TypeError: response.component.measures.filter(...)[0] is undefined #158

Closed
marschall opened this issue Jun 19, 2019 · 14 comments
@marschall

Describe the bug
When we open the Dependency-Check view on some of our projects, we get the following JavaScript error:

TypeError: response.component.measures.filter(...)[0] is undefined

The issue is that response.component.measures is empty on the following line
https://github.com/SonarSecurityCommunity/dependency-check-sonar-plugin/blob/master/sonar-dependency-check-plugin/src/main/resources/static/report.js#L38

To Reproduce

  1. Click More -> Dependency-Check

Current behavior
JavaScript error

Expected behavior
No JavaScript error

Versions (please complete the following information):

  • dependency-check unknown
  • sonarqube 6.7.7
  • dependency-check-sonar-plugin 1.1.5
@marschall marschall added the bug label Jun 19, 2019
@squix78

squix78 commented Jun 24, 2019

+1. I would love to see this fixed

@Reamer
Member

Reamer commented Jun 25, 2019

Can you reproduce this behavior with any example project?

@marschall
Author

We currently cannot reproduce the issue with a small project. However, our SonarQube builds are currently failing. We will try to get them passing again and see whether that fixes the issue.

@nielsvn92

I'm currently having the exact same issue.

SonarQube version 7.9 (latest)
Dependency-check-sonar-plugin 1.2.4 (latest)
Dependency-check 5.1.0 (latest)

@Reamer
Member

Reamer commented Jul 7, 2019

Did you see anything suspicious in sonarqube, sonar-scanner or proxy-access logs?

@nielsvn92

nielsvn92 commented Jul 8, 2019

The only thing I'm seeing, is something in the sonar scanner plugin (I'm using the XML report).
It does look like the vulnerabilities are passed correctly though, because I can see them as issues in my code in SonarQube.

[INFO] ------------- Run sensors on project
[INFO] Sensor Dependency-Check [dependencycheck]
[INFO] Process Dependency-Check report
[INFO] Linking 141 dependencies to DependencyReasons
[INFO] Dependency-Check HTML report does not exists. Please check property sonar.dependencyCheck.htmlReportPath:/builds/jcorians/fasttracker-app/${WORKSPACE}/dependency-check-report.html
[INFO] HTML-Dependency-Check report does not exist.
[INFO] Process Dependency-Check report (done) | time=234ms
[INFO] Sensor Dependency-Check [dependencycheck] (done) | time=236ms

@marschall
Author

Did you see anything suspicious in sonarqube, sonar-scanner or proxy-access logs?

Not anymore, we used to see

[WARNING] An error occurred while analyzing '/home/acme/.m2/repository/com/acme/acme-project/acme-core/3.3.1/acme-core-3.3.1.jar' (Sonatype OSS Index Analyzer).

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.0.0:check (default-cli) on project acme-test: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis:
[ERROR] Failed to request component-reports
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
[ERROR]
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR]   mvn <goals> -rf :acme-test 

Now the only thing we're seeing are

[INFO] Process Dependency-Check report
[WARNING] Dependency-Check report does not exist. SKIPPING. Please check property sonar.dependencyCheck.reportPath:target/dependency-check/dependency-check-report.xml
[INFO] Process Dependency-Check report (done) | time=0ms
[WARNING] Dependency-Check report does not exist. SKIPPING. Please check property sonar.dependencyCheck.htmlReportPath:${WORKSPACE}/dependency-check-report.html
[INFO] Sensor Dependency-Check [dependencycheck] (done) | time=1ms

@Reamer
Member

Reamer commented Jul 9, 2019

@nielsvn92
If you are using mvn as your build management tool, then check that you generate XML and HTML reports with dependency-check. In general, I advise you to create all formats.
After this, the HTML report should be uploaded to SonarQube; if not, check the property sonar.dependencyCheck.htmlReportPath.

@marschall
It seems that you have problems with the dependency-check-maven tool. If you have solved this problem, you can use dependency-check-sonar-plugin for reading these reports.

HTML-Report -> Only for uploading to Sonarqube, presented in Sonarqube-GUI as an ugly iframe
XML-Report -> Will be parsed by dependency-check-sonar-plugin to create issues and measures in sonarqube

@nielsvn92

@nielsvn92
If you are using mvn as your build management tool, then check that you generate XML and HTML reports with dependency-check. In general, I advise you to create all formats.
After this, the HTML report should be uploaded to SonarQube; if not, check the property sonar.dependencyCheck.htmlReportPath.

Ahhh right, sorry. I just generated the HTML report, and set the path property. Now it works correctly! Just saw that this was actually written in the readme too, so sorry for not reading the manual correctly..

Thanks!
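The failure mode discussed in this thread (an empty `measures` array indexed with `[0]`), shown next to a guarded lookup. This is an added example, not the plugin's `report.js`: the `metric`/`value` fields follow SonarQube's measures API response, while the metric key `report`, the function names and the sample responses are assumptions made for illustration.

```javascript
// Added example; not code from dependency-check-sonar-plugin.
const REPORT_METRIC = "report"; // hypothetical metric key for the stored HTML report

// The pattern from the error message: throws when no measure matches.
function unguarded(response) {
  return response.component.measures.filter((m) => m.metric === REPORT_METRIC)[0].value;
}

// Returns the matching measure, or null when the component, the measures
// array, the metric, or its value is missing.
function findMeasure(response, metricKey) {
  const measures = response && response.component && response.component.measures;
  if (!Array.isArray(measures)) return null;
  const match = measures.find((m) => m && m.metric === metricKey);
  return match && typeof match.value === "string" && match.value.length > 0 ? match : null;
}

// Turns the lookup into something the page can render instead of crashing.
function resolveReportView(response) {
  const measure = findMeasure(response, REPORT_METRIC);
  if (measure === null) {
    return {
      ok: false,
      message:
        "No Dependency-Check HTML report is stored for this project. " +
        "Check sonar.dependencyCheck.htmlReportPath and the scanner log.",
    };
  }
  return { ok: true, html: measure.value };
}

// Constructed sample responses (not captured from a real server).
const withReport = {
  component: { key: "demo", measures: [{ metric: "report", value: "<html>...</html>" }] },
};
const emptyMeasures = { component: { key: "demo", measures: [] } };

console.log(resolveReportView(withReport).ok);
console.log(resolveReportView(emptyMeasures).message);
```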

@Reamer
Member

Reamer commented Oct 10, 2019

@marschall
Do you need more help? If not I would close this issue.

@marschall
Author

@Reamer it's still happening but I found no time to build a reproducer

@Reamer
Member

Reamer commented Feb 25, 2020

Hi @marschall,
can you check if the pre-release solves your issue? This pre-release is based on the rewrite_javascript branch.

@marschall
Author

@Reamer Sorry, I don't think I'll be able to test a pre-release.

@Reamer Reamer mentioned this issue Feb 26, 2020
@Reamer
Member

Reamer commented Mar 17, 2020

@marschall Fix should be in next release (> 2.0.3)
Fixed by #221

@Reamer Reamer closed this as completed Mar 17, 2020