NuGet component with space breaks analyzer #3688

Open
2 tasks done
peterloron opened this issue May 9, 2024 · 2 comments
Labels: defect (Something isn't working), good first issue (Good for newcomers), p2 (Non-critical bugs, and features that help organizations to identify and reduce risk), size/S (Small effort)

Comments

@peterloron

Current Behavior

A CDXJSON1.4 SBOM from an internal Docker image was uploaded to DT 4.11. The SBOM contains a component which is a NuGet package. When analysis is attempted, an Illegal Character exception is thrown. I suspect that the space (%20) character is not being handled properly. Here is a sample section of the SBOM:

    {
      "bom-ref": "pkg:nuget/Simple%20Launcher@1.1.0.14?package-id=f17979bac9f7e205",
      "type": "library",
      "name": "Simple Launcher",
      "version": "1.1.0.14",
      "cpe": "cpe:2.3:a:Simple_Launcher:Simple_Launcher:1.1.0.14:*:*:*:*:*:*:*",
      "purl": "pkg:nuget/Simple%20Launcher@1.1.0.14",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "dotnet-portable-executable-cataloger"
        },
        { "name": "syft:package:language", "value": "dotnet" },
        { "name": "syft:package:type", "value": "dotnet" },
        {
          "name": "syft:package:metadataType",
          "value": "dotnet-portable-executable-entry"
        },
        {
          "name": "syft:location:0:layerID",
          "value": "sha256:9ce7e12c92bbf09aaaa5aaa621cff892fc3ce1c1fdc2eb31ce562790df8be75c"
        },
        {
          "name": "syft:location:0:path",
          "value": "/usr/local/lib/python3.8/dist-packages/distlib/t64.exe"
        }
      ]
    },

During the analysis, I saw the following error in the log:

2024-05-09 13:06:07,188 ERROR [NugetMetaAnalyzer] Request failure
java.net.URISyntaxException: Illegal character in path at index 45: https://api.nuget.org/v3-flatcontainer/simple launcher/index.json
	at java.base/java.net.URI$Parser.fail(Unknown Source)
	at java.base/java.net.URI$Parser.checkChars(Unknown Source)
	at java.base/java.net.URI$Parser.parseHierarchical(Unknown Source)
	at java.base/java.net.URI$Parser.parse(Unknown Source)
	at java.base/java.net.URI.<init>(Unknown Source)
	at org.apache.http.client.utils.URIBuilder.<init>(URIBuilder.java:82)
	at org.dependencytrack.tasks.repositories.AbstractMetaAnalyzer.processHttpRequest(AbstractMetaAnalyzer.java:105)
	at org.dependencytrack.tasks.repositories.NugetMetaAnalyzer.performVersionCheck(NugetMetaAnalyzer.java:108)
	at org.dependencytrack.tasks.repositories.NugetMetaAnalyzer.analyze(NugetMetaAnalyzer.java:99)
	at org.dependencytrack.tasks.repositories.RepositoryMetaAnalyzerTask.analyze(RepositoryMetaAnalyzerTask.java:179)
	at org.dependencytrack.tasks.repositories.RepositoryMetaAnalyzerTask.lambda$analyze$0(RepositoryMetaAnalyzerTask.java:123)
	at io.github.resilience4j.retry.Retry.lambda$decorateCallable$5(Retry.java:237)
	at io.github.resilience4j.retry.Retry.executeCallable(Retry.java:373)
	at org.dependencytrack.util.CacheStampedeBlocker.readThroughOrPopulateCache(CacheStampedeBlocker.java:201)
	at org.dependencytrack.tasks.repositories.RepositoryMetaAnalyzerTask.analyze(RepositoryMetaAnalyzerTask.java:128)
	at org.dependencytrack.tasks.repositories.RepositoryMetaAnalyzerTask.inform(RepositoryMetaAnalyzerTask.java:93)
	at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:110)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)
2024-05-09 13:06:07,190 WARN [CacheStampedeBlocker] An error occurred while populating cache repositoryMetaCache for key pkg:nuget/Simple%20Launcher@1.1.0.14 : java.lang.NullPointerException: Cannot invoke "org.apache.http.client.methods.CloseableHttpResponse.getStatusLine()" because "response" is null
org.dependencytrack.exception.MetaAnalyzerException: java.lang.NullPointerException: Cannot invoke "org.apache.http.client.methods.CloseableHttpResponse.getStatusLine()" because "response" is null
	at org.dependencytrack.tasks.repositories.NugetMetaAnalyzer.performVersionCheck(NugetMetaAnalyzer.java:124)
	at org.dependencytrack.tasks.repositories.NugetMetaAnalyzer.analyze(NugetMetaAnalyzer.java:99)
	at org.dependencytrack.tasks.repositories.RepositoryMetaAnalyzerTask.analyze(RepositoryMetaAnalyzerTask.java:179)
	at org.dependencytrack.tasks.repositories.RepositoryMetaAnalyzerTask.lambda$analyze$0(RepositoryMetaAnalyzerTask.java:123)
	at io.github.resilience4j.retry.Retry.lambda$decorateCallable$5(Retry.java:237)
	at io.github.resilience4j.retry.Retry.executeCallable(Retry.java:373)
	at org.dependencytrack.util.CacheStampedeBlocker.readThroughOrPopulateCache(CacheStampedeBlocker.java:201)
	at org.dependencytrack.tasks.repositories.RepositoryMetaAnalyzerTask.analyze(RepositoryMetaAnalyzerTask.java:128)
	at org.dependencytrack.tasks.repositories.RepositoryMetaAnalyzerTask.inform(RepositoryMetaAnalyzerTask.java:93)
	at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:110)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NullPointerException: Cannot invoke "org.apache.http.client.methods.CloseableHttpResponse.getStatusLine()" because "response" is null
	at org.dependencytrack.tasks.repositories.NugetMetaAnalyzer.performVersionCheck(NugetMetaAnalyzer.java:109)
	... 12 common frames omitted
2024-05-09 13:06:08,418 INFO [PolicyEngine] Policy analysis complete

Steps to Reproduce

  1. Upload SBOM with the CPE/PURL shown above.

Expected Behavior

Dependency-Track properly handles the analysis.

Dependency-Track Version

4.11.0

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Apple Safari

Checklist
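The failure in the log above comes from concatenating the decoded package name (containing a literal space) straight into a URI string, which `java.net.URI` rejects. The following is an added illustration, not Dependency-Track's own code: it reproduces that pattern beside a variant that lets the multi-argument `URI` constructor percent-encode the path segment. `URLDecoder` stands in for a PURL parser here, and the lowercasing mirrors the lowercase id visible in the logged URL.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

/**
 * Added illustration (not Dependency-Track code): a NuGet name decoded from a
 * PURL may contain a space, and that space must be re-encoded before the
 * flat-container lookup URL is built.
 */
public class NugetFlatContainerUrl {

    private static final String FLAT_CONTAINER = "https://api.nuget.org/v3-flatcontainer/";

    /** Mirrors the failing pattern: the decoded name is concatenated raw into the URI string. */
    static URI buildUnsafe(String decodedName) throws URISyntaxException {
        // "simple launcher" holds a literal space, illegal in a URI path -> URISyntaxException
        return new URI(FLAT_CONTAINER + decodedName.toLowerCase() + "/index.json");
    }

    /** Safe variant: the (scheme, host, path, fragment) constructor quotes illegal path characters. */
    static URI buildSafe(String decodedName) throws URISyntaxException {
        String path = "/v3-flatcontainer/" + decodedName.toLowerCase() + "/index.json";
        return new URI("https", "api.nuget.org", path, null);
    }

    public static void main(String[] args) throws Exception {
        // Name as it appears in the PURL from the issue, then decoded as a PURL parser would.
        // URLDecoder is only a stand-in; it also maps '+' to a space, which a PURL parser must not.
        String encoded = "Simple%20Launcher";
        String decoded = URLDecoder.decode(encoded, StandardCharsets.UTF_8); // "Simple Launcher"

        try {
            buildUnsafe(decoded);
        } catch (URISyntaxException e) {
            // Same message shape as the log: "Illegal character in path at index 45: ..."
            System.out.println("unsafe: " + e.getMessage());
        }
        // https://api.nuget.org/v3-flatcontainer/simple%20launcher/index.json
        System.out.println("safe:   " + buildSafe(decoded));
    }
}
```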

@peterloron peterloron added defect Something isn't working in triage labels May 9, 2024
@nscuro nscuro added p2 Non-critical bugs, and features that help organizations to identify and reduce risk good first issue Good for newcomers size/S Small effort and removed in triage labels May 10, 2024
@nscuro
Member

nscuro commented May 10, 2024

Similar issue was fixed for NPM in v4.11: #3456

@laurentiu-ghergu

I am interested in working on this one. Please assign me if possible. Thanks.
