ODC 1.4.4 fails with Maven (1.4.3 is OK)


Vít Šesták

Nov 16, 2016, 8:30:02 AM
to Dependency Check
Hello,
after updating to ODC 1.4.4, I have Maven builds that fail with an exception. Downgrading to 1.4.3 fixes this issue.

The exception:

java.lang.NullPointerException
    at org.owasp.dependencycheck.analyzer.CPEAnalyzer.searchCPE(CPEAnalyzer.java:295)
    at org.owasp.dependencycheck.analyzer.CPEAnalyzer.determineCPE(CPEAnalyzer.java:213)
    at org.owasp.dependencycheck.analyzer.CPEAnalyzer.analyze(CPEAnalyzer.java:520)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:90)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

The line seems to be `final TopDocs docs = cpe.search(searchString, MAX_QUERY_RESULTS);`. It seems that cpe == null, which should happen only if CPEAnalyzer.open() is not called or fails. (I don't count reflection or Unsafe magic.) Or if there is a race condition. (Well, I slightly suspect “Additionally, the analyzers were parallelized increasing performance.” (from changelog) to be responsible for this issue. However, these failures happen consistently.)

I have seen a similar issue in an older version, but an upgrade resolved it. In this case, the opposite is true, i.e. the upgrade broke this.

I don't see the issue in Gradle/CLI frontends for ODC, not sure why.

Any idea what is wrong?

Regards,
Vít Šesták 'v6ak'

Jeremy Long

Nov 18, 2016, 6:52:11 AM
to Vít Šesták, Dependency Check
Thanks for reporting this. I have an idea of what is going on; I just have to figure out what the best fix option is... The Maven plugin extends the core engine so that certain tasks are only performed once on a multi-module build (such as the update).

Also, any chance you've made your Maven build use parallel execution (https://zeroturnaround.com/rebellabs/your-maven-build-is-slow-speed-it-up/)?

--Jeremy


Vít Šesták

Nov 18, 2016, 8:23:56 AM
to Dependency Check, groups-no-private-mail--con...@v6ak.com
I haven't enabled parallel builds, at least not by Maven argument.

However, it seems to be related to multi-module builds. Roughly looking, there seems to be at least some correlation with a project having multiple modules.

Regards,
Vít Šesták 'v6ak'
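The two messages above narrow the failure to an analyzer whose index reference (`cpe`) is null when `searchCPE()` runs on a worker thread: either `open()` never ran on that instance, or the instance is being shared across modules or threads in a way that breaks its open/close lifecycle. The sketch below is an added illustration, not dependency-check's code and not Jeremy Long's fix; the names `GuardedCpeAnalyzer`, `CpeIndex` and `AnalysisTask` are hypothetical. It shows how a fail-fast state check turns the bare `NullPointerException` from the stack trace into an error that names the lifecycle violation, and it exercises two misuse scenarios under a thread pool: analysis submitted before `open()`, and a shared analyzer that one module closed before the next module reused it. The second scenario is only a hypothesis consistent with the multi-module correlation reported in the thread, not a confirmed root cause.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

/**
 * Hypothetical lifecycle-guard sketch (added example, not dependency-check's code).
 * Class and method names are placeholders chosen to mirror the stack trace in the thread.
 */
public final class AnalyzerLifecycleDemo {

    /** Stand-in for the Lucene index the real CPEAnalyzer searches; entries are constructed sample data. */
    static final class CpeIndex {
        private final List<String> entries = List.of("cpe:/a:vendor:product:1.0", "cpe:/a:vendor:other:2.0");

        List<String> search(String query, int maxResults) {
            List<String> hits = new ArrayList<>();
            for (String entry : entries) {
                if (entry.contains(query) && hits.size() < maxResults) {
                    hits.add(entry);
                }
            }
            return hits;
        }
    }

    /** Analyzer whose search refuses to run unless open() completed and close() has not yet run. */
    static final class GuardedCpeAnalyzer {
        private static final int MAX_QUERY_RESULTS = 10;
        private volatile CpeIndex cpe; // null before open() and after close()

        synchronized void open() {
            if (cpe == null) {
                cpe = new CpeIndex();
            }
        }

        synchronized void close() {
            cpe = null;
        }

        List<String> searchCPE(String searchString) {
            CpeIndex index = cpe; // read the volatile once so the check and the use see the same object
            if (index == null) {
                throw new IllegalStateException(
                        "CPEAnalyzer used before open() or after close() while searching: " + searchString);
            }
            return index.search(searchString, MAX_QUERY_RESULTS);
        }
    }

    /** Mirrors the per-dependency task that the stack trace shows running on a worker pool. */
    static final class AnalysisTask implements Callable<List<String>> {
        private final GuardedCpeAnalyzer analyzer;
        private final String dependency;

        AnalysisTask(GuardedCpeAnalyzer analyzer, String dependency) {
            this.analyzer = analyzer;
            this.dependency = dependency;
        }

        @Override
        public List<String> call() {
            return analyzer.searchCPE(dependency);
        }
    }

    /** Submits one task per (constructed) dependency of a module and reports each outcome. */
    static void runModule(String module, GuardedCpeAnalyzer analyzer, ExecutorService pool)
            throws InterruptedException {
        List<Future<List<String>>> futures = new ArrayList<>();
        for (String dependency : List.of("vendor:product", "vendor:other")) {
            futures.add(pool.submit(new AnalysisTask(analyzer, dependency)));
        }
        for (Future<List<String>> future : futures) {
            try {
                System.out.println(module + ": " + future.get());
            } catch (ExecutionException e) {
                // The guard surfaces the actual lifecycle problem instead of a bare NullPointerException.
                System.out.println(module + ": FAILED -> " + e.getCause());
            }
        }
    }

    public static void main(String[] args) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(4);
        GuardedCpeAnalyzer shared = new GuardedCpeAnalyzer();
        try {
            runModule("module-a (before open)", shared, pool); // every task fails with IllegalStateException
            shared.open();
            runModule("module-a", shared, pool);               // tasks return CPE hits
            shared.close();                                    // first module finishes and closes the shared analyzer
            runModule("module-b", shared, pool);               // fails again: analyzer reused after close()
        } finally {
            pool.shutdown();
        }
    }
}
```

The point of the guard is diagnostic rather than corrective: it does not decide who owns the analyzer in a multi-module build, but it makes a misuse of the lifecycle report itself as such on the first affected task, which is the information a maintainer needs to choose between "open once per build" and "open once per module".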

Alix Lourme

Nov 21, 2016, 5:52:38 PM
to Dependency Check, groups-no-private-mail--con...@v6ak.com
Hi,

Not exactly the same exception, but the same symptom: v1.4.4 fails on Maven multi-module projects (works fine with v1.4.3). Details: #617

Best regards.

Vít Šesták

Nov 22, 2016, 1:55:11 AM
to Dependency Check
Well, this might be exactly the same issue. I've seen a similar exception. The one I've reported is the topmost one.

Regards,
Vít Šesták 'v6ak'