Getting database connection error (NPE in DatabaseManager.getConnection ) while trying to run from Gitlab CICD

[KrishnenduDas1987]

Running dependency check with a NVD Apikey from Gitlab CICD environment is giving the following error without any clear explanation. Version we are using 12.1.9.

This might be because of connection pooling issue while trying to save into the h2 database, but didn't find any option to increase the pool size. Surprisingly it's not getting any error while running from local setup and also able to connect and see the data in the database with userid "dcuser"

6133 [INFO] Downloaded 10,000/320,367 (3%)
24155 [INFO] Downloaded 20,000/320,367 (6%)
33155 [INFO] Downloaded 30,000/320,367 (9%)
44931 [INFO] Downloaded 40,000/320,367 (12%)
59866 [INFO] Downloaded 50,000/320,367 (16%)
66546 [ERROR] Failed to process CVE-2011-4261
org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error connecting to the database
at org.owasp.dependencycheck.data.nvdcve.DatabaseManager.getConnection (DatabaseManager.java:578)
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateOrInsertVulnerability (CveDB.java:1168)
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability (CveDB.java:1093)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.updateCveDb (NvdApiProcessor.java:119)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call (NvdApiProcessor.java:96)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call (NvdApiProcessor.java:40)
at java.util.concurrent.FutureTask.run (FutureTask.java:264)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
at java.lang.Thread.run (Thread.java:829)
Caused by: java.sql.SQLException: Data source is closed
at org.apache.commons.dbcp2.BasicDataSource.createDataSource (BasicDataSource.java:525)
at org.apache.commons.dbcp2.BasicDataSource.getConnection (BasicDataSource.java:723)
at org.owasp.dependencycheck.data.nvdcve.DatabaseManager.getConnection (DatabaseManager.java:576)
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateOrInsertVulnerability (CveDB.java:1168)
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability (CveDB.java:1093)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.updateCveDb (NvdApiProcessor.java:119)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call (NvdApiProcessor.java:96)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call (NvdApiProcessor.java:40)
at java.util.concurrent.FutureTask.run (FutureTask.java:264)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
at java.lang.Thread.run (Thread.java:829)

[chadlwilson]

Assuming youre using the cli, specify the debug log location and have a look at the full debug log to see what is happening.

[KrishnenduDas1987]

Thanks for the suggestion. After turning on the debug flag, it turned out to be a simple OOM issue due to insufficient Heap space set in earlier stages of the pipeline via MAVEN_OPTS. Increasing to 1GB has solved this.

[chadlwilson]

Could you share the stack trace(s) that you have from this log showing which threads experienced OOM or other related exceptions/errors?

We can/should fix the error reporting so the root cause comes out the other end if possible.

[KrishnenduDas1987]

Relevant sections from the log while running the plugin with insufficient heap space (-Xmx512m)

