
Error in CacheStampedeBlocker for pre-release only NuGet packages #5075

@qhris

Description


Current Behavior

When checking the logs in DT, I can see the following:

2025-06-25 13:33:04,952 WARN [CacheStampedeBlocker] An error occurred while populating cache repositoryMetaCache for key pkg:nuget/[email protected] : Cannot invoke "String.length()" because "<parameter1>" is null
java.lang.NullPointerException: Cannot invoke "String.length()" because "<parameter1>" is null
    at java.base/java.net.URLEncoder.encode(Unknown Source)
    at org.dependencytrack.tasks.repositories.AbstractMetaAnalyzer.urlEncode(AbstractMetaAnalyzer.java:84)
    at org.dependencytrack.tasks.repositories.NugetMetaAnalyzer.performLastPublishedCheck(NugetMetaAnalyzer.java:161)
    at org.dependencytrack.tasks.repositories.NugetMetaAnalyzer.analyze(NugetMetaAnalyzer.java:101)
    at org.dependencytrack.tasks.repositories.RepositoryMetaAnalyzerTask.analyze(RepositoryMetaAnalyzerTask.java:196)
    at org.dependencytrack.tasks.repositories.RepositoryMetaAnalyzerTask.lambda$analyze$0(RepositoryMetaAnalyzerTask.java:139)
    at io.github.resilience4j.retry.Retry.lambda$decorateCallable$5(Retry.java:237)
    at io.github.resilience4j.retry.Retry.executeCallable(Retry.java:373)
    at org.dependencytrack.util.CacheStampedeBlocker.readThroughOrPopulateCache(CacheStampedeBlocker.java:201)
    at org.dependencytrack.tasks.repositories.RepositoryMetaAnalyzerTask.analyze(RepositoryMetaAnalyzerTask.java:144)
    at org.dependencytrack.tasks.repositories.RepositoryMetaAnalyzerTask.inform(RepositoryMetaAnalyzerTask.java:102)
    at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:110)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)

From what I can tell, meta.getLatestVersion() is null and is passed to urlEncode.

Steps to Reproduce

  1. Analyze a .NET project with a NuGet package that only has beta releases. E.g. OpenTelemetry.Instrumentation.SqlClient
  2. See the Dependency-Track error logs

Expected Behavior

DependencyTrack should not throw errors for packages that only have pre-release versions.

For some reason, the SQL instrumentation packages for OpenTelemetry never had a full release, and I think something broke when DT fixed pre-release packages showing up as the latest version.

Dependency-Track Version

4.13.2

Dependency-Track Distribution

Container Image

Database Server

N/A

Database Server Version

N/A

Browser

N/A
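The failure path the stack trace shows, next to a null-safe alternative, as an added Java example. This is not Dependency-Track's own code: `latestStableOrNull`, `lastPublishedUrlChecked`, the version lists, the base URL and the simplified version comparison are all constructed for illustration. It models the situation from the report: when every published version of a package carries a pre-release tag, the "latest stable" lookup yields null, and passing that null straight into `URLEncoder.encode` raises the NullPointerException seen in the log. The hardened variant treats "no stable version" as "nothing to check" instead of an error.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Optional;

// Hypothetical, simplified model of a NuGet "last published" check.
// Not Dependency-Track's code; names and data here are constructed.
public class NugetLatestVersionExample {

    // Constructed sample: a package whose versions are all pre-releases
    // (the OpenTelemetry.Instrumentation.SqlClient case from the report).
    static final List<String> PRERELEASE_ONLY = List.of("1.0.0-beta.1", "1.0.0-rc.2", "1.11.0-beta.1");
    // Constructed sample: a package with stable and pre-release versions mixed.
    static final List<String> MIXED = List.of("1.0.0", "1.1.0-beta.1", "1.0.5");
    // Placeholder registration base URL, not a real endpoint.
    static final String BASE_URL = "https://registry.example.invalid/v3/registration";

    // SemVer 2 pre-release tag follows a hyphen (e.g. 1.0.0-beta.1).
    static boolean isPreRelease(String version) {
        return version.contains("-");
    }

    // Highest stable version, or null when the package has none.
    // This null is exactly what the reporter suspects meta.getLatestVersion() returns.
    static String latestStableOrNull(List<String> versions) {
        return versions.stream()
                .filter(v -> !isPreRelease(v))
                .max(NugetLatestVersionExample::compareVersions)
                .orElse(null);
    }

    // Same shape as the urlEncode helper in the trace: encoding a null throws NPE.
    static String urlEncode(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    // "Before": builds the lookup URL unconditionally, so a null version propagates
    // into URLEncoder.encode and the NullPointerException from the log appears.
    static String lastPublishedUrlUnchecked(String packageId, String latestVersion) {
        return BASE_URL + "/" + urlEncode(packageId.toLowerCase()) + "/" + urlEncode(latestVersion) + ".json";
    }

    // "After": no stable version means there is nothing to look up; return empty
    // instead of failing the whole cache population for this package.
    static Optional<String> lastPublishedUrlChecked(String packageId, String latestVersion) {
        if (latestVersion == null || latestVersion.isBlank()) {
            return Optional.empty();
        }
        return Optional.of(lastPublishedUrlUnchecked(packageId, latestVersion));
    }

    // Minimal numeric comparison of dotted release parts; sufficient for the
    // sample data because pre-release strings are filtered out before this runs.
    static int compareVersions(String a, String b) {
        String[] pa = a.split("\\.");
        String[] pb = b.split("\\.");
        for (int i = 0; i < Math.max(pa.length, pb.length); i++) {
            int na = i < pa.length ? Integer.parseInt(pa[i]) : 0;
            int nb = i < pb.length ? Integer.parseInt(pb[i]) : 0;
            if (na != nb) {
                return Integer.compare(na, nb);
            }
        }
        return 0;
    }

    public static void main(String[] args) {
        // Mixed package: a stable version exists, both variants produce a URL.
        String latestMixed = latestStableOrNull(MIXED); // "1.0.5"
        System.out.println("mixed     -> " + lastPublishedUrlChecked("Some.Package", latestMixed).orElse("<skipped>"));

        // Pre-release-only package: latest stable is null.
        String pkg = "OpenTelemetry.Instrumentation.SqlClient";
        String latestPre = latestStableOrNull(PRERELEASE_ONLY); // null
        try {
            lastPublishedUrlUnchecked(pkg, latestPre);
        } catch (NullPointerException e) {
            // Same exception class as in the CacheStampedeBlocker warning.
            System.out.println("unchecked -> NullPointerException: " + e.getMessage());
        }
        System.out.println("checked   -> " + lastPublishedUrlChecked(pkg, latestPre).orElse("<skipped: no stable version>"));
    }
}
```

Running `main` shows the two outcomes side by side: the unchecked path reproduces the NullPointerException for the pre-release-only package, while the checked path simply skips the last-published lookup. Skipping is the safer choice for a metadata analyzer, since the retry wrapper and cache population in the trace otherwise turn one missing value into a repeated, logged failure for that component.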


    Labels

  - defect: Something isn't working
  - good first issue: Good for newcomers
  - p2: Non-critical bugs, and features that help organizations to identify and reduce risk
  - size/S: Small effort
