- Bug
- Resolution: Unresolved
- Minor
- None
Jenkins version: 2.190.2.2
Aqua security scanner version: 3.0.21
When using the aqua security scanner in a pipeline script, if the 'notCompliesCmd' variable is not provided, the plugin will throw a NullPointerException after running the scan. Adding the variable with an empty string value caused the exception to go away.
The exception is thrown after the scan has completed and the report and css file have been added to the build result, but before the exit code of the docker scanner is reported.
I was unable to get a stacktrace for the Exception.
Speculation:
Reading through the plugin code, I have come up with the following speculation on the cause.
As notCompliesCmd is a string, if it is not provided then it will be null. It is not checked for null before it is used on this line in ScannerExecutor.java which would cause a NullPointerException to be thrown if it is null at this point.
At this point in the code, the report and css files have been transferred to the build.
This also explains why the exception goes away if the variable is provided with an empty value.
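
The failure mode speculated in the report above, as an added Java sketch that is not part of the original report and is not the plugin's ScannerExecutor code. It shows why an omitted optional string loses the scanner's exit code while an empty string does not; the method names, the way the value is dereferenced, and the sample exit code are assumptions.

```java
import java.util.ArrayList;
import java.util.List;

public class NotCompliesCmdDemo {
    // Unguarded (hypothetical): dereferences the optional value once the report is archived.
    static int runUnguarded(String notCompliesCmd, int scanExit, List<String> log) {
        log.add("report and css archived");
        if (!notCompliesCmd.trim().isEmpty()) {      // NullPointerException when null
            log.add("post-scan command configured: " + notCompliesCmd);
        }
        log.add("scanner exit code: " + scanExit);   // never reached when null
        return scanExit;
    }

    // Guarded (hypothetical): null and "" both mean "no command configured".
    static int runGuarded(String notCompliesCmd, int scanExit, List<String> log) {
        log.add("report and css archived");
        String cmd = notCompliesCmd == null ? "" : notCompliesCmd.trim();
        if (!cmd.isEmpty()) {
            log.add("post-scan command configured: " + cmd);
        }
        log.add("scanner exit code: " + scanExit);
        return scanExit;
    }

    public static void main(String[] args) {
        int scanExit = 1;                             // constructed sample exit code
        String[] inputs = { null, "" };               // omitted vs. empty-string workaround
        for (String input : inputs) {
            String label = input == null ? "omitted" : "empty string";
            List<String> log = new ArrayList<>();
            try {
                runUnguarded(input, scanExit, log);
            } catch (NullPointerException e) {
                log.add("NullPointerException");      // the scan verdict is lost here
            }
            System.out.println("unguarded, " + label + ": " + log);
            log = new ArrayList<>();
            runGuarded(input, scanExit, log);
            System.out.println("guarded,   " + label + ": " + log);
        }
    }
}
```

In the unguarded run with the value omitted, the log ends at the exception and the scanner exit code is never recorded, which matches the ordering described in the report.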