Current Behavior
When a project's BOM contains a component property with an empty string value (which is valid per the CycloneDX schema, and is what Syft emits for syft:package:metadataType on some packages), the vulnerability analysis workflow for that project fails terminally and the project never receives any analysis results (no metrics, no vulnerabilities, risk score stays empty).
The prepare-vuln-analysis activity throws a NullPointerException and gives up after 6 attempts:
WARN [ActivityTaskWorker] Activity failed terminally after 6 attempt(s) [activityName=prepare-vuln-analysis, workflowRunId=..., activityTaskAttempt=6]
java.lang.NullPointerException
at org.cyclonedx.proto.v1_7.Property$Builder.setValue(Property.java:654)
at org.dependencytrack.vulnanalysis.PrepareVulnAnalysisActivity.lambda$assembleBom$1(PrepareVulnAnalysisActivity.java:167)
at org.jdbi.v3.core.result.ResultBearing.lambda$reduceRows$1(ResultBearing.java:276)
at org.jdbi.v3.core.result.ResultBearing$1.scanResultSet(ResultBearing.java:59)
at org.jdbi.v3.core.statement.Query.scanResultSet(Query.java:61)
at org.jdbi.v3.core.result.ResultBearing.reduceRows(ResultBearing.java:269)
at org.dependencytrack.vulnanalysis.PrepareVulnAnalysisActivity.lambda$assembleBom$0(PrepareVulnAnalysisActivity.java:154)
at org.dependencytrack.persistence.jdbi.JdbiFactory.lambda$withJdbiHandle$0(JdbiFactory.java:80)
...
at org.dependencytrack.vulnanalysis.PrepareVulnAnalysisActivity.assembleBom(PrepareVulnAnalysisActivity.java:142)
at org.dependencytrack.vulnanalysis.PrepareVulnAnalysisActivity.execute(PrepareVulnAnalysisActivity.java:95)
Steps to Reproduce
- Run Dependency-Track v5.0.2 with the Trivy analyzer enabled (any other analyzer configuration is irrelevant; the bug only triggers via the
COMPONENT_PROPERTIES requirement).
- Upload the following minimal BOM to a new project:
{
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"version": 1,
"components": [
{
"type": "library",
"name": "some-lib",
"version": "1.0.0",
"purl": "pkg:generic/some-lib@1.0.0",
"properties": [
{ "name": "syft:package:metadataType", "value": "" }
]
}
]
}
- Observe the API server logs: the
prepare-vuln-analysis activity fails with the NPE above after 6 attempts; the project never gets analysis results.
Real-world occurrence: SBOMs generated by Syft (e.g. via ckotzbauer/sbom-operator) for images such as docker.io/bitnami/postgresql:latest contain syft:package:metadataType properties with an empty string value for several packages (gdal, geos, postgis, pgvector, …). An empty property value is valid per the CycloneDX JSON schema.
Expected Behavior
Vulnerability analysis completes normally. A component property without a value (or with an empty value) should either be skipped or passed through without a value when assembling the BOM for analysis — it must not permanently fail the workflow for the entire project.
Dependency-Track Version
5.x
Browser
serverside
Checklist
Current Behavior
When a project's BOM contains a component property with an empty string value (which is valid per the CycloneDX schema, and is what Syft emits for
syft:package:metadataTypeon some packages), the vulnerability analysis workflow for that project fails terminally and the project never receives any analysis results (no metrics, no vulnerabilities, risk score stays empty).The
prepare-vuln-analysisactivity throws aNullPointerExceptionand gives up after 6 attempts:Steps to Reproduce
COMPONENT_PROPERTIESrequirement).{ "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "type": "library", "name": "some-lib", "version": "1.0.0", "purl": "pkg:generic/some-lib@1.0.0", "properties": [ { "name": "syft:package:metadataType", "value": "" } ] } ] }prepare-vuln-analysisactivity fails with the NPE above after 6 attempts; the project never gets analysis results.Real-world occurrence: SBOMs generated by Syft (e.g. via ckotzbauer/sbom-operator) for images such as
docker.io/bitnami/postgresql:latestcontainsyft:package:metadataTypeproperties with an empty string value for several packages (gdal, geos, postgis, pgvector, …). An empty property value is valid per the CycloneDX JSON schema.Expected Behavior
Vulnerability analysis completes normally. A component property without a value (or with an empty value) should either be skipped or passed through without a value when assembling the BOM for analysis — it must not permanently fail the workflow for the entire project.
Dependency-Track Version
5.x
Browser
serverside
Checklist