update fails with a NPE using maven 3.9.0 #5437

Closed
sellersj opened this issue Feb 9, 2023 · 5 comments
Contributor

sellersj commented Feb 9, 2023

Describe the bug
When using maven 3.9.0, updating the database fails:

java.lang.NullPointerException: Cannot invoke "java.util.List.stream()" because the return value of "org.apache.maven.project.MavenProject.getCollectedProjects()" is null

Version of dependency-check used
The problem occurs using version 7.4.4 of the maven plugin

Log file

Apache Maven 3.9.0 (9b58d2bad23a66be161c4664ef21ce219c2c8584)
Maven home: /mnt/c/users/sellersj/Downloads/apache-maven-3.9.0
Java version: 17.0.5, vendor: Private Build, runtime: /usr/lib/jvm/java-17-openjdk-amd64
Default locale: en, platform encoding: UTF-8
OS name: "linux", version: "5.10.16.3-microsoft-standard-wsl2", arch: "amd64", family: "unix"
...
[ERROR] Cannot invoke "java.util.List.stream()" because the return value of "org.apache.maven.project.MavenProject.getCollectedProjects()" is null
java.lang.NullPointerException: Cannot invoke "java.util.List.stream()" because the return value of "org.apache.maven.project.MavenProject.getCollectedProjects()" is null
    at org.apache.maven.lifecycle.internal.LifecycleDependencyResolver.getProjectAndSubModules (LifecycleDependencyResolver.java:102)
    at org.apache.maven.lifecycle.internal.LifecycleDependencyResolver.getProjects (LifecycleDependencyResolver.java:93)
    at org.apache.maven.lifecycle.internal.MojoExecutor.ensureDependenciesAreResolved (MojoExecutor.java:395)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:327)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:213)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:175)
    at org.apache.maven.lifecycle.internal.MojoExecutor.access$000 (MojoExecutor.java:76)
    at org.apache.maven.lifecycle.internal.MojoExecutor$1.run (MojoExecutor.java:163)
    at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute (DefaultMojosExecutionStrategy.java:39)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:160)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:105)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:73)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:53)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:118)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:260)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:172)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:100)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:821)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:270)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:77)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:568)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
[ERROR]

To Reproduce
Steps to reproduce the behavior:
1. Download and extract maven 3.9.0
2. Run

./apache-maven-3.9.0/bin/mvn -X -V org.owasp:dependency-check-maven:7.4.4:update-only -e -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2

It also happens if you use version 8.0.2 or using java 8.

Expected behavior
For it to update the database.

@sellersj sellersj added the bug label Feb 9, 2023
Contributor Author

sellersj commented Feb 9, 2023

Note: I typically run the update-only task by itself without a pom file in CI.

I think that if you run the command in the same directory as a pom.xml it will work.

Collaborator

aikebah commented Feb 9, 2023

Yikes... maven returning null instead of an empty list on a minor release... sounds like a regression to report there as well.

@aikebah aikebah added this to the 8.1.0 milestone Feb 9, 2023
Contributor Author

sellersj commented Feb 9, 2023

Will do. Sorry I didn't look at the stack trace very closely - I don't see any owasp code in it. Will create a ticket there and link it from here.

Contributor Author

sellersj commented Feb 9, 2023

Seems this is a known maven bug
https://issues.apache.org/jira/browse/MNG-7679

Since this isn't a dependency check issue, I'll close the ticket.

@sellersj sellersj closed this as completed Feb 9, 2023
@aikebah aikebah removed this from the 8.1.0 milestone Feb 9, 2023
Collaborator

aikebah commented Feb 9, 2023

> Will do. Sorry I didn't look at the stack trace very closely - I don't see any owasp code in it. Will create a ticket there and link it from here.

I also didn't spot that detail, thought it would've been triggered somewhere in our codebase, but indeed it's fully isolated to Maven itself. And thanks for digging up the maven ticket. When I quickly tried to see if the NPE was already reported in maven JIRA (for some plugin) I failed to find it.
