NullPointerException in Trivy Analyzer if Component doesn't have a Version #4257

Closed
2 tasks done
FFichtner opened this issue Oct 15, 2024 · 3 comments · Fixed by #4245
Labels
defect Something isn't working integration/trivy Related to the Trivy integration
Comments

@FFichtner

Current Behavior

Hello,

I noticed that since the migration to Protobuf for the Trivy integration a NullPointerException is thrown if at least one component doesn't have a version, which completely stops the analysis for all other components.
We are using CycloneDX 1.5.

Server Error

2024-10-15 07:55:41,708 ERROR [VulnerabilityAnalysisTask] An unexpected error occurred performing a vulnerability analysis task
java.lang.NullPointerException: null
    at trivy.proto.common.Package$Builder.setVersion(Package.java:1730)
    at org.dependencytrack.tasks.scanners.TrivyAnalysisTask.analyze(TrivyAnalysisTask.java:275)
    at org.dependencytrack.tasks.scanners.TrivyAnalysisTask.inform(TrivyAnalysisTask.java:158)
    at org.dependencytrack.tasks.VulnerabilityAnalysisTask.performAnalysis(VulnerabilityAnalysisTask.java:168)
    at org.dependencytrack.tasks.VulnerabilityAnalysisTask.analyzeComponents(VulnerabilityAnalysisTask.java:128)
    at org.dependencytrack.tasks.VulnerabilityAnalysisTask.inform(VulnerabilityAnalysisTask.java:72)
    at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:110)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)

For now I reverted dependency-track to 4.11.5 and Trivy to 0.53.0 as it still works properly there.

Steps to Reproduce

  1. Upload an SBOM with at least one component without a version, e.g.
{
  "bomFormat" : "CycloneDX",
  "specVersion" : "1.5",
  "serialNumber" : "urn:uuid:975bf412-c238-415d-be65-cf8eb1acab54",
  "version" : 1,
  "metadata" : {
    "timestamp" : "2024-10-15T07:58:12Z",
    "tools" : [
      {
        "vendor" : "OWASP",
        "name" : "Dependency-Track",
        "version" : "4.12.0"
      }
    ],
    "component" : {
      "type" : "application",
      "bom-ref" : "73a0b27c-101f-4f02-8dc7-603531b83444",
      "name" : "some-application-name",
      "version" : "1.0.0"
    }
  },
  "components" : [
    {
      "type" : "application",
      "bom-ref" : "16ada406-dbc9-45de-8e8f-bb9025e34b8f",
      "name" : "some-component-name",
      "properties" : [
        {
          "name" : "aquasecurity:trivy:SchemaVersion",
          "value" : "2"
        }
      ]
    },
   ...
  ],
  ...
}
  2. Trigger "Reanalyze" under "Audit Vulnerabilities"

Expected Behavior

Even if one component has no version, the rest of the components get analysed properly.

I suppose if no version exists it should be possible to skip the analysis entirely, since no vulnerability information would be found either way.

Dependency-Track Version

4.12.0

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

16.4

Browser

Google Chrome

@FFichtner FFichtner added defect Something isn't working in triage labels Oct 15, 2024
@nscuro
Member

nscuro commented Oct 15, 2024

I can't reproduce the issue with the BOM snippet you provided. In fact, we already filter out components which don't have a (complete) PURL:

@Override
public boolean isCapable(Component component) {
    // A PURL is only considered valid when every part, including the version, is present.
    final boolean hasValidPurl = component.getPurl() != null
            && component.getPurl().getScheme() != null
            && component.getPurl().getType() != null
            && component.getPurl().getName() != null
            && component.getPurl().getVersion() != null;
    if (!hasValidPurl && component.getPurl() == null) {
        LOGGER.debug("isCapable: purl is null for component %s".formatted(component));
    } else if (!hasValidPurl) {
        LOGGER.debug("isCapable: " + component.getPurl().toString());
    }
    return (hasValidPurl && !PurlType.Constants.UNKNOWN.equals(PurlType.getApp(component.getPurl().getType())))
            || component.getClassifier() == Classifier.OPERATING_SYSTEM;
}

It works with this, though:

{
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:975bf412-c238-415d-be65-cf8eb1acab54",
    "version": 1,
    "components": [
        {
            "type": "library",
            "bom-ref": "16ada406-dbc9-45de-8e8f-bb9025e34b11",
            "name": "some-library-name",
            "purl": "pkg:maven/foo/[email protected]",
            "properties": [
                {
                    "name": "aquasecurity:trivy:SchemaVersion",
                    "value": "2"
                }
            ]
        }
    ]
}

Note how the component has a PURL with version, but no dedicated version field. This yields the NPE you found, because it passes the isCapable check, but the analyzer used to use component.version to populate the Trivy request:

app.addPackages(Package.newBuilder()
        .setName(name)
        .setVersion(component.getVersion())   // null when the BOM component has no version field
        .setSrcName(name)
        .setSrcVersion(component.getVersion()));

Fortunately this has already been addressed with #4245

@nscuro nscuro added integration/trivy Related to the Trivy integration and removed in triage labels Oct 15, 2024
@nscuro nscuro added this to the 4.12.1 milestone Oct 15, 2024
@nscuro nscuro closed this as completed Oct 15, 2024
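The gap nscuro describes, as an added example that is not Dependency-Track's code: isCapable accepts a component whose PURL carries a version, but the request builder reads component.version, which is null. It assumes minimal stand-in Component and PackageURL records and a hypothetical PackageBuilder that, like protobuf-java generated builders, rejects null in its setters; the PURL version "1.0.0" is a constructed value.

```java
import java.util.Optional;

public class TrivyVersionResolution {

    // Stand-ins for the Dependency-Track model (assumptions, not the project's classes).
    record PackageURL(String type, String name, String version) {}
    record Component(String name, String version, PackageURL purl) {}

    // Hypothetical stand-in for the generated trivy.proto Package.Builder:
    // protobuf-java setters throw NullPointerException on null, as seen in the report.
    static final class PackageBuilder {
        String name, version;
        PackageBuilder setName(String v) { if (v == null) throw new NullPointerException(); name = v; return this; }
        PackageBuilder setVersion(String v) { if (v == null) throw new NullPointerException(); version = v; return this; }
    }

    // Before: the component passes isCapable (its PURL has a version) but has no version field.
    static PackageBuilder buildUnsafe(Component c) {
        return new PackageBuilder().setName(c.name()).setVersion(c.version());
    }

    // After: prefer component.version, fall back to the PURL version, otherwise skip the package
    // (no version means Trivy could not match a vulnerability anyway).
    static Optional<String> resolveVersion(Component c) {
        if (c.version() != null && !c.version().isBlank()) return Optional.of(c.version());
        if (c.purl() != null && c.purl().version() != null) return Optional.of(c.purl().version());
        return Optional.empty();
    }

    static Optional<PackageBuilder> buildSafe(Component c) {
        return resolveVersion(c).map(v -> new PackageBuilder().setName(c.name()).setVersion(v));
    }

    public static void main(String[] args) {
        // Constructed input mirroring the second BOM in the thread: PURL with version, no version field.
        Component fromIssue = new Component("some-library-name", null,
                new PackageURL("maven", "some-library-name", "1.0.0"));
        try {
            buildUnsafe(fromIssue);
        } catch (NullPointerException e) {
            System.out.println("unsafe: NullPointerException, as in the report");
        }
        System.out.println("safe: " + buildSafe(fromIssue).map(b -> b.version).orElse("skipped"));
        // Neither a version field nor a PURL: the package is skipped instead of aborting the whole scan.
        Component noVersionAnywhere = new Component("other-component", null, null);
        System.out.println("safe: " + buildSafe(noVersionAnywhere).map(b -> b.version).orElse("skipped"));
    }
}
```

Skipping a single unresolvable component keeps the failure local, which is the expected behaviour the reporter asks for: one bad entry must not abort vulnerability analysis for every other component in the project.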
@FFichtner
Author

Thanks a lot for the quick update. I will retest this issue as soon as 4.12.1 is available.
If it reappears I will reinvestigate the issue more deeply.
