
Error attempting to upload findings to Defect Dojo #2628

Closed · 2 tasks done
kmouzoul23 opened this issue Mar 28, 2023 · 6 comments · Fixed by #2742
Labels: defect (Something isn't working), integration/defectdojo (Related to the Defect Dojo integration)
Milestone: 4.8.1

Comments


kmouzoul23 commented Mar 28, 2023

Current Behavior

Cannot use Defect Dojo integration - Defect Dojo Integration error when attempting to upload findings

log output:
ERROR [DefectDojoClient] Make the subsequent pagination call on http:[//]hostname/api/v2/tests/?engagement=1842&limit=100&offset=4500
2023-03-28 09:34:54,227 ERROR [DefectDojoUploader] An error occurred attempting to upload findings to DefectDojo
java.lang.NullPointerException: Cannot invoke "Object.toString()" because the return value of "kong.unirest.json.JSONObject.get(String)" is null
        at org.dependencytrack.integrations.defectdojo.DefectDojoClient.getDojoTestId(DefectDojoClient.java:123)
        at org.dependencytrack.integrations.defectdojo.DefectDojoUploader.upload(DefectDojoUploader.java:90)
        at org.dependencytrack.tasks.VulnerabilityManagementUploadTask.processProjectFindings(VulnerabilityManagementUploadTask.java:66)
        at org.dependencytrack.tasks.VulnerabilityManagementUploadTask.inform(VulnerabilityManagementUploadTask.java:46)
        at org.dependencytrack.tasks.DefectDojoUploadTask.inform(DefectDojoUploadTask.java:37)
        at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:101)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.base/java.lang.Thread.run(Unknown Source)
2023-03-28 09:34:54,228 ERROR [DefectDojoUploader] An error occurred with the DefectDojo integration point
java.lang.NullPointerException: Cannot invoke "Object.toString()" because the return value of "kong.unirest.json.JSONObject.get(String)" is null
        at org.dependencytrack.integrations.defectdojo.DefectDojoClient.getDojoTestId(DefectDojoClient.java:123)
        at org.dependencytrack.integrations.defectdojo.DefectDojoUploader.upload(DefectDojoUploader.java:90)
        at org.dependencytrack.tasks.VulnerabilityManagementUploadTask.processProjectFindings(VulnerabilityManagementUploadTask.java:66)
        at org.dependencytrack.tasks.VulnerabilityManagementUploadTask.inform(VulnerabilityManagementUploadTask.java:46)
        at org.dependencytrack.tasks.DefectDojoUploadTask.inform(DefectDojoUploadTask.java:37)
        at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:101)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.base/java.lang.Thread.run(Unknown Source)

Steps to Reproduce

  1. Enable Defect Dojo integration
  2. Integrate projects with Defect Dojo (Create Project Property)

Expected Behavior

Dependency-Track Findings report should be uploaded successfully to Defect Dojo

Dependency-Track Version

4.7.1

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

@kmouzoul23 kmouzoul23 added defect Something isn't working in triage labels Mar 28, 2023
@corvusmod commented:

Same problem here.

2023-04-03 11:51:24,078 DEBUG [DefectDojoUploadTask] Starting DefectDojo upload task
2023-04-03 11:51:24,095 DEBUG [VulnerabilityManagementUploadTask] Initializing integration point: DefectDojo for project: d8594665-7e46-4a94-ac4c-237d40ac8de2
2023-04-03 11:51:24,171 DEBUG [VulnerabilityManagementUploadTask] Uploading findings to DefectDojo for project: d8594665-7e46-4a94-ac4c-237d40ac8de2
2023-04-03 11:51:24,172 DEBUG [DefectDojoClient] Pulling DefectDojo Tests API ...
2023-04-03 11:51:24,173 DEBUG [DefectDojoClient] Make the first pagination call
2023-04-03 11:51:24,268 DEBUG [DefectDojoClient] Successfully retrieve the test list
2023-04-03 11:51:24,269 ERROR [DefectDojoUploader] An error occurred attempting to upload findings to DefectDojo
java.lang.NullPointerException: Cannot invoke "Object.toString()" because the return value of "kong.unirest.json.JSONObject.get(String)" is null
        at org.dependencytrack.integrations.defectdojo.DefectDojoClient.getDojoTestId(DefectDojoClient.java:123)
        at org.dependencytrack.integrations.defectdojo.DefectDojoUploader.upload(DefectDojoUploader.java:90)
        at org.dependencytrack.tasks.VulnerabilityManagementUploadTask.processProjectFindings(VulnerabilityManagementUploadTask.java:66)
        at org.dependencytrack.tasks.VulnerabilityManagementUploadTask.inform(VulnerabilityManagementUploadTask.java:46)
        at org.dependencytrack.tasks.DefectDojoUploadTask.inform(DefectDojoUploadTask.java:37)
        at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:101)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.base/java.lang.Thread.run(Unknown Source)
2023-04-03 11:51:24,269 ERROR [DefectDojoUploader] An error occurred with the DefectDojo integration point
java.lang.NullPointerException: Cannot invoke "Object.toString()" because the return value of "kong.unirest.json.JSONObject.get(String)" is null
        at org.dependencytrack.integrations.defectdojo.DefectDojoClient.getDojoTestId(DefectDojoClient.java:123)
        at org.dependencytrack.integrations.defectdojo.DefectDojoUploader.upload(DefectDojoUploader.java:90)
        at org.dependencytrack.tasks.VulnerabilityManagementUploadTask.processProjectFindings(VulnerabilityManagementUploadTask.java:66)
        at org.dependencytrack.tasks.VulnerabilityManagementUploadTask.inform(VulnerabilityManagementUploadTask.java:46)
        at org.dependencytrack.tasks.DefectDojoUploadTask.inform(DefectDojoUploadTask.java:37)
        at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:101)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.base/java.lang.Thread.run(Unknown Source)
2023-04-03 11:51:24,269 DEBUG [NotificationService] Dispatching notification: class alpine.notification.Notification
2023-04-03 11:51:24,269 DEBUG [NotificationService] Alerting subscriber org.dependencytrack.notification.NotificationRouter
2023-04-03 11:51:24,272 DEBUG [DefectDojoUploadTask] DefectDojo upload complete

@corvusmod commented:

As a workaround, what I did was use the FPF format from DT.
I exported the results from DT in FPF format through the API and uploaded them to DefectDojo.


SeanWrightFeat commented May 4, 2023

I'm getting a similar error. Currently using the following:

  • Dependency-Track: 4.8.0
  • DefectDojo: 2.22.0

The error from Dependency-Track:

2023-05-04 20:14:33,010 [] ERROR [org.dependencytrack.integrations.defectdojo.DefectDojoClient] An error occurred with the DefectDojo integration point
org.apache.http.client.ClientProtocolException: null
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:187)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
        at org.dependencytrack.integrations.defectdojo.DefectDojoClient.getDojoTestIds(DefectDojoClient.java:116)
        at org.dependencytrack.integrations.defectdojo.DefectDojoUploader.upload(DefectDojoUploader.java:104)
        at org.dependencytrack.tasks.VulnerabilityManagementUploadTask.processProjectFindings(VulnerabilityManagementUploadTask.java:66)
        at org.dependencytrack.tasks.VulnerabilityManagementUploadTask.inform(VulnerabilityManagementUploadTask.java:46)
        at org.dependencytrack.tasks.DefectDojoUploadTask.inform(DefectDojoUploadTask.java:37)
        at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:101)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.base/java.lang.Thread.run(Unknown Source)
Caused by: org.apache.http.ProtocolException: Target host is not specified
        at org.apache.http.impl.conn.DefaultRoutePlanner.determineRoute(DefaultRoutePlanner.java:71)
        at org.apache.http.impl.client.InternalHttpClient.determineRoute(InternalHttpClient.java:125)
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
        ... 11 common frames omitted
2023-05-04 20:14:33,063 [] ERROR [org.dependencytrack.integrations.defectdojo.DefectDojoClient] An error occurred while communicating with the DefectDojo integration point
2023-05-04 20:14:33,063 [] ERROR [org.dependencytrack.integrations.defectdojo.DefectDojoClient] HTTP Status : 400 Bad Request
2023-05-04 20:14:33,063 [] ERROR [org.dependencytrack.integrations.defectdojo.DefectDojoClient] Request URL : https://dojo.featurespace.net//api/v2/import-scan/

I noticed the following from the DefectDojo logs:

nginx_1         | 172.20.0.1 - - [04/May/2023:20:04:32 +0000] "GET /api/v2/tests/?limit=100&engagement=23 HTTP/1.0" 200 66 "-" "Apache-HttpClient/4.5.14 (Java/17.0.6)" "10.65.32.201"
nginx_1         | 2023/05/04 20:04:32 [warn] 7#7: *157 a client request body is buffered to a temporary file /var/cache/nginx/client_temp/0000000007, client: 172.20.0.1, server: , request: "POST /api/v2/import-scan/ HTTP/1.0", host: "dojo.featurespace.net"
uwsgi_1         | [04/May/2023 20:04:32] WARNING [django.request:241] Bad Request: /api/v2/import-scan/
uwsgi_1         | [pid: 22|app: -|req: -/-] 172.20.0.1 (-) {48 vars in 833 bytes} [Thu May  4 20:04:32 2023] POST /api/v2/import-scan/ => generated 140 bytes in 40 msecs (HTTP/1.0 400) 8 headers in 244 bytes (1 switches on core 0)
nginx_1         | 172.20.0.1 - - [04/May/2023:20:04:32 +0000] "POST /api/v2/import-scan/ HTTP/1.0" 400 140 "-" "Apache-HttpClient/4.5.14 (Java/17.0.6)" "10.65.32.201"

@kmouzoul23 (author) commented:

It's an error related to pagination. Based on the following issue, #2707, it seems that it will be fixed in v4.8.1.

nscuro added a commit to nscuro/dependency-track that referenced this issue May 14, 2023
Fixes DependencyTrack#2628

Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro (Member)

nscuro commented May 14, 2023

While it looks related at first, the issue described here is related to when the scan_type in tests of the DD response is null. Our logic assumed that scan_type cannot be null, but apparently it can.


This too will be fixed in 4.8.1.
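The failure mode nscuro describes (a test entry in DefectDojo's paginated `/api/v2/tests/` listing whose `scan_type` is `null`, crashing a lookup that assumed a string) can be reproduced and guarded against in a few lines. The block below is an added example and is not Dependency-Track's or DefectDojo's own code: the page payloads are constructed to mirror DefectDojo's list response shape (`count`/`next`/`previous`/`results`), the test ids and scan-type strings are sample values, and `fetch_sample_page` stands in for the HTTP GET a real client would perform. `find_test_id_naive` carries the original assumption and blows up on the null entry; `find_test_id` skips non-string `scan_type` values and keeps walking the `next` links.

```python
"""Null-safe test lookup across DefectDojo's paginated /api/v2/tests/ listing.

Added example, not project code.  Page shapes below are constructed to mirror
the DefectDojo list response; ids and scan types are sample values.
"""
from typing import Any, Callable, Dict, Iterator, Optional

Page = Dict[str, Any]

# Constructed sample: one engagement's tests split over two pages.  Test 11 has
# scan_type null, which is the entry that triggered the NullPointerException.
FIRST_URL = "/api/v2/tests/?engagement=1&limit=2&offset=0"
FPF_SCAN_TYPE = "Dependency Track Finding Packaging Format (FPF) Export"  # sample value

SAMPLE_PAGES: Dict[str, Page] = {
    FIRST_URL: {
        "count": 3,
        "next": "/api/v2/tests/?engagement=1&limit=2&offset=2",
        "previous": None,
        "results": [
            {"id": 10, "engagement": 1, "scan_type": "Trivy Scan"},
            {"id": 11, "engagement": 1, "scan_type": None},
        ],
    },
    "/api/v2/tests/?engagement=1&limit=2&offset=2": {
        "count": 3,
        "next": None,
        "previous": FIRST_URL,
        "results": [
            {"id": 12, "engagement": 1, "scan_type": FPF_SCAN_TYPE},
        ],
    },
}


def fetch_sample_page(url: str) -> Page:
    """Stand-in for the HTTP GET against DefectDojo (hypothetical fetcher)."""
    return SAMPLE_PAGES[url]


def iter_tests(first_url: str, fetch: Callable[[str], Page]) -> Iterator[Dict[str, Any]]:
    """Yield every test in the listing, following `next` until the API returns null."""
    url: Optional[str] = first_url
    seen = set()
    while url:
        if url in seen:  # refuse to spin forever if a server keeps returning the same page
            raise RuntimeError(f"pagination loop detected at {url}")
        seen.add(url)
        page = fetch(url)
        yield from page.get("results", [])
        url = page.get("next")


def find_test_id_naive(first_url: str, fetch: Callable[[str], Page], wanted: str) -> Optional[int]:
    """The original assumption: scan_type is always a string.  Raises on a null entry."""
    for test in iter_tests(first_url, fetch):
        if test["scan_type"].casefold() == wanted.casefold():  # AttributeError when None
            return test["id"]
    return None


def find_test_id(first_url: str, fetch: Callable[[str], Page], wanted: str) -> Optional[int]:
    """Null-safe lookup: entries with a missing or non-string scan_type are skipped."""
    for test in iter_tests(first_url, fetch):
        scan_type = test.get("scan_type")
        if not isinstance(scan_type, str):
            continue  # null (or unexpected type) cannot match, move on
        if scan_type.casefold() == wanted.casefold():
            return test.get("id")
    return None


if __name__ == "__main__":
    print("FPF test id:", find_test_id(FIRST_URL, fetch_sample_page, FPF_SCAN_TYPE))
    try:
        find_test_id_naive(FIRST_URL, fetch_sample_page, FPF_SCAN_TYPE)
    except AttributeError as exc:
        print("naive lookup failed as expected:", exc)
```

The `seen` set in `iter_tests` is a small extra: a listing that never terminates (a `next` link pointing back at itself) would otherwise hang the upload task rather than fail loudly, and the first report above shows the client already paging deep into an engagement (offset 4500).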

@nscuro nscuro removed the in triage label May 14, 2023
@nscuro nscuro added this to the 4.8.1 milestone May 14, 2023
@github-actions (bot) commented:

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 14, 2023
@msymons msymons added the integration/defectdojo Related to the Defect Dojo integration label Jul 19, 2023