New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bad error reporting #2416
Comments
I'm not sure if this is a defect for dependency-check or Gradle itself. The error messages you are reporting are from the gradle build system. I'm not sure how my plugin could do better reporting if it can't load... |
I'm not complaining about Gradle only showing the top-most message unless you use I'd say in |
@Vampire The only occurrence I can find for the scenario of "Unexpected Exception" as the exception message is in DependencyCheck/core/src/main/java/org/owasp/dependencycheck/Engine.java Lines 793 to 802 in 60e74e8
Which is throwing an exception including its cause. So my gut feel is that Gradle is limiting the depth of the printed stacktrace. Which appears to be consistent with their documentation of CLI-options. I expect that you'll find the full traces when you run |
The |
The problem is not Gradle truncating stack traces and it is not fixable by That it manifests in Gradle is probably because it does not use |
Which also means that it might not help to adopt the Throwable.addSuppressed, which are accounted for in the printStackTrace (of java.lang.Throwable), but which are not taken into account on the getStackTrace which is documented as being the runtime-retrievable result of a printStackTrace. I'm willing to work on refactoring the use of the custom ExceptionCollection as a solution to defer reporting the exceptions in the analysis into an Exception that handles handles them in the standard java mechanism of suppressed exceptions registered against the Throwable, but that effort would be wasted if it wouldn't offer a solution for this issue. |
@aikebah a simpler solution might be to simply log any inner exceptions from the |
Simpler, but not necessarily more usefull. In my career I've seen plenty of bad/unclear exceptions thrown from libraries that require you to inspect the stacktrace. Exceptions with null or empty error message or useless messages that require you to have a look at the stacktrace and then digging through source code. |
Revisiting the addSuppressed documentation makes me reconsider... API contract of addSuppressed is for a different purpose - being able to swallow exceptions that happen after some initial exception that you intend to (re)throw at the end of error handling code. So seems better to in some way improve current ExceptionCollection in order to ensure that full error information is retained and reported for all cases. |
I'm leaning towards a short-term mitigation along the lines of a verbose message for the Exception Collection that allows to review the Exception-cause-stack for each of the exceptions in the collection: Build the exception message of the ExceptionCollection that would fully report the caused-by traces of each exception in the form In this way errors should become more easily traceable to their root cause for tools that don't use printStackTrace to show the stacktrace leading up to an exception. For the long term my gut feel is that the exception handling needs re-architecting to get the (mutable!!!) ExceptionCollection Exception replaced. For the rationale see SonarQube's documentation for squid:S1165. For only one exception it could be accounted for by setting that exception as the cause for the thrown exception. But if the ExceptionCollection holds more than one fatal exception (e.g. from more than one analyzer) we would not be able to build a single cause-stack to show the errors encountered and we might as well just stop on the first exception as the others would be non-traceable for their root-cause and thus non-resolvable for the user until they become the first-in-line that gets reported in the exception-cause-stack. @jeremylong would like to hear your thoughts on such a short-term approach, combined with an enhancement issue for a long-term solution. I would be willing to work on building a short-term mitigation and invest some time in trying to come up with a design of a new way of handling the exceptions that would fit the desired immutable state of the Java exception model and allow for the delayed reporting with full traceability of root causes for each of the reported exceptions - that design proposal could then be discussed in the context of that enhancement issue. |
Following on from my duplicate ticket, the line which was throwing away the cause was: DependencyCheck/core/src/main/java/org/owasp/dependencycheck/exception/ExceptionCollection.java Line 59 in dbaac07
At a minimum, this code could include the first exception as the cause, which would be better than nothing. What we generally do at work in the same situation though is to include the first exception as the cause, and then chain the rest on with Then it's up to Gradle to format it properly. Which mostly it has been for us, but we do ask it to dump full stack traces on failure. |
@jeremylong I created the proposed short-term fix of an extended log message. In the gradle plugin with
If you agree with the approach I can merge it into master |
I think that is an okay quick fix for the issue. I also agree the overall exception handling may need to be re-worked. |
Extended message as an interim fix for #2416
Quick-fix will be part of the next release. Structural improvement to the exception handling will be handled under the new enhancement issue. |
@jeremylong since this issue is closed, is there another issue for reworking the overall exception handling? @aikebah you say
But the
|
Describe the bug
Due to gradle/gradle#11795, there are problems with the used library versions, as much older versions needed by stuff in
buildSrc
win in the class path and then there are missing method exceptions.This of course is not your fault and not what I report here.
But the output in this case is sometimes super unhelpful, which is what I do report here.
A good example is a too old commons-io (1.3.1) that causes the build to fail with
and if run with
-s
reveals theCaused by: java.lang.NoSuchMethodError: org.apache.commons.io.filefilter.SuffixFileFilter.<init>(Ljava/util/List;Lorg/apache/commons/io/IOCase;)V
cause.A bad example is a too old guava that causes the build to fail with
and if run with
-s
only sayswhich is pretty meaningless.
After setting a breakpoint and assembling the stacktrace in
Engine#analyzeDependencies
I finally got the cause which isCaused by: java.lang.NoSuchMethodError: com.google.common.base.Preconditions.checkState(ZLjava/lang/String;Ljava/lang/Object;)V
.Version of dependency-check used
The problem occurs using version 5.2.4 of the gradle plugin
The text was updated successfully, but these errors were encountered: