[jira] [Commented] (MNG-7375) Potential NPE in org.apache.maven.artifact.repository.metadata.Metadata.merge(...) with invalid/incomplete plugin metadata

[Konrad Windszus (Jira)]

    [ 
https://issues.apache.org/jira/browse/MNG-7375?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17465710#comment-17465710
 ] 

Konrad Windszus commented on MNG-7375:
--------------------------------------

bq. Where do you have the optional from?

>From the [XSD|https://maven.apache.org/xsd/repository-metadata-1.1.0.xsd]:
{code}
<xs:element minOccurs="0" name="prefix" type="xs:string">
{code}
IMHO the XSD together with 
https://maven.apache.org/ref/3.8.4/maven-repository-metadata/repository-metadata.html
 is the spec.

But even in case it is required an invalid metadata should not lead to an NPE.

> Potential NPE in 
> org.apache.maven.artifact.repository.metadata.Metadata.merge(...) with 
> invalid/incomplete plugin metadata
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MNG-7375
>                 URL: https://issues.apache.org/jira/browse/MNG-7375
>             Project: Maven
>          Issue Type: Improvement
>          Components: Artifacts and Repositories
>    Affects Versions: 3.8.4
>            Reporter: Konrad Windszus
>            Priority: Major
>
> Currently the metadata at 
> https://repository.apache.org/service/local/repositories/snapshots/content/org/apache/jackrabbit/maven-metadata.xml
>  contains an invalid entry without a prefix:
> {code}
> <metadata>
> <plugins>
> <plugin>
> <name>Apache Jackrabbit FileVault - Package Maven Plugin</name>
> <prefix>filevault-package</prefix>
> <artifactId>filevault-package-maven-plugin</artifactId>
> </plugin>
> <plugin>
> <name>filevault-package-maven-plugin</name>
> <artifactId>filevault-package-maven-plugin</artifactId>
> </plugin>
> </plugins>
> </metadata>
> {code}
> This leads to an NPE when trying to deploy a new version with 
> {{org.apache.maven.artifact.deployer.DefaultArtifactDeployer.deploy(...)}}:
> {code}
> Caused by: java.lang.NullPointerException
>     at org.apache.maven.artifact.repository.metadata.Metadata.merge 
> (Metadata.java:276)
>     at 
> org.apache.maven.artifact.repository.metadata.AbstractRepositoryMetadata.updateRepositoryMetadata
>  (AbstractRepositoryMetadata.java:121)
>     at 
> org.apache.maven.artifact.repository.metadata.AbstractRepositoryMetadata.storeInLocalRepository
>  (AbstractRepositoryMetadata.java:67)
>     at org.apache.maven.artifact.repository.metadata.MetadataBridge.merge 
> (MetadataBridge.java:65)
>     at org.eclipse.aether.internal.impl.DefaultDeployer.upload 
> (DefaultDeployer.java:433)
>     at org.eclipse.aether.internal.impl.DefaultDeployer.deploy 
> (DefaultDeployer.java:321)
>     at org.eclipse.aether.internal.impl.DefaultDeployer.deploy 
> (DefaultDeployer.java:213)
>     at org.eclipse.aether.internal.impl.DefaultRepositorySystem.deploy 
> (DefaultRepositorySystem.java:386)
>     at org.apache.maven.artifact.deployer.DefaultArtifactDeployer.deploy 
> (DefaultArtifactDeployer.java:142)
> {code}
> Although this happened in the context of using 
> "org.sonatype.plugins:nexus-staging-maven-plugin:1.6.8" 
> (https://issues.sonatype.org/browse/NEXUS-30749) the affected code is in 
> Maven.
> The metadata is probably invalid but the Metadata class should be more robust 
> when trying to do the merge in 
> https://github.com/apache/maven/blob/951b5ee95f40147abbc2bb9d928e408b85d5aef3/maven-repository-metadata/src/main/mdo/metadata.mdo#L100
>  and just ignore all plugin entries without all mandatory elements.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)