[jira] [Created] (MSHARED-998) NPE when resolving dependencies with PatternInclusionsFilter that holds a pattern with a classifier

Tue, 05 Oct 2021 13:06:07 -0700 

Hans Aikema created MSHARED-998:
-----------------------------------

             Summary: NPE when resolving dependencies with 
PatternInclusionsFilter that holds a pattern with a classifier
                 Key: MSHARED-998
                 URL: https://issues.apache.org/jira/browse/MSHARED-998
             Project: Maven Shared Components
          Issue Type: Improvement
          Components: maven-artifact-transfer
    Affects Versions: maven-artifact-transfer-0.13.1
            Reporter: Hans Aikema


After migrating from ArtifactResolver to DependencyResolver in OWASP 
DependencyCheck in order to properly take repositories into account that are 
expected to be added by the ancestry of a transitive dependency we received 
notifications of NullPointerExceptions during dependencyresolution in our 
plugin.

Analysis has led me to believe that its rootcause is a bug in 
Maven31DependencyResolver.

The issues in our project:

[https://github.com/jeremylong/DependencyCheck/issues/3679]

[https://github.com/jeremylong/DependencyCheck/issues/3694]

We call [resolveDependencies(ProjectBuildingRequest , Collection<Dependency> , 
Collection<Dependency>, 
TransformableFilter)|https://github.com/apache/maven-artifact-transfer/blob/ea7e7af3a97dda668166c481c3eb075bca5b51d6/maven-artifact-transfer-api/src/main/java/org/apache/maven/shared/transfer/dependencies/resolve/DependencyResolver.java#L76]
 with an 
org.apache.maven.shared.artifact.filter.resolve.PatternInclusionsFilter.

This works fine for a pattern {{<group>:<artifact>:<extension>:<version>}}, but 
fails with an NPE for a pattern 
{{<group>:<artifact>:<extension>:<classifier>:<version>}}.

Maven31DependencyResolver implementation creates a root-less CollectRequest 
which is transformed into a DependencyRequest that is offered to the 
RepositorySystem.

The rootless (no {{root}} and no {{rootArtifact}}) CollectRequest results in a 
null-filled {{new DefaultDependencyNode(null)}} root to be received in the 
CollectResult in DefaultRepositorySystem.

This null-artifact root of the CollectResult than triggers the NPE (inside the 
filter constructed inside newAdvancedPatternInclusionFilter of 
org.apache.maven.shared.artifact.filter.resolve.transform.EclipseAetherFilterTransformer)
 when that filter tries to determine the classifier of the rootNode when the 
filtering visitor starts traversing the tree.







--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to