[jira] [Created] (MNG-7375) Potential NPE in org.apache.maven.artifact.repository.metadata.Metadata.merge(...) with invalid metadata

Mon, 27 Dec 2021 02:20:07 -0800 

Konrad Windszus created MNG-7375:
------------------------------------

             Summary: Potential NPE in 
org.apache.maven.artifact.repository.metadata.Metadata.merge(...) with invalid 
metadata
                 Key: MNG-7375
                 URL: https://issues.apache.org/jira/browse/MNG-7375
             Project: Maven
          Issue Type: Improvement
          Components: Artifacts and Repositories
    Affects Versions: 3.8.4
            Reporter: Konrad Windszus


Currently the metadata at 
https://repository.apache.org/service/local/repositories/snapshots/content/org/apache/jackrabbit/maven-metadata.xml
 contains an invalid entry without a prefix:
{code}
<metadata>
<plugins>
<plugin>
<name>Apache Jackrabbit FileVault - Package Maven Plugin</name>
<prefix>filevault-package</prefix>
<artifactId>filevault-package-maven-plugin</artifactId>
</plugin>
<plugin>
<name>filevault-package-maven-plugin</name>
<artifactId>filevault-package-maven-plugin</artifactId>
</plugin>
</plugins>
</metadata>
{code}

This leads to an NPE when trying to deploy a new version with 
{{org.apache.maven.artifact.deployer.DefaultArtifactDeployer.deploy(...)}}:

{code}
Caused by: java.lang.NullPointerException
    at org.apache.maven.artifact.repository.metadata.Metadata.merge 
(Metadata.java:276)
    at 
org.apache.maven.artifact.repository.metadata.AbstractRepositoryMetadata.updateRepositoryMetadata
 (AbstractRepositoryMetadata.java:121)
    at 
org.apache.maven.artifact.repository.metadata.AbstractRepositoryMetadata.storeInLocalRepository
 (AbstractRepositoryMetadata.java:67)
    at org.apache.maven.artifact.repository.metadata.MetadataBridge.merge 
(MetadataBridge.java:65)
    at org.eclipse.aether.internal.impl.DefaultDeployer.upload 
(DefaultDeployer.java:433)
    at org.eclipse.aether.internal.impl.DefaultDeployer.deploy 
(DefaultDeployer.java:321)
    at org.eclipse.aether.internal.impl.DefaultDeployer.deploy 
(DefaultDeployer.java:213)
    at org.eclipse.aether.internal.impl.DefaultRepositorySystem.deploy 
(DefaultRepositorySystem.java:386)
    at org.apache.maven.artifact.deployer.DefaultArtifactDeployer.deploy 
(DefaultArtifactDeployer.java:142)
{code}

Although this happened in the context of using 
"org.sonatype.plugins:nexus-staging-maven-plugin:1.6.8" 
(https://issues.sonatype.org/browse/NEXUS-30749) the affected code is in Maven 
and should be more robust.

Although the metadata is probably invalid, the Metadata class should be more 
robust when trying to do the merge in 
https://github.com/apache/maven/blob/951b5ee95f40147abbc2bb9d928e408b85d5aef3/maven-repository-metadata/src/main/mdo/metadata.mdo#L100




--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to