Hello,
after updating to ODC 1.4.4, I have Maven builds that fail with an exception. Downgrading to 1.4.3 fixes this issue.
The exception:
```
java.lang.NullPointerException
	at org.owasp.dependencycheck.analyzer.CPEAnalyzer.searchCPE(CPEAnalyzer.java:295)
	at org.owasp.dependencycheck.analyzer.CPEAnalyzer.determineCPE(CPEAnalyzer.java:213)
	at org.owasp.dependencycheck.analyzer.CPEAnalyzer.analyze(CPEAnalyzer.java:520)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:90)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
```
The line seems to be `final TopDocs docs = cpe.search(searchString, MAX_QUERY_RESULTS);`. It seems that `cpe == null`, which should happen only if `CPEAnalyzer.open()` is not called or fails. (I don't count reflection or Unsafe magic.) Or if there is a race condition. (Well, I slightly suspect “Additionally, the analyzers were parallelized increasing performance.” (from the changelog) to be responsible for this issue. However, these failures happen consistently.)
I have seen a similar issue in an older version, but an upgrade resolved it. In this case, the opposite is true, i.e. the upgrade broke this.
I don't see the issue in the Gradle/CLI frontends for ODC; I'm not sure why.
Any idea what is wrong?
Regards,
Vít Šesták 'v6ak'