azuredevops
Downloading installer tries to download a non existing tag
Today the downloader fails with the following error.
Downloading Dependency Check latest installer from GitHub..
Cannot read property 'find' of undefined
##[error]Cannot read property 'find' of undefined
##[error]Unhandled error condition detected.
When analyzing the code it seems that it tries to download https://api.github.com/repos/jeremylong/DependencyCheck/releases/tags/vlatest but that tag "vlatest" doesn't exist.
Not sure if anyone is still interested in this issue, but we've been encountering it for the last few days, but it has since gone away again - most frustrating!
The code may have changed since the issue was originally created, as I can see that at the following line, if the version is set to its default, 'latest', then it uses a different URL to what is cited when this issue was created: https://github.com/dependency-check/azuredevops/blob/ec3d0e53f8be4feeb48eb97be9df71b01767baed/src/Tasks/dependency-check-build-task/dependency-check-build-task.ts#L284
It is instead https://api.github.com/repos/jeremylong/DependencyCheck/releases/latest, which I've confirmed does indeed exist, and following the code through it should be able to successfully locate the asset with content-type == 'application/zip': https://github.com/dependency-check/azuredevops/blob/ec3d0e53f8be4feeb48eb97be9df71b01767baed/src/Tasks/dependency-check-build-task/dependency-check-build-task.ts#L288
It's hard to tell as there's not a lot of error handling, but you'd assume that the code is successfully retrieving something from that URL, it just can't locate the correct asset. Given it occurs sporadically, I did wonder also whether it may be hitting some kind of GitHub API rate limit, but then I'd probably expect a different error i.e. the HttpClient wouldn't receive a 200 OK back in that case, but given there's no code explicitly checking the HTTP status code of the response, I don't know if the HttpClient being used throws an error for a non-200 response, or whether this is actually something that should be being explicitly checked - or at least logged?
Anyway, a bit more information for if/when this occurs again in the future.
Encountering this issue pretty frequently of late, I've done some more digging. It looks like the client used here doesn't throw for non-200 status codes:
https://www.npmjs.com/package/typed-rest-client
Which tracks with what's coming back from the API when a non-existent version tag is requested:
Rate limiting seems to make some amount of sense I think? Given the intermittent nature and the fact that it will work and then not work for the exact same pipeline for seemingly no reason.
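The failure mode discussed in the comments above, as an added example that is not part of the thread or the extension's code: an unguarded asset lookup turns a rate-limited or 404 reply into a TypeError on `find`, while checking the status code and the shape of the body first reports the actual cause. The function names, the `ApiReply` shape and the sample replies are constructed for illustration.

```typescript
// Added illustration; all names and sample replies are constructed, not the extension's code.
interface ReleaseAsset { content_type: string; browser_download_url: string; }
interface ApiReply { statusCode: number; headers?: Record<string, string>; body: unknown; }

// Unguarded lookup: assumes every reply is a release object with an assets array.
function unguardedSelect(body: any): string {
  return body.assets.find((a: ReleaseAsset) => a.content_type === "application/zip").browser_download_url;
}

// Guarded lookup: checks status and shape first, so the error names the real cause.
function selectInstallerUrl(reply: ApiReply): string {
  if (reply.statusCode !== 200) {
    const remaining = reply.headers?.["x-ratelimit-remaining"];
    const hint = remaining === "0" ? " (GitHub API rate limit exhausted)" : "";
    throw new Error(`GitHub releases API returned HTTP ${reply.statusCode}${hint}`);
  }
  const assets = (reply.body as { assets?: unknown } | null)?.assets;
  if (!Array.isArray(assets)) throw new Error("Release response has no 'assets' array");
  const zip = (assets as ReleaseAsset[]).find(a => a.content_type === "application/zip");
  if (!zip) throw new Error("Release has no asset with content_type 'application/zip'");
  return zip.browser_download_url;
}

// Runs fn and reports either its result or the error it threw.
function outcome(fn: () => string): string {
  try { return fn(); } catch (e) { return `${(e as Error).name}: ${(e as Error).message}`; }
}

// Constructed sample replies (example.invalid URLs are placeholders).
const okReply: ApiReply = { statusCode: 200, body: { tag_name: "v0.0.0", assets: [
  { content_type: "application/octet-stream", browser_download_url: "https://example.invalid/dc.zip.asc" },
  { content_type: "application/zip", browser_download_url: "https://example.invalid/dc.zip" },
] } };
const rateLimitedReply: ApiReply = { statusCode: 403, headers: { "x-ratelimit-remaining": "0" },
  body: { message: "API rate limit exceeded" } };
const notFoundReply: ApiReply = { statusCode: 404, body: { message: "Not Found" } };

console.log(outcome(() => unguardedSelect(rateLimitedReply.body)));
for (const reply of [okReply, rateLimitedReply, notFoundReply]) {
  console.log(outcome(() => selectInstallerUrl(reply)));
}
```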
Do any of you still have this issue? If so I'll look into it - otherwise I'll close this issue.
I'm getting intermittent failures with the dependency check extension from the Visual Studio Marketplace in the Azure DevOps pipeline.
Here is the output:
Starting: Run dependency security checks
Task : OWASP Dependency Check
Description : Dependency Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.
Version : 6.1.3
Author : Dependency Check
Help : More Information
Starting Dependency Check...
Setting report directory to /azp/_work/16/s/depedancy-check-results/
Creating report directory at /azp/_work/16/s/depedancy-check-results/
Downloading Dependency Check latest installer from GitHub..
Cannot read property 'find' of undefined
##[error]Cannot read property 'find' of undefined
##[error]Unhandled error condition detected.
Ending Dependency Check...
Finishing: Run dependency security checks
Will take another look at this once we get the new pipeline for our build up and running.