
AnalysisException: java.lang.NullPointerException after 7.1.2 Update

Open helloingob opened this issue 3 years ago • 7 comments

Describe the bug

We use Dependency Check as an Azure Task and after the update from 7.1.1 to 7.1.2 it fails with a java.lang.NullPointerException in MSBuildProjectAnalyzer. We DID NOT update/change our code, especially not the csproj file.

Version of dependency-check used

owasp-dependency-check 7.1.2 x64

- task: OWASPDependencyCheck@0
  inputs:
    outputDirectory: '$(Agent.TempDirectory)/dependency-scan-results'
    scanDirectory: '$(Build.SourcesDirectory)'
    outputFormat: 'ALL'
    useSonarQubeIntegration: true
    additionalArguments: |
      --log $(Build.ArtifactStagingDirectory)/owasp.log

Log

WARN  - An error occurred while analyzing 'D:\a\1\s\XXX\XXX.csproj' (MSBuild Project Analyzer).
2022-08-23 14:01:45,990 org.owasp.dependencycheck.AnalysisTask:91
DEBUG - 
org.owasp.dependencycheck.analyzer.exception.AnalysisException: java.lang.NullPointerException
	at org.owasp.dependencycheck.analyzer.MSBuildProjectAnalyzer.analyzeDependency(MSBuildProjectAnalyzer.java:174)
	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:750)
Caused by: java.lang.NullPointerException: null
	at org.owasp.dependencycheck.data.nuget.XPathMSBuildProjectParser.parse(XPathMSBuildProjectParser.java:74)
	at org.owasp.dependencycheck.analyzer.MSBuildProjectAnalyzer.analyzeDependency(MSBuildProjectAnalyzer.java:120)
	... 7 common frames omitted

DEBUG - unexpected error
org.owasp.dependencycheck.analyzer.exception.AnalysisException: java.lang.NullPointerException
	at org.owasp.dependencycheck.analyzer.MSBuildProjectAnalyzer.analyzeDependency(MSBuildProjectAnalyzer.java:174)
	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:750)
Caused by: java.lang.NullPointerException: null
	at org.owasp.dependencycheck.data.nuget.XPathMSBuildProjectParser.parse(XPathMSBuildProjectParser.java:74)
	at org.owasp.dependencycheck.analyzer.MSBuildProjectAnalyzer.analyzeDependency(MSBuildProjectAnalyzer.java:120)
	... 7 common frames omitted
2022-08-23 14:02:13,241 org.owasp.dependencycheck.utils.Settings:825
DEBUG - Deleting ALL temporary files from `C:\Users\VSSADM~1\AppData\Local\Temp\dctempf9284a0c-d4b9-473c-8c57-b7d142ba9efe`
2022-08-23 14:02:13,241 org.owasp.dependencycheck.App:88
DEBUG - Exit code: -14

To Reproduce

Rerun the task. I know this doesn't help much, but since we didn't change anything I don't know how to reproduce it properly.

Expected behavior

That it runs again like the 7.1.1 version.

helloingob avatar Aug 23 '22 14:08 helloingob

Seems a regression from #4678 that doesn't consider a missing version element

mprins avatar Aug 23 '22 19:08 mprins

  <ItemGroup>
    <PackageReference Include="WPI_UXT_ShelfVariantNumber" version="1.0.3" />
    <PackageReference Include="System.Resources.Extensions" Version="6.0.0" />
  </ItemGroup>

We use our references like this.

helloingob avatar Aug 23 '22 20:08 helloingob

I notice that the 1st line does not have "Version", but "version".

mprins avatar Aug 24 '22 07:08 mprins

You are right. I updated every "version" to "Version" and now it is working without an exception.

The compiler doesn't mind if it is upper- or lowercase, so probably the parser should be fixed anyway.

Thank you for your help :)

helloingob avatar Aug 24 '22 07:08 helloingob

I can confirm that this is due to a missing version Element or Attribute for a package reference.

We still need this fixed (even if the original poster has his problem fixed) because we are not using the "Version" element or attribute for one of our packages for which the version is centrally managed. The scanner doesn't seem to recognize options to centrally manage package versions, for example in a Directory.Build.targets file somewhere in a parent directory (as we do) or any other method described here: https://www.mytechramblings.com/posts/centrally-manage-nuget-versions/

So at least as long as that is not the case, the scanner should not crash because of a missing package version (though it shouldn't crash because of that anyway). Because of that, no dependency check report is uploaded to our builds at the moment. So we are still having problems with this and cannot "fix" our code, because there's nothing to fix for us; we're using a documented and approved versioning method for packages.

echalone avatar Aug 24 '22 08:08 echalone

We ran into the same issue, changed the version to Version for now.

kipusoep avatar Aug 29 '22 06:08 kipusoep

I've created a pull request https://github.com/jeremylong/DependencyCheck/pull/4796 that will fix the bug introduced with PR https://github.com/jeremylong/DependencyCheck/pull/4678 (thanks @mprins for pointing to this PR, it helped a lot). Note: lower-case version elements/attributes weren't interpreted before either; it just didn't throw a NullPointerException. This behaviour, as well as the absence of an exception on missing version elements/attributes, will be restored with this PR. In the future it may be wise to extend the functionality to check the MSBuild XML elements case-insensitively, but that would go beyond this bugfix.

echalone avatar Aug 31 '22 14:08 echalone
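An added illustration (in Python, not DependencyCheck's own Java XPathMSBuildProjectParser) of the parsing behaviour echalone's two comments above ask for: PackageReference items are collected without assuming a Version attribute or child element exists, so a centrally managed package yields an entry with no inline version instead of an exception, and the lookup also accepts the lower-case `version` spelling that MSBuild tolerates. The helper names `_local`, `_attr_ci`, `_child_text_ci` and the sample csproj content beyond the two lines quoted in the thread are constructed for this example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class PackageRef:
    name: str
    version: Optional[str]  # None when not declared inline (e.g. centrally managed)

def _local(tag: str) -> str:
    # Old-style csproj files carry an xmlns; ET then reports '{ns}PackageReference'.
    return tag.rsplit("}", 1)[-1]

def _attr_ci(elem: ET.Element, name: str) -> Optional[str]:
    # MSBuild treats 'Version' and 'version' alike, so the lookup must as well.
    for key, value in elem.attrib.items():
        if _local(key).lower() == name.lower():
            return value
    return None

def _child_text_ci(elem: ET.Element, name: str) -> Optional[str]:
    # Same case-insensitive lookup for the <Version>x.y.z</Version> child-element form.
    for child in elem:
        if _local(child.tag).lower() == name.lower():
            return (child.text or "").strip() or None
    return None

def parse_package_references(csproj_xml: str) -> List[PackageRef]:
    """Collect PackageReference items; a missing version yields None, not an exception."""
    refs: List[PackageRef] = []
    for elem in ET.fromstring(csproj_xml).iter():
        if _local(elem.tag).lower() != "packagereference":
            continue
        name = _attr_ci(elem, "Include") or _attr_ci(elem, "Update")
        if not name:
            continue  # nothing to report on; skip the element rather than abort the scan
        version = _attr_ci(elem, "Version") or _child_text_ci(elem, "Version")
        refs.append(PackageRef(name, version))
    return refs

# Constructed sample: the two references quoted in the thread, plus a centrally managed one (no inline version) and the child-element form.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="WPI_UXT_ShelfVariantNumber" version="1.0.3" />
    <PackageReference Include="System.Resources.Extensions" Version="6.0.0" />
    <PackageReference Include="Centrally.Managed.Pkg" />
    <PackageReference Include="Child.Element.Pkg"><Version>2.1.0</Version></PackageReference>
  </ItemGroup>
</Project>"""
```

A reference whose version comes back as None is the signal to resolve it from Directory.Build.targets or Directory.Packages.props rather than a reason to abort the scan.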

Fix was merged and released with 7.2.0

aikebah avatar Oct 07 '22 20:10 aikebah