45:13 at org.gradle.internal.execution.steps.BuildCacheStep.execute(BuildCacheStep.java:47)
23:45:13 at org.gradle.internal.execution.steps.StoreExecutionStateStep.execute(StoreExecutionStateStep.java:43)
23:45:13 at org.gradle.internal.execution.steps.StoreExecutionStateStep.execute(StoreExecutionStateStep.java:32)
23:45:13 at org.gradle.internal.execution.steps.RecordOutputsStep.execute(RecordOutputsStep.java:39)
23:45:13 at org.gradle.internal.execution.steps.RecordOutputsStep.execute(RecordOutputsStep.java:25)
23:45:13 at org.gradle.internal.execution.steps.SkipUpToDateStep.executeBecause(SkipUpToDateStep.java:102)
23:45:13 at org.gradle.internal.execution.steps.SkipUpToDateStep.lambda$execute$0(SkipUpToDateStep.java:95)
23:45:13 at java.base/java.util.Optional.map(Optional.java:265)
23:45:13 at org.gradle.internal.execution.steps.SkipUpToDateStep.execute(SkipUpToDateStep.java:55)
23:45:13 at org.gradle.internal.execution.steps.SkipUpToDateStep.execute(SkipUpToDateStep.java:39)
23:45:13 at org.gradle.internal.execution.steps.ResolveChangesStep.execute(ResolveChangesStep.java:83)
23:45:13 at org.gradle.internal.execution.steps.ResolveChangesStep.execute(ResolveChangesStep.java:44)
23:45:13 at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsFinishedStep.execute(MarkSnapshottingInputsFinishedStep.java:37)
23:45:13 at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsFinishedStep.execute(MarkSnapshottingInputsFinishedStep.java:27)
23:45:13 at org.gradle.internal.execution.steps.ResolveCachingStateStep.execute(ResolveCachingStateStep.java:96)
23:45:13 at org.gradle.internal.execution.steps.ResolveCachingStateStep.execute(ResolveCachingStateStep.java:52)
23:45:13 at org.gradle.internal.execution.steps.CaptureStateBeforeExecutionStep.execute(CaptureStateBeforeExecutionStep.java:83)
23:45:13 at org.gradle.internal.execution.steps.CaptureStateBeforeExecutionStep.execute(CaptureStateBeforeExecutionStep.java:54)
23:45:13 at org.gradle.internal.execution.steps.ValidateStep.execute(ValidateStep.java:74)
23:45:13 at org.gradle.internal.execution.steps.SkipEmptyWorkStep.lambda$execute$2(SkipEmptyWorkStep.java:88)
23:45:13 at java.base/java.util.Optional.orElseGet(Optional.java:369)
23:45:13 at org.gradle.internal.execution.steps.SkipEmptyWorkStep.execute(SkipEmptyWorkStep.java:88)
23:45:13 at org.gradle.internal.execution.steps.SkipEmptyWorkStep.execute(SkipEmptyWorkStep.java:34)
23:45:13 at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsStartedStep.execute(MarkSnapshottingInputsStartedStep.java:38)
23:45:13 at org.gradle.internal.execution.steps.LoadExecutionStateStep.execute(LoadExecutionStateStep.java:46)
23:45:13 at org.gradle.internal.execution.steps.LoadExecutionStateStep.execute(LoadExecutionStateStep.java:34)
23:45:13 at org.gradle.internal.execution.steps.AssignWorkspaceStep.lambda$execute$0(AssignWorkspaceStep.java:43)
23:45:13 at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter$TaskExecution$3.withWorkspace(ExecuteActionsTaskExecuter.java:286)
23:45:13 at org.gradle.internal.execution.steps.AssignWorkspaceStep.execute(AssignWorkspaceStep.java:43)
23:45:13 at org.gradle.internal.execution.steps.AssignWorkspaceStep.execute(AssignWorkspaceStep.java:33)
23:45:13 at org.gradle.internal.execution.steps.IdentityCacheStep.execute(IdentityCacheStep.java:40)
23:45:13 at org.gradle.internal.execution.steps.IdentityCacheStep.execute(IdentityCacheStep.java:30)
23:45:13 at org.gradle.internal.execution.steps.IdentifyStep.execute(IdentifyStep.java:54)
23:45:13 at org.gradle.internal.execution.steps.IdentifyStep.execute(IdentifyStep.java:40)
23:45:13 at org.gradle.internal.execution.impl.DefaultExecutionEngine.rebuild(DefaultExecutionEngine.java:46)
23:45:13 at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.lambda$executeIfValid$0(ExecuteActionsTaskExecuter.java:182)
23:45:13 at java.base/java.util.Optional.map(Optional.java:265)
23:45:13 at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeIfValid(ExecuteActionsTaskExecuter.java:182)
23:45:13 at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.execute(ExecuteActionsTaskExecuter.java:173)
23:45:13 at org.gradle.api.internal.tasks.execution.CleanupStaleOutputsExecuter.execute(CleanupStaleOutputsExecuter.java:109)
23:45:13 at org.gradle.api.internal.tasks.execution.FinalizePropertiesTaskExecuter.execute(FinalizePropertiesTaskExecuter.java:46)
23:45:13 at org.gradle.api.internal.tasks.execution.ResolveTaskExecutionModeExecuter.execute(ResolveTaskExecutionModeExecuter.java:62)
23:45:13 at org.gradle.api.internal.tasks.execution.SkipTaskWithNoActionsExecuter.execute(SkipTaskWithNoActionsExecuter.java:57)
23:45:13 at org.gradle.api.internal.tasks.execution.SkipOnlyIfTaskExecuter.execute(SkipOnlyIfTaskExecuter.java:56)
23:45:13 at org.gradle.api.internal.tasks.execution.CatchExceptionTaskExecuter.execute(CatchExceptionTaskExecuter.java:36)
23:45:13 at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.executeTask(EventFiringTaskExecuter.java:77)
23:45:13 at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.call(EventFiringTaskExecuter.java:55)
23:45:13 at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.call(EventFiringTaskExecuter.java:52)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:200)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:195)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationRunner$3.execute(DefaultBuildOperationRunner.java:75)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationRunner$3.execute(DefaultBuildOperationRunner.java:68)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:153)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:68)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationRunner.call(DefaultBuildOperationRunner.java:62)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationExecutor.lambda$call$2(DefaultBuildOperationExecutor.java:76)
23:45:13 at org.gradle.internal.operations.UnmanagedBuildOperationWrapper.callWithUnmanagedSupport(UnmanagedBuildOperationWrapper.java:54)
23:45:13 at org.gradle.internal.operations.DefaultBuildOperationExecutor.call(DefaultBuildOperationExecutor.java:76)
23:45:13 at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter.execute(EventFiringTaskExecuter.java:52)
23:45:13 at org.gradle.execution.plan.LocalTaskNodeExecutor.execute(LocalTaskNodeExecutor.java:41)
23:45:13 at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$InvokeNodeExecutorsAction.execute(DefaultTaskExecutionGraph.java:411)
23:45:13 at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$InvokeNodeExecutorsAction.execute(DefaultTaskExecutionGraph.java:398)
23:45:13 at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.execute(DefaultTaskExecutionGraph.java:391)
23:45:13 at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.execute(DefaultTaskExecutionGraph.java:377)
23:45:13 at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.lambda$run$0(DefaultPlanExecutor.java:127)
23:45:13 at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.execute(DefaultPlanExecutor.java:191)
23:45:13 at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.executeNextNode(DefaultPlanExecutor.java:182)
23:45:13 at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.run(DefaultPlanExecutor.java:124)
23:45:13 at org.gradle.internal.concurrent.ExecutorPolicy$CatchAndRecordFailures.onExecute(ExecutorPolicy.java:64)
23:45:13 at org.gradle.internal.concurrent.ManagedExecutorImpl$1.run(ManagedExecutorImpl.java:48)
23:45:13 at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
23:45:13 at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
23:45:13 at org.gradle.internal.concurrent.ThreadFactoryImpl$ManagedThreadRunnable.run(ThreadFactoryImpl.java:56)
23:45:13 at java.base/java.lang.Thread.run(Thread.java:834)
23:45:13 Caused by: java.util.concurrent.ExecutionException: java.lang.NullPointerException
23:45:13 at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
23:45:13 at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
23:45:13 at org.owasp.dependencycheck.data.update.NvdCveUpdater.performUpdate(NvdCveUpdater.java:307)
23:45:13 ... 140 more
23:45:13 Caused by: java.lang.NullPointerException
23:45:13 at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerabilityInsertReferences(CveDB.java:1173)
23:45:13 at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability(CveDB.java:859)
23:45:13 at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.parse(NvdCveParser.java:97)
23:45:13 at org.owasp.dependencycheck.data.update.nvd.ProcessTask.importJSON(ProcessTask.java:139)
23:45:13 at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:152)
23:45:13 at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:113)
23:45:13 at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:40)
23:45:13 at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
23:45:13 at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
23:45:13 at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
23:45:13 ... 1 more
23:45:13 Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
23:45:13 Unable to continue dependency-check analysis.
23:45:14
23:45:14 > Task :dependencyCheckAnalyze FAILED
I just ran into the same issue with version 5.2.4. Info level logging in gradle reveals the CPE that caused the problem.
Download Complete for NVD CVE - 2020 (2172 ms)
Processing Started for NVD CVE - 2020
> Task :dependencyCheckAnalyze
org.owasp.dependencycheck.data.nvdcve.DatabaseException: Unable to parse CPE: cpe:2.3:a:codeblocks:code::blocks:17.12:*:*:*:*:*:*:*
org.owasp.dependencycheck.data.update.exception.UpdateException: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Unable to parse CPE: cpe:2.3:a:codeblocks:code::blocks:17.12:*:*:*:*:*:*:*
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:156)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:113)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:40)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Unable to parse CPE: cpe:2.3:a:codeblocks:code::blocks:17.12:*:*:*:*:*:*:*
at org.owasp.dependencycheck.data.nvdcve.CveDB.parseCpe(CveDB.java:1437)
at org.owasp.dependencycheck.data.nvdcve.CveDB.lambda$parseCpes$5(CveDB.java:1394)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1541)
at org.owasp.dependencycheck.data.nvdcve.CveDB.parseCpes(CveDB.java:1393)
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability(CveDB.java:953)
at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.parse(NvdCveParser.java:99)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.importJSON(ProcessTask.java:139)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:152)
... 6 more
Caused by: us.springett.parsers.cpe.exceptions.CpeParsingException: Invalid CPE (too many components): cpe:2.3:a:codeblocks:code::blocks:17.12:*:*:*:*:*:*:*
at us.springett.parsers.cpe.CpeParser.parse23(CpeParser.java:225)
at us.springett.parsers.cpe.CpeParser.parse(CpeParser.java:77)
at org.owasp.dependencycheck.data.nvdcve.CveDB.parseCpe(CveDB.java:1427)
... 13 more
A new version of dependency-check is available. Consider updating to version 6.1.5.
Same with 6.1.5 command line, it appears to be an issue with the NVD files. This is the same issue from https://github.com/jeremylong/DependencyCheck/issues/3306
I confirm @AlexUmrysh's finding, and I have a workaround. Point to this mirror like this:
<configuration>
<cveUrlModified>https://freedumbytes.gitlab.io/setup/nist-nvd-mirror/nvdcve-1.1-modified.json.gz</cveUrlModified>
<cveUrlBase>https://freedumbytes.gitlab.io/setup/nist-nvd-mirror/nvdcve-1.1-%d.json.gz</cveUrlBase>
</configuration>
A colleague helped me diff the files and found this example of a change:
NIST NVD (live as of now):
➜ ~ curl --silent https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2008.json.gz | gunzip | grep -r -F "cpe:2.3:a:perl:file"
(standard input): "cpe23Uri" : "cpe:2.3:a:perl:file::path:1.08:*:*:*:*:*:*:*",
(standard input): "cpe23Uri" : "cpe:2.3:a:perl:file::path:2.07:*:*:*:*:*:*:*",
(standard input): "cpe23Uri" : "cpe:2.3:a:perl:file::path:1.08:*:*:*:*:*:*:*",
The above 3P mirror (last updated 2-22 according to the META files) (note the \\'s):
➜ ~ curl --silent https://freedumbytes.gitlab.io/setup/nist-nvd-mirror/nvdcve-1.1-2008.json.gz | gunzip | grep -r -F "cpe:2.3:a:perl:file"
(standard input): "cpe23Uri" : "cpe:2.3:a:perl:file\\:\\:path:1.08:*:*:*:*:*:*:*"
(standard input): "cpe23Uri" : "cpe:2.3:a:perl:file\\:\\:path:2.07:*:*:*:*:*:*:*"
(standard input): "cpe23Uri" : "cpe:2.3:a:perl:file\\:\\:path:1.08:*:*:*:*:*:*:*"
I'm not sure if there are other types of changes.
Another "too many components" stacktrace, for CPE cpe:2.3:a:cgiirc:cgi:irc:0.5.7:*:*:*:*:*:*:*:
org.owasp.dependencycheck.data.nvdcve.DatabaseException: Unable to parse CPE: cpe:2.3:a:cgiirc:cgi:irc:0.5.7:*:*:*:*:*:*:*
org.owasp.dependencycheck.data.update.exception.UpdateException: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Unable to parse CPE: cpe:2.3:a:cgiirc:cgi:irc:0.5.7:*:*:*:*:*:*:*
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:156)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:113)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:40)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:749)
Caused by: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Unable to parse CPE: cpe:2.3:a:cgiirc:cgi:irc:0.5.7:*:*:*:*:*:*:*
at org.owasp.dependencycheck.data.nvdcve.CveDB.parseCpe(CveDB.java:1341)
at org.owasp.dependencycheck.data.nvdcve.CveDB.lambda$parseCpes$3(CveDB.java:1298)
at java.util.ArrayList.forEach(ArrayList.java:1259)
at org.owasp.dependencycheck.data.nvdcve.CveDB.parseCpes(CveDB.java:1297)
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability(CveDB.java:880)
at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.parse(NvdCveParser.java:99)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.importJSON(ProcessTask.java:139)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:152)
... 6 more
Caused by: us.springett.parsers.cpe.exceptions.CpeParsingException: Invalid CPE (too many components): cpe:2.3:a:cgiirc:cgi:irc:0.5.7:*:*:*:*:*:*:*
at us.springett.parsers.cpe.CpeParser.parse23(CpeParser.java:225)
at us.springett.parsers.cpe.CpeParser.parse(CpeParser.java:77)
at org.owasp.dependencycheck.data.nvdcve.CveDB.parseCpe(CveDB.java:1331)
... 13 more
Seems to be in the 2011 file (new since https://freedumbytes.gitlab.io was last updated on 2-22):
➜ ~ curl --silent https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2011.json.gz | gunzip | grep -r -F "cpe:2.3:a:cgiirc:cgi:irc:0.5.7"
(standard input): "cpe23Uri" : "cpe:2.3:a:cgiirc:cgi:irc:0.5.7:*:*:*:*:*:*:*",
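A check along the lines of the grep commands above, as an added example (not part of the original thread and not dependency-check's own code): it splits every `cpe23Uri` value on unescaped colons and reports those that do not have the 13 components of a CPE 2.3 formatted string. The JSON fragment is constructed from the CPE strings quoted in this thread, and all function names are hypothetical.

```python
import gzip
import json
import sys

# "cpe", "2.3", then 11 attributes: part, vendor, product, version, update,
# edition, language, sw_edition, target_sw, target_hw, other.
CPE23_COMPONENTS = 13

# Constructed sample: a cut-down feed fragment holding the CPE strings quoted
# in this thread, plus the backslash-escaped form seen in the older mirror.
SAMPLE_FEED = r'''
{"CVE_Items": [{"configurations": {"nodes": [{"cpe_match": [
  {"cpe23Uri": "cpe:2.3:a:codeblocks:code::blocks:17.12:*:*:*:*:*:*:*"},
  {"cpe23Uri": "cpe:2.3:a:perl:file::path:1.08:*:*:*:*:*:*:*"},
  {"cpe23Uri": "cpe:2.3:a:cgiirc:cgi:irc:0.5.7:*:*:*:*:*:*:*"},
  {"cpe23Uri": "cpe:2.3:a:perl:file\\:\\:path:1.08:*:*:*:*:*:*:*"}
]}]}}]}
'''


def split_cpe23(uri):
    """Split a CPE 2.3 formatted string on colons that are not backslash-escaped."""
    parts, current, i = [], [], 0
    while i < len(uri):
        ch = uri[i]
        if ch == "\\" and i + 1 < len(uri):
            # Keep the escape pair together so "\:" never acts as a separator.
            current.append(uri[i:i + 2])
            i += 2
            continue
        if ch == ":":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def check_cpe23(uri):
    """Return None for a well-formed component count, else a short reason."""
    parts = split_cpe23(uri)
    if parts[:2] != ["cpe", "2.3"]:
        return "not a CPE 2.3 formatted string"
    if len(parts) > CPE23_COMPONENTS:
        return f"too many components ({len(parts)}, expected {CPE23_COMPONENTS})"
    if len(parts) < CPE23_COMPONENTS:
        return f"too few components ({len(parts)}, expected {CPE23_COMPONENTS})"
    return None


def iter_cpe23_uris(node):
    """Yield every "cpe23Uri" string anywhere in a decoded JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "cpe23Uri" and isinstance(value, str):
                yield value
            else:
                yield from iter_cpe23_uris(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_cpe23_uris(item)


def find_malformed(feed):
    """Map each distinct malformed cpe23Uri in the feed to the reason it fails."""
    findings = {}
    for uri in iter_cpe23_uris(feed):
        reason = check_cpe23(uri)
        if reason is not None:
            findings.setdefault(uri, reason)
    return findings


def sample_findings():
    """Run the check over the constructed sample above."""
    return find_malformed(json.loads(SAMPLE_FEED))


if __name__ == "__main__":
    # With a path argument, scan a locally downloaded nvdcve-1.1-*.json.gz file;
    # without one, scan the constructed sample.
    if len(sys.argv) > 1:
        with gzip.open(sys.argv[1], "rt", encoding="utf-8") as fh:
            results = find_malformed(json.load(fh))
    else:
        results = sample_findings()
    for uri, reason in sorted(results.items()):
        print(f"{reason}: {uri}")
    sys.exit(1 if results else 0)
```

Run against a downloaded feed file before importing it, the non-zero exit status can gate the database update so a malformed feed does not replace working local data.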
Hi
since this morning I also got an error when running dependency-check-maven, however resulting in a different error (which may however be related, as it also hints at broken NIST data from 2021):
org.owasp.dependencycheck.data.update.exception.UpdateException: The execution of the download was interrupted
at org.owasp.dependencycheck.data.update.NvdCveUpdater.performUpdate (NvdCveUpdater.java:317)
at org.owasp.dependencycheck.data.update.NvdCveUpdater.update (NvdCveUpdater.java:125)
at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:860)
at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase (Engine.java:667)
at org.owasp.dependencycheck.Engine.analyzeDependencies (Engine.java:593)
at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1660)
at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:929)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
at org.jvnet.hudson.maven3.launcher.Maven35Launcher.main (Maven35Launcher.java:130)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke (Method.java:566)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
at jenkins.maven3.agent.Maven35Main.launch (Maven35Main.java:178)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke (Method.java:566)
at hudson.maven.Maven3Builder.call (Maven3Builder.java:139)
at hudson.maven.Maven3Builder.call (Maven3Builder.java:70)
at hudson.remoting.UserRequest.perform (UserRequest.java:211)
at hudson.remoting.UserRequest.perform (UserRequest.java:54)
at hudson.remoting.Request$2.run (Request.java:375)
at hudson.remoting.InterceptingExecutorService$1.call (InterceptingExecutorService.java:73)
at java.util.concurrent.FutureTask.run (FutureTask.java:264)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
at java.lang.Thread.run (Thread.java:834)
Caused by: java.util.concurrent.ExecutionException: java.lang.NullPointerException
at java.util.concurrent.FutureTask.report (FutureTask.java:122)
at java.util.concurrent.FutureTask.get (FutureTask.java:191)
at org.owasp.dependencycheck.data.update.NvdCveUpdater.performUpdate (NvdCveUpdater.java:307)
at org.owasp.dependencycheck.data.update.NvdCveUpdater.update (NvdCveUpdater.java:125)
at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:860)
at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase (Engine.java:667)
at org.owasp.dependencycheck.Engine.analyzeDependencies (Engine.java:593)
at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1660)
at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:929)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
at org.jvnet.hudson.maven3.launcher.Maven35Launcher.main (Maven35Launcher.java:130)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke (Method.java:566)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
at jenkins.maven3.agent.Maven35Main.launch (Maven35Main.java:178)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke (Method.java:566)
at hudson.maven.Maven3Builder.call (Maven3Builder.java:139)
at hudson.maven.Maven3Builder.call (Maven3Builder.java:70)
at hudson.remoting.UserRequest.perform (UserRequest.java:211)
at hudson.remoting.UserRequest.perform (UserRequest.java:54)
at hudson.remoting.Request$2.run (Request.java:375)
at hudson.remoting.InterceptingExecutorService$1.call (InterceptingExecutorService.java:73)
at java.util.concurrent.FutureTask.run (FutureTask.java:264)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
at java.lang.Thread.run (Thread.java:834)
Caused by: java.lang.NullPointerException
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerabilityInsertReferences (CveDB.java:1173)
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability (CveDB.java:859)
at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.parse (NvdCveParser.java:97)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.importJSON (ProcessTask.java:139)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles (ProcessTask.java:152)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call (ProcessTask.java:113)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call (ProcessTask.java:40)
at java.util.concurrent.FutureTask.run (FutureTask.java:264)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
at java.lang.Thread.run (Thread.java:834)
[INFO] Skipping RetireJS update since last update was within 24 hours.
(dependency-check-maven:6.1.5)
After purging and repopulating my nvdmirror I got a different exception:
[INFO] Download Complete for NVD CVE - 2016 (664 ms)
[INFO] Download Started for NVD CVE - 2018
[INFO] Download Complete for NVD CVE - 2017 (706 ms)
[INFO] Processing Started for NVD CVE - 2016
[INFO] Processing Started for NVD CVE - 2017
[INFO] Download Started for NVD CVE - 2019
[INFO] Download Complete for NVD CVE - 2018 (823 ms)
[INFO] Processing Started for NVD CVE - 2018
[INFO] Download Started for NVD CVE - 2020
[INFO] Download Complete for NVD CVE - 2019 (1124 ms)
[INFO] Download Started for NVD CVE - 2021
[INFO] Processing Started for NVD CVE - 2019
[INFO] Download Complete for NVD CVE - 2021 (230 ms)
[INFO] Processing Started for NVD CVE - 2021
[INFO] Download Complete for NVD CVE - 2020 (860 ms)
[INFO] Processing Started for NVD CVE - 2020
[ERROR] java.util.concurrent.ExecutionException: java.lang.NullPointerException
org.owasp.dependencycheck.data.update.exception.UpdateException: java.util.concurrent.ExecutionException: java.lang.NullPointerException
at org.owasp.dependencycheck.data.update.NvdCveUpdater.performUpdate (NvdCveUpdater.java:298)
at org.owasp.dependencycheck.data.update.NvdCveUpdater.update (NvdCveUpdater.java:125)
at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:860)
at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase (Engine.java:667)
at org.owasp.dependencycheck.Engine.analyzeDependencies (Engine.java:593)
at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1660)
at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:929)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
at org.jvnet.hudson.maven3.launcher.Maven35Launcher.main (Maven35Launcher.java:130)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke (Method.java:566)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
at jenkins.maven3.agent.Maven35Main.launch (Maven35Main.java:178)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke (Method.java:566)
at hudson.maven.Maven3Builder.call (Maven3Builder.java:139)
at hudson.maven.Maven3Builder.call (Maven3Builder.java:70)
at hudson.remoting.UserRequest.perform (UserRequest.java:211)
at hudson.remoting.UserRequest.perform (UserRequest.java:54)
at hudson.remoting.Request$2.run (Request.java:375)
at hudson.remoting.InterceptingExecutorService$1.call (InterceptingExecutorService.java:73)
at java.util.concurrent.FutureTask.run (FutureTask.java:264)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
at java.lang.Thread.run (Thread.java:834)
Caused by: java.util.concurrent.ExecutionException: java.lang.NullPointerException
at java.util.concurrent.FutureTask.report (FutureTask.java:122)
at java.util.concurrent.FutureTask.get (FutureTask.java:191)
at org.owasp.dependencycheck.data.update.NvdCveUpdater.performUpdate (NvdCveUpdater.java:288)
at org.owasp.dependencycheck.data.update.NvdCveUpdater.update (NvdCveUpdater.java:125)
at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:860)
at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase (Engine.java:667)
at org.owasp.dependencycheck.Engine.analyzeDependencies (Engine.java:593)
at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1660)
at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:929)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
at org.jvnet.hudson.maven3.launcher.Maven35Launcher.main (Maven35Launcher.java:130)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke (Method.java:566)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
at jenkins.maven3.agent.Maven35Main.launch (Maven35Main.java:178)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke (Method.java:566)
at hudson.maven.Maven3Builder.call (Maven3Builder.java:139)
at hudson.maven.Maven3Builder.call (Maven3Builder.java:70)
at hudson.remoting.UserRequest.perform (UserRequest.java:211)
at hudson.remoting.UserRequest.perform (UserRequest.java:54)
at hudson.remoting.Request$2.run (Request.java:375)
at hudson.remoting.InterceptingExecutorService$1.call (InterceptingExecutorService.java:73)
at java.util.concurrent.FutureTask.run (FutureTask.java:264)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
at java.lang.Thread.run (Thread.java:834)
Caused by: java.lang.NullPointerException
at org.owasp.dependencycheck.data.nvd.ecosystem.UrlEcosystemMapper.getEcosystem (UrlEcosystemMapper.java:68)
at org.owasp.dependencycheck.data.nvd.ecosystem.CveEcosystemMapper.getEcosystem (CveEcosystemMapper.java:74)
at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.parse (NvdCveParser.java:97)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.importJSON (ProcessTask.java:139)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles (ProcessTask.java:152)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call (ProcessTask.java:113)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call (ProcessTask.java:40)
at java.util.concurrent.FutureTask.run (FutureTask.java:264)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
at java.lang.Thread.run (Thread.java:834)
I did not look too deep into it, but my impression is that UrlEcosystemMapper.java needs a reference for each cve:
61     /**
62      * Determines the ecosystem for the given CVE.
63      *
64      * @param cve the CVE data
65      * @return the ecosystem
66      */
67     public String getEcosystem(DefCveItem cve) {
68         for (Reference r : cve.getCve().getReferences().getReferenceData()) {
69
70             final Hit<String> ecosystem = search.findFirst(r.getUrl());
71             if (ecosystem != null) {
72                 return ecosystem.value;
73             }
74         }
75         return null;
76     }
(at least if I googled the correct version of the class).
This however is apparently not the case:
$ grep '"cve"' nvdcve-1.1-2021.json | wc -l
3658
$ grep '"references"' nvdcve-1.1-2021.json | wc -l
3645
Maybe this can also shed some light on the issue.
Same problem for maven plugin version 6.1.5
CveDB.java:
    try (PreparedStatement insertReference = prepareStatement(INSERT_REFERENCE)) {
        if (insertReference == null) {
            throw new SQLException("Database query does not exist in the resource bundle: " + INSERT_REFERENCE);
        }
        for (Reference r : cve.getCve().getReferences().getReferenceData()) { // <-- (Line 1173)
            insertReference.setInt(1, vulnerabilityId);
            insertReference.setString(2, r.getName());
            insertReference.setString(3, r.getUrl());
            insertReference.setString(4, r.getRefsource());
            if (isBatchInsertEnabled()) {
                insertReference.addBatch();
            } else {
                insertReference.execute();
            }
        }
        if (isBatchInsertEnabled()) {
            insertReference.executeBatch();
        }
    }
}
This also hints that getReferences() yields null.
Seems that all cve entries without reference are somehow revoked ("rejected") entries:
cat nvdcve-1.1-2021.json | jq '.CVE_Items[].cve | { "cve": ., "has_reference": has("references")} | select(.has_reference == false) | { "cve": .cve }' > no-reference.json
produces:
{
"cve": {
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-20189",
"ASSIGNER": "[email protected]"
},
"problemtype": {
"problemtype_data": [
{
"description": []
}
]
},
"description": {
"description_data": [
{
"lang": "en",
"value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none."
}
]
}
}
}
{
"cve": {
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-20207",
"ASSIGNER": "[email protected]"
},
"problemtype": {
"problemtype_data": [
{
"description": []
}
]
},
"description": {
"description_data": [
{
"lang": "en",
"value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs:CVE-2021-3348. Reason: This candidate is a reservation duplicate of CVE-2021-3348. Notes: All CVE users should reference CVE-2021-3348 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage."
}
]
}
}
}
{
"cve": {
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-26959",
"ASSIGNER": "[email protected]"
},
"problemtype": {
"problemtype_data": [
{
"description": []
}
]
},
"description": {
"description_data": [
{
"lang": "en",
"value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-21299. Reason: This candidate is a duplicate of CVE-2021-21299. Notes: All CVE users should reference CVE-2021-21299 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage."
}
]
}
}
}
{
"cve": {
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-20242",
"ASSIGNER": "[email protected]"
},
"problemtype": {
"problemtype_data": [
{
"description": []
}
]
},
"description": {
"description_data": [
{
"lang": "en",
"value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-20176. Reason: This candidate is a reservation duplicate of CVE-2021-20176. Notes: All CVE users should reference CVE-2021-20176 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage."
}
]
}
}
}
{
"cve": {
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-20200",
"ASSIGNER": "[email protected]"
},
"problemtype": {
"problemtype_data": [
{
"description": []
}
]
},
"description": {
"description_data": [
{
"lang": "en",
"value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none."
}
]
}
}
}
{
"cve": {
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-0384",
"ASSIGNER": "[email protected]"
},
"problemtype": {
"problemtype_data": [
{
"description": []
}
]
},
"description": {
"description_data": [
{
"lang": "en",
"value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none."
}
]
}
}
}
{
"cve": {
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-23361",
"ASSIGNER": "[email protected]"
},
"problemtype": {
"problemtype_data": [
{
"description": []
}
]
},
"description": {
"description_data": [
{
"lang": "en",
"value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none."
}
]
}
}
}
{
"cve": {
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-22493",
"ASSIGNER": "[email protected]"
},
"problemtype": {
"problemtype_data": [
{
"description": []
}
]
},
"description": {
"description_data": [
{
"lang": "en",
"value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-25346. Reason: This candidate is a duplicate of CVE-2021-25346. Notes: All CVE users should reference CVE-2021-25346 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage."
}
]
}
}
}
{
"cve": {
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-3142",
"ASSIGNER": "[email protected]"
},
"problemtype": {
"problemtype_data": [
{
"description": []
}
]
},
"description": {
"description_data": [
{
"lang": "en",
"value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-35128. Reason: This candidate is a reservation duplicate of CVE-2020-35128. Notes: All CVE users should reference CVE-2020-35128 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage."
}
]
}
}
}
{
"cve": {
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-3419",
"ASSIGNER": "[email protected]"
},
"problemtype": {
"problemtype_data": [
{
"description": []
}
]
},
"description": {
"description_data": [
{
"lang": "en",
"value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none."
}
]
}
}
}
{
"cve": {
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-3465",
"ASSIGNER": "[email protected]"
},
"problemtype": {
"problemtype_data": [
{
"description": []
}
]
},
"description": {
"description_data": [
{
"lang": "en",
"value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none."
}
]
}
}
}
{
"cve": {
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-3471",
"ASSIGNER": "[email protected]"
},
"problemtype": {
"problemtype_data": [
{
"description": []
}
]
},
"description": {
"description_data": [
{
"lang": "en",
"value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none."
}
]
}
}
}
{
"cve": {
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-30138",
"ASSIGNER": "[email protected]"
},
"problemtype": {
"problemtype_data": [
{
"description": []
}
]
},
"description": {
"description_data": [
{
"lang": "en",
"value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none."
}
]
}
}
}
Not a duplicate from the error message, but maybe related:
https://github.com/jeremylong/DependencyCheck/issues/3310
Am getting the following error when the owasp dependency check is executed today (22nd Apr 2021):
[ERROR] org.owasp.dependencycheck.data.nvdcve.DatabaseException: Unable to parse CPE: cpe:2.3:a:jenkins:pipeline:_groovy::::::jenkins::*
org.owasp.dependencycheck.data.update.exception.UpdateException: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Unable to parse CPE: cpe:2.3:a:jenkins:pipeline:_groovy::::::jenkins::*
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:156)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:113)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:40)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Unable to parse CPE: cpe:2.3:a:jenkins:pipeline:_groovy::::::jenkins::*
at org.owasp.dependencycheck.data.nvdcve.CveDB.parseCpe(CveDB.java:1218)
at org.owasp.dependencycheck.data.nvdcve.CveDB.lambda$parseCpes$3(CveDB.java:1175)
at java.util.ArrayList.forEach(ArrayList.java:1259)
at org.owasp.dependencycheck.data.nvdcve.CveDB.parseCpes(CveDB.java:1174)
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability(CveDB.java:839)
at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.parse(NvdCveParser.java:101)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.importJSON(ProcessTask.java:139)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:152)
... 6 common frames omitted
Caused by: us.springett.parsers.cpe.exceptions.CpeParsingException: Invalid CPE (too many components): cpe:2.3:a:jenkins:pipeline:_groovy::::::jenkins::*
at us.springett.parsers.cpe.CpeParser.parse23(CpeParser.java:225)
at us.springett.parsers.cpe.CpeParser.parse(CpeParser.java:77)
at org.owasp.dependencycheck.data.nvdcve.CveDB.parseCpe(CveDB.java:1208)
... 13 common frames omitted
[WARN] A new version of dependency-check is available. Consider updating to version 6.1.5.
[WARN] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[ERROR] Unable to continue dependency-check analysis.
[ERROR] One or more fatal errors occurred
[ERROR] org.owasp.dependencycheck.data.nvdcve.DatabaseException: Unable to parse CPE: cpe:2.3:a:jenkins:pipeline:_groovy::::::jenkins::*
[ERROR] No documents exist
Root cause is likely an error with NIST data feeds per: https://twitter.com/NISTcyber/status/1384935382555537409
Sounds like NIST is getting closer to fixing the data sources:
We have resolved the issue where data feed files were not properly replicating to their intended destinations. However, we are currently investigating and working towards a resolution for multiple unintended formatting changes to the JSON feeds that have been reported by others.
Just tried with a fresh download from NIST, but still the issue:
16:02:46 Caused by: org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during analysis:
16:02:46 UpdateException: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Unable to parse CPE: cpe:2.3:a:xt-commerce:xt:commerce:3.0.4:*:*:*:*:*:*:*
16:02:46 caused by DatabaseException: Unable to parse CPE: cpe:2.3:a:xt-commerce:xt:commerce:3.0.4:*:*:*:*:*:*:*
16:02:46 caused by CpeParsingException: Invalid CPE (too many components): cpe:2.3:a:xt-commerce:xt:commerce:3.0.4:*:*:*:*:*:*:*
16:02:46 NoDataException: No documents exist
So I guess we have to wait.
One workaround which I've done is using the -DautoUpdate=false flag, preventing my dependency-check from pulling a fresh update from NIST.
mvn org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7 -s settings.xml -DautoUpdate=false
You need an existing odc.mv.db in your .m2 folder though.
Built https://hub.docker.com/r/nicolnx/dependency-check for the rpaasche/DependencyCheck fork, where this issue seems to be mitigated with the latest commits; the update works (with lots of warnings, but it doesn't fail).
Just checked now. Still broken
Using org.owasp:dependency-check-maven across 3 different projects in the last 30ish minutes.
v5.3.0 & 5.3.2 getting:
org.owasp.dependencycheck.data.update.exception.UpdateException: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Unable to parse CPE: cpe:2.3:a:codeblocks:code::blocks:17.12:*:*:*:*:*:*:*
v6.1.5 getting:
org.owasp.dependencycheck.data.update.exception.UpdateException: java.util.concurrent.ExecutionException: java.lang.NullPointerException
Same problem with all of our projects
Before purging local cache:
[ERROR] The execution of the download was interrupted
org.owasp.dependencycheck.data.update.exception.UpdateException: The execution of the download was interrupted
.......
Caused by: java.util.concurrent.ExecutionException: java.lang.NullPointerException
After purging local cache:
Caused by: us.springett.parsers.cpe.exceptions.CpeParsingException: Invalid CPE (too many components): cpe:2.3:a:xt-commerce:xt:commerce:3.0.4:::::::*
Has anyone found a workaround?
[DependencyCheck] [INFO] Processing Started for NVD CVE - Modified
[DependencyCheck] [ERROR] The execution of the download was interrupted
[DependencyCheck] org.owasp.dependencycheck.data.update.exception.UpdateException: The execution of the download was interrupted
[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater.performUpdate(NvdCveUpdater.java:317)
[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:125)
[DependencyCheck] at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:922)
[DependencyCheck] at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:723)
[DependencyCheck] at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:653)
[DependencyCheck] at org.owasp.dependencycheck.App.runScan(App.java:251)
[DependencyCheck] at org.owasp.dependencycheck.App.run(App.java:183)
[DependencyCheck] at org.owasp.dependencycheck.App.main(App.java:80)
[DependencyCheck] Caused by: java.util.concurrent.ExecutionException: java.lang.NullPointerException
[DependencyCheck] at java.util.concurrent.FutureTask.report(FutureTask.java:122)
[DependencyCheck] at java.util.concurrent.FutureTask.get(FutureTask.java:192)
[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater.performUpdate(NvdCveUpdater.java:307)
[DependencyCheck] ... 7 common frames omitted
[DependencyCheck] Caused by: java.lang.NullPointerException: null
[DependencyCheck] at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerabilityInsertReferences(CveDB.java:1324)
Has anyone found a workaround?
4th post here: https://github.com/jeremylong/DependencyCheck/issues/3307#issuecomment-824452850
@xtermi2 Thanks, it worked fine.
@rvalladares77 Where exactly did you add that configuration setting? I'm running the dependency checker container, and looking to implement this same workaround.
@pmartindev I added it in my pom.xml thus:
<build>
  <plugins>
    <!-- other plugins -->
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>6.1.5</version>
      <executions>
        <execution>
          <configuration>
            <!-- temporary workaround as NIST is broken -->
            <autoUpdate>false</autoUpdate>
          </configuration>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
    <!-- other plugins -->
  </plugins>
</build>
Worked for me, many thanks @andreapoli!
Has anyone found a workaround?
4th post here: #3307 (comment)
The issue with using this mirror is 1) it's not one we can easily trust 2) it looks out of date.
I wonder are there any official sources for older versions of the DB?
I couldn't find any issues on using the newer versions of the database. Is this considered and/or are there any objections to that?
@pmartindev I am using Jenkins so I added these commands in the arguments section.
--cveUrlModified 'https://freedumbytes.gitlab.io/setup/nist-nvd-mirror/nvdcve-1.1-modified.json.gz'
--cveUrlBase 'https://freedumbytes.gitlab.io/setup/nist-nvd-mirror/nvdcve-1.1-2020.json.gz'

For those using the dependency checker cli, you simply need to add the --cveUrlModified and --cveUrlBase when you execute the shell command pointing to the respective redirect urls. It should look something like this:
/usr/share/dependency-check/bin/dependency-check.sh --project DependencyScan --out $OUTPUTDIR --scan $SCANDIR --prettyPrint --cveUrlBase $BASE_CVE_URL --cveUrlModified $MODIFIED_CVE_URL -f HTML -f JSON
Looks like the issue has been resolved now for me...
I am using https://github.com/jeremylong/DependencyCheck/releases/download/v5.3.2/dependency-check-5.3.2-release.zip via Jenkins and it's working now for downloading updates (I verified that there's no version update in the dependency-check tool).
It appears NVD has fixed the issue. CLI 6.1.5 is now working for me.
I can confirm @AlexUmrysh's comment. Builds which were previously failing are now successfully updating the NVD database.
Last night it was still failing on my jobs. This morning I wanted to check for a workaround, but by the looks of it all seems to be fine again like it was 48 hours ago.
Just executed builds with org.owasp:dependency-check-maven plugin across 3 different projects, they are now working without any issues, the following versions of the plugin have been checked:
Yes, I have removed the autoUpdate flag from my pom and can get a build once more.
I still have the issue that the JSON files contain wrong formatting. We are using nist-data-mirror and I did a complete fresh download of the files. But the files still contain invalid formatting, e.g.
[jenkins@apwessnlnx049 data]$ grep "2.3:a:xt-commerce:xt" *nvdcve-1.1-2020.json
nvdcve-1.1-2020.json: "cpe23Uri" : "cpe:2.3:a:xt-commerce:xt\\:commerce:*:*:*:*:*:*:*:*",
Still those annoying "\\" in the files.
Can anybody confirm that this is the "correct" hash, e.g.
[jenkins@apwessnlnx049 data]$ cat nvdcve-1.1-2020.meta
lastModifiedDate:2021-04-23T03:05:00-04:00
size:93118694
zipSize:4778246
gzSize:4778110
sha256:BE5983487CF901790C1351795BE04BB58D74D3A4FB7747B8C465EC07A9CCBF27
Thanks, Rainer
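Checking a downloaded feed file against its .meta file, as asked in the post above, can be scripted. The following Python sketch is an added example, not part of the original post or of nist-data-mirror; it assumes that size and sha256 in the .meta describe the uncompressed JSON and gzSize the .json.gz, and it runs on a small constructed feed rather than the real file.

```python
import gzip
import hashlib
import zlib

REQUIRED_KEYS = ("size", "gzSize", "sha256")


def parse_meta(text):
    """Parse 'key:value' lines; split on the first ':' only, since timestamps contain colons."""
    meta = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            meta[key.strip()] = value.strip()
    return meta


def verify_feed(gz_bytes, meta_text):
    """Return a list of mismatches between a .json.gz and its .meta; empty means consistent."""
    meta = parse_meta(meta_text)
    missing = [k for k in REQUIRED_KEYS if k not in meta]
    if missing:
        return ["meta file lacks: " + ", ".join(missing)]
    if not (meta["size"].isdigit() and meta["gzSize"].isdigit()):
        return ["size/gzSize in meta are not decimal integers"]

    problems = []
    if len(gz_bytes) != int(meta["gzSize"]):
        problems.append(f"gzSize mismatch: got {len(gz_bytes)}, meta says {meta['gzSize']}")
    try:
        raw = gzip.decompress(gz_bytes)
    except (OSError, EOFError, zlib.error) as exc:
        # A truncated or corrupted download ends up here.
        problems.append(f"gzip stream unreadable: {exc}")
        return problems
    if len(raw) != int(meta["size"]):
        problems.append(f"size mismatch: got {len(raw)}, meta says {meta['size']}")
    # Assumption: the hash covers the uncompressed JSON. The .meta on this page
    # prints it in upper case, so compare case-insensitively.
    digest = hashlib.sha256(raw).hexdigest()
    if digest != meta["sha256"].lower():
        problems.append(f"sha256 mismatch: computed {digest.upper()}")
    return problems


# Constructed sample: a tiny stand-in feed and a .meta generated to match it.
SAMPLE_JSON = b'{"CVE_data_type": "CVE", "CVE_Items": []}'
SAMPLE_GZ = gzip.compress(SAMPLE_JSON)
SAMPLE_META = "\n".join([
    "lastModifiedDate:2021-04-23T03:05:00-04:00",
    f"size:{len(SAMPLE_JSON)}",
    f"gzSize:{len(SAMPLE_GZ)}",
    "sha256:" + hashlib.sha256(SAMPLE_JSON).hexdigest().upper(),
])

if __name__ == "__main__":
    print(verify_feed(SAMPLE_GZ, SAMPLE_META) or "feed matches its .meta")
    print(verify_feed(SAMPLE_GZ[:-8], SAMPLE_META))  # simulated truncated download
```

A .meta served by the same mirror as the feed only detects truncation or corruption; comparing against the .meta fetched from NVD itself is what ties a mirrored file to the official feed.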
This was resolved when the NVD corrected the data feeds.
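The two feed defects reported in this thread (CVE items with no references object, which the posts above tie to the NullPointerException, and cpe23Uri values that split into too many components) can be detected before a mirror hands a file to dependency-check. The following Python sketch is an added example, not code from the thread or from the DependencyCheck project; the function names, the placeholder CVE IDs and the sample feed are constructed for illustration.

```python
import json

CPE23_COMPONENTS = 13  # "cpe", "2.3", then the 11 attribute fields


def split_cpe23(uri):
    """Split a CPE 2.3 formatted string on unescaped colons; a backslash escapes the next char."""
    parts, current, i = [], [], 0
    while i < len(uri):
        ch = uri[i]
        if ch == "\\" and i + 1 < len(uri):
            current.append(uri[i:i + 2])  # keep the escape pair together, e.g. "\:"
            i += 2
            continue
        if ch == ":":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def iter_cpe_uris(nodes):
    """Yield every cpe23Uri under configurations.nodes, including nested children."""
    for node in nodes or []:
        for match in node.get("cpe_match") or []:
            if "cpe23Uri" in match:
                yield match["cpe23Uri"]
        yield from iter_cpe_uris(node.get("children"))


def lint_feed(feed):
    """Return (cve_id, kind, detail) tuples for the two defects seen in the thread."""
    findings = []
    for item in feed.get("CVE_Items") or []:
        cve = item.get("cve") or {}
        cve_id = (cve.get("CVE_data_meta") or {}).get("ID", "<no id>")
        refs = cve.get("references")
        if not isinstance(refs, dict) or refs.get("reference_data") is None:
            descs = (cve.get("description") or {}).get("description_data") or []
            rejected = any("** REJECT **" in (d.get("value") or "") for d in descs)
            findings.append((cve_id, "missing-references",
                             "rejected" if rejected else "not rejected"))
        nodes = (item.get("configurations") or {}).get("nodes")
        for uri in iter_cpe_uris(nodes):
            count = len(split_cpe23(uri))
            if count != CPE23_COMPONENTS:
                findings.append((cve_id, "bad-cpe", f"{count} components: {uri}"))
    return findings


# Constructed sample in the NVD 1.1 JSON layout. In the raw file the escaped
# colon is written as \\: because JSON itself escapes the backslash.
SAMPLE_FEED_TEXT = r'''
{"CVE_Items": [
  {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"},
           "references": {"reference_data": [{"url": "https://example.test/advisory"}]},
           "description": {"description_data": [{"lang": "en", "value": "Constructed entry."}]}},
   "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
     {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:xt-commerce:xt\\:commerce:3.0.4:*:*:*:*:*:*:*"}]}]}},
  {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"},
           "description": {"description_data": [
             {"lang": "en", "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER."}]}},
   "configurations": {"nodes": []}},
  {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0003"},
           "references": {"reference_data": []},
           "description": {"description_data": [{"lang": "en", "value": "Constructed entry."}]}},
   "configurations": {"nodes": [{"operator": "AND", "children": [{"operator": "OR", "cpe_match": [
     {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:xt-commerce:xt:commerce:3.0.4:*:*:*:*:*:*:*"}]}]}]}}
]}
'''
SAMPLE_FEED = json.loads(SAMPLE_FEED_TEXT)

if __name__ == "__main__":
    for finding in lint_feed(SAMPLE_FEED):
        print(*finding, sep="\t")
```

Run against a real feed with json.load on the decompressed file; a non-empty result is a reason to keep the previous mirror contents instead of publishing the new download.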