sonatype/ossindex-maven

NullPointerException @ org.sonatype.ossindex.maven.common.ComponentReportAssistant.match (ComponentReportAssistant.java:180)

Closed this issue · 17 comments

I observe this error with the ossindex-maven-plugin:3.0.3:audit goal:

[WARNING] Failed to fetch component-reports
java.lang.NullPointerException
at org.sonatype.ossindex.maven.common.ComponentReportAssistant.match (ComponentReportAssistant.java:180)
at org.sonatype.ossindex.maven.common.ComponentReportAssistant.request (ComponentReportAssistant.java:95)
at org.sonatype.ossindex.maven.plugin.AuditMojo.execute (AuditMojo.java:246)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke (Method.java:498)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415)
at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356)

My environment:
Apache Maven 3.6.0 (97c98ec64a1fdfee7767ce5ffb20918da4f719f3; 2018-10-24T20:41:47+02:00)
Maven home: C:\Program Files\Apache Software Foundation\apache-maven-3.6.0\bin..
Java version: 1.8.0_192, vendor: Oracle Corporation, runtime: C:\Program Files\Java\jdk1.8.0_192\jre
Default locale: de_DE, platform encoding: Cp1252
OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows"

The error does not occur with 3.0.0.

What were you scanning? Is that something you can share, and/or can you create an example project that has the same issue? mvn -X output would also be helpful.

Does this happen with 3.0.2?

Thanks for the report; I will look more, though if you could provide additional details that would help.

I'm seeing this too in 3.0.3. It looks like it is getting a null report. Not sure if you can just ignore a null report. I could try it and push a pull request if you are interested.

@kc7bfi Yes, it's getting a null when it should not. Do you have an example that shows this so I can see what is going on? It can be guarded, but it smells like there is something else that is misbehaving that needs to be resolved.

Unfortunately it is a large project that includes a number of private libraries. However, every time it crashes it references the file:

$USER\AppData\Local\Sonatype\Ossindex\report-cache\fd\d8\fdd812c8e4d90d13e9cb70c8887e772d615c70f7

This file contains the contents:

{"coordinates":"pkg:maven/javax.media/jai-core@1.1.3","reference":"https://ossindex.sonatype.org/component/pkg:maven/javax.media/jai-core@1.1.3","vulnerabilities":[]}

Is there some debug info I can turn on? David

@kc7bfi You can use mvn -X to spit out more detail. There are a few known issues with the new cache that impact Windows that are being looked at, but I'd like to see if this is related or not.

Can you confirm if 3.0.2 behaves the same?

thanks!

Here is the log from -X:
t.txt

@kc7bfi Thanks, though sadly this doesn't help shed any light on what's going on; it appears to be resolving cached entries without problems.

I will keep looking though. In the meantime you may want to use 3.0.2. If 3.0.2 still has issues then it's not related to the new cache.

For now I've added a guard and a log to help indicate which coordinate is missing a report: 00e5f3c

I've tried to reproduce, but so far no luck; so if you get a chance to create an example project that exhibits this behavior it would help too.

Thanks :-)

I observe the same problem with 3.0.2 and 3.0.1.
When I debug it, the report parameter is null for this value:
"pkg:maven/com.sun.media/jai_codec@1.1.3-AP=null"
(ComponentReportAssistant, line 88)

With 3.0.2 I see the following error:

[WARNING] Failed to load entry: C:\Users\David.Robison.PSGGLOBAL\AppData\Local\Sonatype\Ossindex\report-cache\21\4f\214f5855b483883232710d6a9105b03023fbb8c4
java.nio.file.FileSystemException: C:\Users\David.Robison.PSGGLOBAL\AppData\Local\Sonatype\Ossindex\report-cache\21\4f\214f5855b483883232710d6a9105b03023fbb8c4: The process cannot access the file because it is being used by another process.

However, I just rebooted my system and nothing should be accessing the file. Ideas?

On 3.0.2 I still occasionally get the error:

[WARNING] Failed to fetch component-reports
java.lang.NullPointerException
at org.sonatype.ossindex.maven.common.ComponentReportAssistant.match (ComponentReportAssistant.java:147)
at org.sonatype.ossindex.maven.common.ComponentReportAssistant.request (ComponentReportAssistant.java:92)
at org.sonatype.ossindex.maven.plugin.AuditMojo.execute (AuditMojo.java:243)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:208)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:154)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:146)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:290)
at org.apache.maven.cli.MavenCli.main (MavenCli.java:194)
at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke (Method.java:498)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415)
at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356)

If you want to deploy a snapshot version of the plugin with debug statements I can run it and give you the feedback. David

@kc7bfi A few problems with the new cache impl (it clearly wasn't baked long enough); "failed to load entry" is one of those, and an update for the cache is being prepared.

If the NPE happens before 3.0.2 then it's unrelated to the cache. So far we are unable to reproduce that, however :-\

Please find attached a project to reproduce the NPE.
test.zip
The zip contains the dependency, which is causing the problem in my case.
After installing it in your local maven repo I hope you can reproduce it, too.

@m0schaefer Thanks for the example project, though that artifact does not exist in Central, which makes it hard to reproduce. Is that artifact in a publicly accessible repository that also causes this problem, and/or is there an artifact in Central that shows this problem?

No, the artifact is not publicly available. It is the only one causing the NPE.
However, when I change the dependency to

<dependency>
     <groupId>com.sun.media</groupId>
     <artifactId>jai_codec</artifactId>
     <version>1.1.2_01</version> <!-- pom available in maven central -->
     <scope>system</scope>  
     <systemPath>D:\dev\m2\com\sun\media\jai_codec\1.1.3-AP\jai_codec-1.1.3-AP.jar</systemPath>
</dependency>

the plugin logs the NPE, too:

[INFO] --- ossindex-maven-plugin:3.0.3:audit (default) @ test ---
[INFO] Checking for vulnerabilities; 1 artifacts
[INFO] Exclude coordinates: []
[INFO] Exclude vulnerability identifiers: []
[INFO] CVSS-score threshold: 0.0
[WARNING] Failed to fetch component-reports
java.lang.NullPointerException
at org.sonatype.ossindex.maven.common.ComponentReportAssistant.match (ComponentReportAssistant.java:180)
at org.sonatype.ossindex.maven.common.ComponentReportAssistant.request (ComponentReportAssistant.java:95)
at org.sonatype.ossindex.maven.plugin.AuditMojo.execute (AuditMojo.java:246)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke (Method.java:498)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415)
at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356)

@m0schaefer So that's the same NPE from a missing report; 3.0.4, just released, will now log a warning in that case instead of throwing an NPE. We are still not able to reproduce this; not saying it's not a problem, clearly it is, but I still do not know how to reproduce this to resolve it, sorry.

Side note, and I hope it's just for testing: you really shouldn't use system-scoped stuff. Do you do much with system scope?

Thanks!

I can't reproduce the error anymore, neither with version 3.0.2 nor 3.0.3.
The value of
"ComponentReport report" is now no longer null but set to
ComponentReport{coordinates=pkg:maven/com.sun.media/jai_codec@1.1.3-AP, description=null}
So I guess something has changed on the back-end ...

I'm going to close this for now; if anyone sees this again, or rather the new warning complaining about a missing report, and can provide a reference example with coordinates from Central (or another public repo is fine), then we can investigate further.
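The guard the maintainer describes (log a warning for a coordinate that came back without a report instead of dereferencing null), written out as an added, simplified illustration. This is not the plugin's own code: the class and method names are assumptions, the report model is reduced to its coordinates, the sample input is constructed inline, and `List.of`/`Map.of` assume Java 9 or later. It also keeps the unaudited coordinates in the result, because for a vulnerability scanner a skipped component is a coverage gap, not a clean result.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;

// Hypothetical, simplified stand-in for the plugin's report matching; the class and
// method names are assumptions, not the ossindex-maven-plugin's own API.
public class ReportMatcher {
    private static final Logger LOG = Logger.getLogger(ReportMatcher.class.getName());

    // Minimal report model: only the coordinates the report was issued for.
    public static final class ComponentReport {
        public final String coordinates;
        public ComponentReport(String coordinates) { this.coordinates = coordinates; }
    }

    // A missing report means the component was NOT checked, which is different from
    // "no vulnerabilities found", so the result keeps unaudited coordinates visible.
    public static final class MatchResult {
        public final List<ComponentReport> matched = new ArrayList<>();
        public final List<String> unaudited = new ArrayList<>();
    }

    // Match requested coordinates against the reports the service (or cache) returned;
    // a coordinate with no report (e.g. a system-scoped artifact that exists in no public
    // repository) is logged and collected instead of dereferenced, which was the NPE above.
    public static MatchResult match(List<String> requested, Map<String, ComponentReport> reports) {
        MatchResult result = new MatchResult();
        for (String coordinates : requested) {
            ComponentReport report = reports.get(coordinates);
            if (report == null) {
                LOG.warning("Missing component-report for: " + coordinates);
                result.unaudited.add(coordinates);
            } else {
                result.matched.add(report);
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample input: one coordinate has a cached report, one has none.
        String known = "pkg:maven/javax.media/jai-core@1.1.3";
        MatchResult result = match(List.of(known, "pkg:maven/com.sun.media/jai_codec@1.1.3-AP"),
                                   Map.of(known, new ComponentReport(known)));
        System.out.println("audited=" + result.matched.size() + " unaudited=" + result.unaudited);
    }
}
```

A build that wants fail-closed behaviour can fail when `result.unaudited` is non-empty, while the warning alone mirrors what 3.0.4 does according to the thread.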