NullReferenceException after 5.1.0 update
Running a pipeline this evening with the install cmd:
- task: CmdLine@2
  displayName: 'Install CycloneDX CLI'
  inputs:
    script: |
      dotnet tool install --global CycloneDX
And running the tool with
- task: CmdLine@2
  displayName: 'Generate CycloneDX BOM'
  inputs:
    script: |
      dotnet-CycloneDX ./src/MySolution.sln --exclude-test-projects --output $(Build.ArtifactStagingDirectory)/bom
I now receive the following exception when running with version 5.1.0:
Removed transitive dependency Microsoft.Extensions.Dependencyinjection.Abstractions from FluentValidation.DependencyInjectionExtensions
Found 359 packages
Unhandled exception: System.NullReferenceException: Object reference not set to an instance of an object.
at CycloneDX.Services.NugetV3Service.GetComponentAsync(String name, String version, Nullable`1 scope) in /home/runner/work/cyclonedx-dotnet/cyclonedx-dotnet/CycloneDX/Services/NugetV3Service.cs:line 275
at CycloneDX.Services.NugetV3Service.GetComponentAsync(DotnetDependency DotnetDependency) in /home/runner/work/cyclonedx-dotnet/cyclonedx-dotnet/CycloneDX/Services/NugetV3Service.cs:line 447
at CycloneDX.Runner.HandleCommandAsync(RunOptions options) in /home/runner/work/cyclonedx-dotnet/cyclonedx-dotnet/CycloneDX/Runner.cs:line 285
at CycloneDX.Program.<>c__DisplayClass0_0.<<Main>b__2>d.MoveNext() in /home/runner/work/cyclonedx-dotnet/cyclonedx-dotnet/CycloneDX/Program.cs:line 140
--- End of stack trace from previous location ---
at System.CommandLine.Invocation.AnonymousCommandHandler.InvokeAsync(InvocationContext context)
at System.CommandLine.Invocation.AnonymousCommandHandler.SyncUsingAsync(InvocationContext context)
at System.CommandLine.Invocation.AnonymousCommandHandler.Invoke(InvocationContext context)
at System.CommandLine.Invocation.InvocationPipeline.<>c__DisplayClass4_0.<<BuildInvocationChain>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass17_0.<<UseParseErrorReporting>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass12_0.<<UseHelp>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass22_0.<<UseVersionOption>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass19_0.<<UseTypoCorrections>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<UseSuggestDirective>b__18_0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass16_0.<<UseParseDirective>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<RegisterWithDotnetSuggest>b__5_0>d.MoveNext()
--- End of stack trace from previous location ---
at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass8_0.<<UseExceptionHandler>b__0>d.MoveNext()
The exception came in the logs right after a test project (.net8.0)
» Analyzing: /home/vsts/work/1/s/src/Test/Test.csproj
Skipping: /home/vsts/work/1/s/src/Test/Test.csproj
The test proj references:
<PackageReference Include="AutoBogus" Version="2.13.1" />
<PackageReference Include="coverlet.msbuild" Version="3.1.2">
  <PrivateAssets>all</PrivateAssets>
  <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
</PackageReference>
<PackageReference Include="Microsoft.AspNet.WebApi.Client" Version="5.2.9" />
<PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="7.0.10" />
<PackageReference Include="Moq" Version="[4.18.4]" />
<PackageReference Include="morelinq" Version="3.4.2" />
<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
<PackageReference Include="NUnit" Version="4.3.2" />
<PackageReference Include="NUnit3TestAdapter" Version="5.0.0" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.7.0" />
<PackageReference Include="System.Net.Http" Version="4.3.4" />
<PackageReference Include="System.Text.Json" Version="8.0.5" />
<PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
And the project references:
<PackageReference Include="FluentValidation" Version="11.1.0" />
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="8.0.0" />
<PackageReference Include="Microsoft.Identity.Client" Version="4.68.0" />
<PackageReference Include="Microsoft.OData.Client" Version="7.17.0" />
<PackageReference Include="Microsoft.OData.Core" Version="7.17.0" />
<PackageReference Include="Microsoft.OData.Edm" Version="7.17.0" />
<PackageReference Include="Microsoft.OData.Extensions.Client" Version="1.0.6" />
<PackageReference Include="Microsoft.OData.Extensions.Client.Abstractions" Version="1.0.6" />
<PackageReference Include="OneOf" Version="3.0.255" />
Didn't have time to gather much info, but resolved it for now by downgrading again using the previous version:
- task: CmdLine@2
  displayName: 'Install CycloneDX CLI'
  inputs:
    script: |
      dotnet tool install --global --version 5.0.1 CycloneDX
A guess from the error message would be that it's related to 934
Thank you for reporting, great level of details. Bug should be fixed any moment.
I noticed this in your output:
Removed transitive dependency Microsoft.Extensions.Dependencyinjection.Abstractions from FluentValidation.DependencyInjectionExtensions, which is something I just implemented and didn't expect to see often.
Could you maybe check if your 5.0.1 SBOMs include the package Microsoft.Extensions.Dependencyinjection.Abstractions?
No problem :)
Checking the BOM xml output I see Microsoft.Extensions.Dependencyinjection.Abstractions referenced in versions: @3.1.18 @8.0.0 @8.0.2
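
The check requested in this thread (does the SBOM list a given package, and in which versions) can be scripted against the BOM XML. The following is an added example, not part of the original thread or the CycloneDX project's code; the function names and the embedded BOM are constructed for illustration, and names are compared case-insensitively because NuGet package IDs are case-insensitive (the log line and the PackageReference above spell the ID with different casing).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample BOM (not the reporter's real output); package names and
# versions mirror those mentioned in the thread, everything else is assumed.
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.6" version="1">
  <components>
    <component type="library"><name>FluentValidation</name><version>11.1.0</version></component>
    <component type="library"><name>Microsoft.Extensions.DependencyInjection.Abstractions</name><version>8.0.2</version></component>
    <component type="library"><name>Microsoft.Extensions.DependencyInjection.Abstractions</name><version>3.1.18</version></component>
    <component type="library"><name>Microsoft.Extensions.Dependencyinjection.Abstractions</name><version>8.0.0</version></component>
  </components>
</bom>"""


def _local(tag):
    """Drop the XML namespace so any CycloneDX schema version is accepted."""
    return tag.rsplit("}", 1)[-1]


def _version_key(version):
    """Order numerically where possible, so 3.1.18 sorts before 8.0.0."""
    parts = version.replace("-", ".").split(".")
    return [(0, int(p)) if p.isdigit() else (1, p) for p in parts]


def component_versions(bom_xml):
    """Map lower-cased component name -> sorted list of versions in the BOM."""
    found = defaultdict(set)
    for elem in ET.fromstring(bom_xml).iter():
        if _local(elem.tag) != "component":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in elem}
        if fields.get("name") and fields.get("version"):
            found[fields["name"].lower()].add(fields["version"])
    return {name: sorted(vs, key=_version_key) for name, vs in found.items()}


def versions_of(bom_xml, package_id):
    """Versions of one package, matched case-insensitively."""
    return component_versions(bom_xml).get(package_id.lower(), [])


def multi_version_components(bom_xml):
    """Components present in more than one version (candidates for review)."""
    return {n: v for n, v in component_versions(bom_xml).items() if len(v) > 1}


if __name__ == "__main__":
    print(versions_of(SAMPLE_BOM, "Microsoft.Extensions.DependencyInjection.Abstractions"))
```

Running the same functions over BOMs produced by two tool versions and comparing the results shows whether an upgrade changed which versions of a package are reported.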