Downloading installer tries to download a non existing tag

[PascalTurbo]

Today the downloader fails with the following error.

Downloading Dependency Check latest installer from GitHub..
Cannot read property 'find' of undefined
##[error]Cannot read property 'find' of undefined
##[error]Unhandled error condition detected.

When analyzing the code it seems that it tries to download https://api.github.com/repos/jeremylong/DependencyCheck/releases/tags/vlatest but that tag "vlatest" doesn't exist.

[dave-sampson13]

Not sure if anyone is still interested in this issue, but we've been encountering it for the last few days, but it has since gone away again - most frustrating!

The code may have changed since the issue was originally created, as I can see that at the following line, if the version is set to its default, 'latest', then it uses a different URL to what is cited when this issue was created:

azuredevops/src/Tasks/dependency-check-build-task/dependency-check-build-task.ts

Line 284 in ec3d0e5

if (version == 'latest') url = `${releaseApi}/${version}`;

It is instead https://api.github.com/repos/jeremylong/DependencyCheck/releases/latest, which I've confirmed does indeed exist, and following the code through it should be able to successfully locate the asset with content-type == 'application/zip':

azuredevops/src/Tasks/dependency-check-build-task/dependency-check-build-task.ts

Line 288 in ec3d0e5

let asset = releaseInfo['assets'].find(asset => asset['content_type'] == 'application/zip');

It's hard to tell as there's not a lot of error handling, but you'd assume that the code is successfully retrieving something from that URL, it just can't locate the correct asset. Given it occurs sporadically, I did wonder also whether it may be hitting some kind of GitHub API rate limit, but then I'd probably expect a different error i.e. the HttpClient wouldn't receive a 200 OK back in that case, but given there's no code explicitly checking the HTTP status code of the response, I don't know if the HttpClient being used throws an error for a non-200 response, or whether this is actually something that should be being explicitly checked - or at least logged?

Anyway, a bit more information for if/when this occurs again in the future.

[ehornby]

Encountering this issue pretty frequently of late, I've done some more digging. It looks like the client used here doesn't throw for non-200 status codes:

https://www.npmjs.com/package/typed-rest-client

Which tracks with what's coming back from the API when a non-existent version tag is requested:

Rate limiting seems to make some amount of sense I think? Given the intermittent nature and the fact that it will work and then not work for the exact same pipeline for seemingly no reason.

[Saturate]

Does anyone of you still have this issue? If so I'll look into it - otherwise I'll close this issue.

[Johnyb32]

Does anyone of you still have this issue? If so I'll look into it - otherwise I'll close this issue.

I'm getting intermittent failures with the dependency check extension from the Visual Studio Marketplace in the Azure DevOps pipeline.

Here is the output:

Starting: Run dependency security checks

Task : OWASP Dependency Check
Description : Dependency Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.
Version : 6.1.3
Author : Dependency Check
Help : More Information

Starting Dependency Check...
Setting report directory to /azp/_work/16/s/depedancy-check-results/
Creating report directory at /azp/_work/16/s/depedancy-check-results/
Downloading Dependency Check latest installer from GitHub..
Cannot read property 'find' of undefined
##[error]Cannot read property 'find' of undefined
##[error]Unhandled error condition detected.
Ending Dependency Check...
Finishing: Run dependency security checks

[Saturate]

Will take another look at this once we get the new pipeline for our build up and running.