[DEBUG] Requested At: 11:20:17; URI: /rest/json/cves/2.0?resultsPerPage=2000&startIndex=12000
[DEBUG] Ticket returned At: 11:20:18; count: 5; by 94
[DEBUG] Rate Limited API call - waiting for 2128ms
Exception in thread "httpclient-dispatch-1" java.lang.OutOfMemoryError: Java heap space
at org.apache.hc.core5.util.ByteArrayBuffer.toByteArray(ByteArrayBuffer.java:196)
at org.apache.hc.client5.http.async.methods.SimpleAsyncEntityConsumer.generateContent(SimpleAsyncEntityConsumer.java:72)
at org.apache.hc.client5.http.async.methods.SimpleAsyncEntityConsumer.generateContent(SimpleAsyncEntityConsumer.java:38)
at org.apache.hc.core5.http.nio.entity.AbstractBinAsyncEntityConsumer.completed(AbstractBinAsyncEntityConsumer.java:85)
at org.apache.hc.core5.http.nio.entity.AbstractBinDataConsumer.streamEnd(AbstractBinDataConsumer.java:83)
at org.apache.hc.core5.http.nio.support.AbstractAsyncResponseConsumer.streamEnd(AbstractAsyncResponseConsumer.java:142)
at org.apache.hc.client5.http.impl.async.HttpAsyncMainClientExec$1.streamEnd(HttpAsyncMainClientExec.java:283)
at org.apache.hc.core5.http2.impl.nio.ClientH2StreamHandler.consumeData(ClientH2StreamHandler.java:242)
at org.apache.hc.core5.http2.impl.nio.AbstractH2StreamMultiplexer$H2Stream.consumeData(AbstractH2StreamMultiplexer.java:1661)
at org.apache.hc.core5.http2.impl.nio.AbstractH2StreamMultiplexer.consumeDataFrame(AbstractH2StreamMultiplexer.java:1051)
at org.apache.hc.core5.http2.impl.nio.AbstractH2StreamMultiplexer.consumeFrame(AbstractH2StreamMultiplexer.java:740)
at org.apache.hc.core5.http2.impl.nio.AbstractH2StreamMultiplexer.onInput(AbstractH2StreamMultiplexer.java:448)
at org.apache.hc.core5.http2.impl.nio.AbstractH2IOEventHandler.inputReady(AbstractH2IOEventHandler.java:65)
at org.apache.hc.core5.http2.impl.nio.ClientH2IOEventHandler.inputReady(ClientH2IOEventHandler.java:39)
at org.apache.hc.core5.reactor.ssl.SSLIOSession.decryptData(SSLIOSession.java:618)
at org.apache.hc.core5.reactor.ssl.SSLIOSession.access$200(SSLIOSession.java:74)
at org.apache.hc.core5.reactor.ssl.SSLIOSession$1.inputReady(SSLIOSession.java:204)
at org.apache.hc.core5.reactor.InternalDataChannel.onIOEvent(InternalDataChannel.java:139)
at org.apache.hc.core5.reactor.InternalChannel.handleIOEvent(InternalChannel.java:51)
at org.apache.hc.core5.reactor.SingleCoreIOReactor.processEvents(SingleCoreIOReactor.java:176)
at org.apache.hc.core5.reactor.SingleCoreIOReactor.doExecute(SingleCoreIOReactor.java:125)
at org.apache.hc.core5.reactor.AbstractSingleCoreIOReactor.execute(AbstractSingleCoreIOReactor.java:92)
at org.apache.hc.core5.reactor.IOReactorWorker.run(IOReactorWorker.java:44)
at java.base/java.lang.Thread.run(Thread.java:829)
Exception in thread "httpclient-dispatch-1" java.lang.OutOfMemoryError: Java heap space
at org.apache.hc.core5.util.ByteArrayBuffer.expand(ByteArrayBuffer.java:58)
at org.apache.hc.core5.util.ByteArrayBuffer.append(ByteArrayBuffer.java:88)
at org.apache.hc.client5.http.async.methods.SimpleAsyncEntityConsumer.data(SimpleAsyncEntityConsumer.java:62)
at org.apache.hc.core5.http.nio.entity.AbstractBinDataConsumer.consume(AbstractBinDataConsumer.java:77)
at org.apache.hc.core5.http.nio.support.AbstractAsyncResponseConsumer.consume(AbstractAsyncResponseConsumer.java:134)
at org.apache.hc.client5.http.impl.async.HttpAsyncMainClientExec$1.consume(HttpAsyncMainClientExec.java:275)
at org.apache.hc.core5.http2.impl.nio.ClientH2StreamHandler.consumeData(ClientH2StreamHandler.java:238)
at org.apache.hc.core5.http2.impl.nio.AbstractH2StreamMultiplexer$H2Stream.consumeData(AbstractH2StreamMultiplexer.java:1661)
at org.apache.hc.core5.http2.impl.nio.AbstractH2StreamMultiplexer.consumeDataFrame(AbstractH2StreamMultiplexer.java:1051)
at org.apache.hc.core5.http2.impl.nio.AbstractH2StreamMultiplexer.consumeFrame(AbstractH2StreamMultiplexer.java:740)
at org.apache.hc.core5.http2.impl.nio.AbstractH2StreamMultiplexer.onInput(AbstractH2StreamMultiplexer.java:448)
at org.apache.hc.core5.http2.impl.nio.AbstractH2IOEventHandler.inputReady(AbstractH2IOEventHandler.java:65)
at org.apache.hc.core5.http2.impl.nio.ClientH2IOEventHandler.inputReady(ClientH2IOEventHandler.java:39)
at org.apache.hc.core5.reactor.ssl.SSLIOSession.decryptData(SSLIOSession.java:618)
at org.apache.hc.core5.reactor.ssl.SSLIOSession.access$200(SSLIOSession.java:74)
at org.apache.hc.core5.reactor.ssl.SSLIOSession$1.inputReady(SSLIOSession.java:204)
at org.apache.hc.core5.reactor.InternalDataChannel.onIOEvent(InternalDataChannel.java:139)
at org.apache.hc.core5.reactor.InternalChannel.handleIOEvent(InternalChannel.java:51)
at org.apache.hc.core5.reactor.SingleCoreIOReactor.processEvents(SingleCoreIOReactor.java:176)
at org.apache.hc.core5.reactor.SingleCoreIOReactor.doExecute(SingleCoreIOReactor.java:125)
at org.apache.hc.core5.reactor.AbstractSingleCoreIOReactor.execute(AbstractSingleCoreIOReactor.java:92)
at org.apache.hc.core5.reactor.IOReactorWorker.run(IOReactorWorker.java:44)
at java.base/java.lang.Thread.run(Thread.java:829)
[DEBUG] Ticket returned At: 11:20:19; count: 6; by 97
[DEBUG] Ticket returned At: 11:20:19; count: 7; by 99
[DEBUG] Ticket returned At: 11:20:19; count: 8; by 98
[DEBUG] Lock released (main) 15f24775d8fc94a68548bdb0758050bb @ 2025-12-06 11:20:20.684
[DEBUG] Closing database
[DEBUG] Cache cleared
[DEBUG] Connection closed
[DEBUG] Resources released
[DEBUG] Begin deregister driver
[DEBUG] End deregister driver
[INFO] Element event queue destroyed: org.apache.commons.jcs3.engine.control.event.ElementEventQueue@40dd552c
[ERROR] Failed to process CVE-2000-0177
org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error connecting to the database
at org.owasp.dependencycheck.data.nvdcve.DatabaseManager.getConnection (DatabaseManager.java:578)
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateOrInsertVulnerability (CveDB.java:1168)
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability (CveDB.java:1093)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.updateCveDb (NvdApiProcessor.java:119)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call (NvdApiProcessor.java:96)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call (NvdApiProcessor.java:40)
at java.util.concurrent.FutureTask.run (FutureTask.java:264)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
at java.lang.Thread.run (Thread.java:829)
Caused by: java.sql.SQLException: Data source is closed
at org.apache.commons.dbcp2.BasicDataSource.createDataSource (BasicDataSource.java:525)
at org.apache.commons.dbcp2.BasicDataSource.getConnection (BasicDataSource.java:723)
at org.owasp.dependencycheck.data.nvdcve.DatabaseManager.getConnection (DatabaseManager.java:576)
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateOrInsertVulnerability (CveDB.java:1168)
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability (CveDB.java:1093)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.updateCveDb (NvdApiProcessor.java:119)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call (NvdApiProcessor.java:96)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call (NvdApiProcessor.java:40)
at java.util.concurrent.FutureTask.run (FutureTask.java:264)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
at java.lang.Thread.run (Thread.java:829)