Details
Bug
Closed
Major
Description
A Jenkins user reported a stack trace ending in the following (the rest involves a particular plugin):
java.lang.NullPointerException at com.thoughtworks.xstream.converters.ConversionException.add(ConversionException.java:65) at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1066) at hudson.util.XStream2.unmarshal(XStream2.java:109) at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1045) at hudson.XmlFile.unmarshal(XmlFile.java:166)
Here it seems that pkg.getImplementationVersion() is null in unmarshal yet that condition is not checked for. This is using Jenkins's patched version of XStream, but I checked the trunk sources of the official version and the same code is used, so theoretically it is equally vulnerable.
Activity
Jesse Glick
added a comment - https://github.com/jenkinsci/xstream/commit/f669b433e02a98d8527c3f9e8a35873cb2a17700 Actually this already fixed in trunk. The real reason was that XStream's manifest was lacking nearly all information (see https://fisheye.codehaus.org/changelog/xstream/?cs=2043).
Jörg Schaible
added a comment - Actually this already fixed in trunk. The real reason was that XStream's manifest was lacking nearly all information (see https://fisheye.codehaus.org/changelog/xstream/?cs=2043 ). Well adding such information to the manifest should make the issue less likely, but the code remains fragile since it could continue to fail when the classes were packaged in various alternative ways, e.g. Maven Shade plugin.
Jesse Glick
added a comment - Well adding such information to the manifest should make the issue less likely, but the code remains fragile since it could continue to fail when the classes were packaged in various alternative ways, e.g. Maven Shade plugin. ...which is why I suggest applying my patch, which merely corrects a null safety issue and should be harmless if the package version is in fact set.
Jesse Glick
added a comment - - edited ...which is why I suggest applying my patch, which merely corrects a null safety issue and should be harmless if the package version is in fact set. Applied to trunk.
Jörg Schaible
added a comment - Applied to trunk. Jesse Glick
added a comment - FYI: https://issues.jenkins-ci.org/browse/JENKINS-17248 
Perhaps something to do with the plugin calling hierarchicalStreamWriter.addAttribute("version", ...). Seems that the error is only triggered when (a) information == null, (b) this is not the first time you are adding an attribute of that name to this exception. The first condition seems normal enough; in fact it is true during the module's unit tests. I am not sure what would cause the second condition, however.