NullPointerException when csproj has Remove attribute #5144

Closed
sylvaingirardbe opened this issue Dec 13, 2022 · 5 comments
@sylvaingirardbe

Describe the bug
When you have a csproj file that has PackageReference with a Remove attribute, DependencyCheck fails with a NullPointerException.

Version of dependency-check used
6.0.4 in Azure Devops, which is the cli version, if I'm not mistaken.

Log file
Log in reproduction steps.

To Reproduce
Steps to reproduce the behavior:
Have a csproj like this where the PackageReference with Remove attribute is the important one

<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <AspNetCoreHostingModel>InProcess</AspNetCoreHostingModel>
    <UserSecretsId>bad443ff-023c-47a3-85b1-70734cd44900</UserSecretsId>
    <DockerDefaultTargetOS>Linux</DockerDefaultTargetOS>
    <LangVersion>10</LangVersion>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.7.9" />
    <PackageReference Remove="Microsoft.NETCore.App" />
  </ItemGroup>

  <ItemGroup>
    <Folder Include="wwwroot\reports\" />
  </ItemGroup>
</Project>

Run a scan and see this exception in the console

[WARN] An error occurred while analyzing '/azp/agent/_work/1/s/***/***.csproj' (MSBuild Project Analyzer).
...
[INFO] Writing report to: /azp/agent/_work/1/a/dependency-check-report.html
[INFO] Writing report to: /azp/agent/_work/1/a/dependency-check-junit.xml
[ERROR] java.lang.NullPointerException

Dependency Check completed with exit code 242.
Dependency Check reports:
[ '/azp/agent/_work/1/a/dependency-check-junit.xml',
  '/azp/agent/_work/1/a/dependency-check-report.html' ]
Dependency Check failed with message "Dependency Check exited with an error code (exit code: 242)."
##[error]Dependency Check exited with an error code (exit code: 242).

And this in the log on the agent:

org.owasp.dependencycheck.analyzer.exception.AnalysisException: java.lang.NullPointerException
        at org.owasp.dependencycheck.analyzer.MSBuildProjectAnalyzer.analyzeDependency(MSBuildProjectAnalyzer.java:174)
        at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.lang.NullPointerException: null
        at org.owasp.dependencycheck.data.nuget.XPathMSBuildProjectParser.parse(XPathMSBuildProjectParser.java:71)
        at org.owasp.dependencycheck.analyzer.MSBuildProjectAnalyzer.analyzeDependency(MSBuildProjectAnalyzer.java:120)
        ... 7 common frames omitted

Expected behavior
The scan to complete successfully.

@aikebah
Collaborator

aikebah commented Dec 13, 2022

Not surprisingly.... as the only documented package reference is an Include

@aikebah
Collaborator

aikebah commented Dec 13, 2022

So how is one to know that there is actually also a "Remove" version of it (let alone be aware of what effects that would have)?

@aikebah
Collaborator

aikebah commented Dec 13, 2022

The NullPointerException would be easy to fix, but proper behaviour of the analyzer will likely also require making the "Remove" option yield the expected effect (which is fully undocumented).

@yigityuksel

Hello,

Besides the "Remove" option, there is no support for "Update". For example, the following configuration causes the NullPointerException.

  <ItemGroup>
      <PackageReference Update="Microsoft.CodeAnalysis.NetAnalyzers" Version="6.0.0">
          <PrivateAssets>all</PrivateAssets>
          <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
      </PackageReference>
  </ItemGroup>
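The Remove case from the original report and the Update case from this comment, as an added example in Python (not dependency-check's Java XPath parser): it assumes standard MSBuild item semantics (Include adds a package, Remove drops a previously included one, Update changes metadata such as Version on an existing one) and runs on a constructed csproj modelled on the snippets in this thread. parse_include_only mirrors the failing assumption that every PackageReference carries an Include; parse_package_references applies or skips the other operations instead of dereferencing a missing attribute.

```python
import xml.etree.ElementTree as ET

# Constructed sample csproj (not a file from the issue) that exercises
# Include, Remove and Update items in one ItemGroup; versions are made up.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.7.9" />
    <PackageReference Include="Microsoft.NETCore.App" Version="2.2.8" />
    <PackageReference Include="Microsoft.CodeAnalysis.NetAnalyzers" Version="5.0.0" />
    <PackageReference Remove="Microsoft.NETCore.App" />
    <PackageReference Update="Microsoft.CodeAnalysis.NetAnalyzers" Version="6.0.0">
      <PrivateAssets>all</PrivateAssets>
    </PackageReference>
  </ItemGroup>
</Project>"""


def parse_include_only(xml_text):
    """Failing assumption: every PackageReference has an Include attribute.
    Raises KeyError on a Remove/Update-only element (the Python analogue of the NPE)."""
    root = ET.fromstring(xml_text)
    return {ref.attrib["Include"]: ref.attrib.get("Version")
            for ref in root.iter("PackageReference")}


def parse_package_references(xml_text):
    """Return {package_id: version} after applying Include/Remove/Update in document order.
    Elements with none of these attributes are skipped rather than dereferenced."""
    root = ET.fromstring(xml_text)
    packages = {}
    for ref in root.iter("PackageReference"):
        if "Include" in ref.attrib:
            pkg = ref.attrib["Include"]
            # Version may be an attribute or a child element, and may be absent entirely.
            version = ref.attrib.get("Version")
            if version is None:
                child = ref.find("Version")
                version = child.text.strip() if child is not None and child.text else None
            packages[pkg] = version
        elif "Remove" in ref.attrib:
            # Remove drops a previously included item; a no-op if it was never added.
            packages.pop(ref.attrib["Remove"], None)
        elif "Update" in ref.attrib:
            # Update only changes metadata of an existing item; it adds no dependency.
            pkg = ref.attrib["Update"]
            if pkg in packages and "Version" in ref.attrib:
                packages[pkg] = ref.attrib["Version"]
    return packages
```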

aikebah added a commit that referenced this issue Jan 20, 2023
Improved version of #5293. We should not attempt dereference of the null-valued attribute-node of an absent Include attribute
@jeremylong
Owner

This should be fixed with 8.2.1
