NullPointerException in Trivy Analyzer if Component doesn't have a Version #4257
Comments
I can't reproduce the issue with the BOM snippet you provided. In fact, we already filter out components which don't have a (complete) PURL: `dependency-track/src/main/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTask.java`, lines 168 to 184 in 9117383.

It works with this, though:

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:975bf412-c238-415d-be65-cf8eb1acab54",
  "version": 1,
  "components": [
    {
      "type": "library",
      "bom-ref": "16ada406-dbc9-45de-8e8f-bb9025e34b11",
      "name": "some-library-name",
      "purl": "pkg:maven/foo/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "2"
        }
      ]
    }
  ]
}
```

Note how the component has a PURL with version, but no dedicated `dependency-track/src/main/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTask.java`, lines 215 to 219 in 9117383
Fortunately this has already been addressed with #4245
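The maintainer's point above (components are only scanned when they carry a complete PURL, and a component may have its version only inside the PURL) and the reporter's expected behaviour (one version-less component must not abort the analysis of the others) can both be illustrated with a small selection step. This is an added example written for this page, not code from Dependency-Track; the `ScanTarget` type, `select_scan_targets` function and the sample BOM are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ScanTarget:
    """One component that is safe to hand to the vulnerability scanner."""
    bom_ref: str
    name: str
    version: str
    purl: str

def purl_version(purl: str) -> Optional[str]:
    """Return the version part of a Package URL, or None if it has none.

    Layout: pkg:type/namespace/name@version?qualifiers#subpath
    Qualifiers and subpath are stripped first so an '@' in them is ignored.
    """
    body = purl.split("#", 1)[0].split("?", 1)[0]
    if "@" not in body:
        return None
    version = body.rsplit("@", 1)[1]
    return version or None

def select_scan_targets(bom: dict):
    """Split BOM components into scannable targets and skipped bom-refs.

    A component is skipped (not an error) when it has no PURL, or when neither
    the 'version' field nor the PURL carries a version, so one incomplete entry
    never stops the analysis of the remaining components.
    """
    targets, skipped = [], []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        # Prefer the explicit version field; otherwise fall back to the PURL's.
        version = comp.get("version") or (purl_version(purl) if purl else None)
        if not purl or not version:
            skipped.append(comp.get("bom-ref") or comp.get("name", "<unnamed>"))
            continue
        targets.append(ScanTarget(comp.get("bom-ref", ""), comp["name"], version, purl))
    return targets, skipped

# Constructed CycloneDX 1.5 fragment: explicit version, PURL-only version, no version at all.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "bom-ref": "ref-a", "name": "lib-a", "version": "1.2.3",
         "purl": "pkg:maven/org.example/lib-a@1.2.3"},
        {"type": "library", "bom-ref": "ref-b", "name": "lib-b",
         "purl": "pkg:maven/org.example/lib-b@4.5.6?type=jar"},
        {"type": "library", "bom-ref": "ref-c", "name": "lib-c",
         "purl": "pkg:maven/org.example/lib-c"},
    ],
}
```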
Thanks a lot for the quick update. Will retest this issue as soon as 4.12.1 is available.
Current Behavior
Hello,
I noticed that since the migration to Protobuf for the Trivy Integration a NullPointerException is thrown if at least one component doesn't have a version which completely stops the analysis for all other components.
We are using CycloneDX 1.5
Server Error
For now I reverted dependency-track to 4.11.5 and Trivy to 0.53.0 as it still works properly there.
Steps to Reproduce
Expected Behavior
Even if one component has no Version the rest of the components get analysed properly.
I suppose if no Version exists it should be possible to completely skip the analysis since no vulnerability information would be found either way.
Dependency-Track Version
4.12.0
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
16.4
Browser
Google Chrome
Checklist