Describe the bug
When you have a csproj file that has PackageReference with a Remove attribute, DependencyCheck fails with a NullPointerException.
Version of dependency-check used
6.0.4 in Azure DevOps, which is the CLI version, if I'm not mistaken.
Log file
Log in reproduction steps.
To Reproduce
Steps to reproduce the behavior:
Have a csproj like this where the PackageReference with Remove attribute is the important one
```xml
<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <AspNetCoreHostingModel>InProcess</AspNetCoreHostingModel>
    <UserSecretsId>bad443ff-023c-47a3-85b1-70734cd44900</UserSecretsId>
    <DockerDefaultTargetOS>Linux</DockerDefaultTargetOS>
    <LangVersion>10</LangVersion>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.7.9" />
    <PackageReference Remove="Microsoft.NETCore.App" />
  </ItemGroup>
  <ItemGroup>
    <Folder Include="wwwroot\reports\" />
  </ItemGroup>
</Project>
```
Run a scan and see this exception in the console
```text
[WARN] An error occurred while analyzing '/azp/agent/_work/1/s/***/***.csproj' (MSBuild Project Analyzer).
...
[INFO] Writing report to: /azp/agent/_work/1/a/dependency-check-report.html
[INFO] Writing report to: /azp/agent/_work/1/a/dependency-check-junit.xml
[ERROR] java.lang.NullPointerException
Dependency Check completed with exit code 242.
Dependency Check reports:
[ '/azp/agent/_work/1/a/dependency-check-junit.xml',
  '/azp/agent/_work/1/a/dependency-check-report.html' ]
Dependency Check failed with message "Dependency Check exited with an error code (exit code: 242)."
##[error]Dependency Check exited with an error code (exit code: 242).
```
And this in the log on the agent:
```text
org.owasp.dependencycheck.analyzer.exception.AnalysisException: java.lang.NullPointerException
    at org.owasp.dependencycheck.analyzer.MSBuildProjectAnalyzer.analyzeDependency(MSBuildProjectAnalyzer.java:174)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.lang.NullPointerException: null
    at org.owasp.dependencycheck.data.nuget.XPathMSBuildProjectParser.parse(XPathMSBuildProjectParser.java:71)
    at org.owasp.dependencycheck.analyzer.MSBuildProjectAnalyzer.analyzeDependency(MSBuildProjectAnalyzer.java:120)
    ... 7 common frames omitted
```
Expected behavior
The scan to complete successfully.
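
An added example, not code from this issue or from the dependency-check project: a minimal XPath-based reader for `PackageReference` items that skips entries without an `Include` attribute, such as the `Remove` item in the csproj above, instead of dereferencing a missing attribute. The class and method names are hypothetical, and it assumes the absent `Include` attribute is what triggers the exception; the issue itself only shows the stack trace.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

// Hypothetical demo class; not part of dependency-check.
public class PackageReferenceDemo {

    /** Returns package id -> version for every PackageReference that declares a package. */
    static Map<String, String> parse(String csproj) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Project files are untrusted scanner input: disable DTDs to rule out XXE.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(csproj.getBytes(StandardCharsets.UTF_8)));
        NodeList nodes = (NodeList) XPathFactory.newInstance().newXPath()
                .evaluate("//PackageReference", doc, XPathConstants.NODESET);
        Map<String, String> packages = new LinkedHashMap<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            NamedNodeMap attrs = nodes.item(i).getAttributes();
            Node include = attrs.getNamedItem("Include");
            if (include == null) {
                // Remove="..." / Update="..." items carry no Include attribute:
                // they declare no new dependency, so skip them instead of reading null.
                continue;
            }
            // Version may also be absent (for example when managed centrally); record it as empty.
            Node version = attrs.getNamedItem("Version");
            packages.put(include.getNodeValue(), version == null ? "" : version.getNodeValue());
        }
        return packages;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the two PackageReference items from the csproj in this report.
        String csproj = "<Project Sdk=\"Microsoft.NET.Sdk.Web\"><ItemGroup>"
                + "<PackageReference Include=\"Microsoft.VisualStudio.Azure.Containers.Tools.Targets\" Version=\"1.7.9\" />"
                + "<PackageReference Remove=\"Microsoft.NETCore.App\" />"
                + "</ItemGroup></Project>";
        System.out.println(parse(csproj));
    }
}
```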