Skip to content

Vulnerability analysis fails permanently with NPE in PrepareVulnAnalysisActivity when a component property was uploaded with an empty value #6572

Description

@flobrunner

Current Behavior

When a project's BOM contains a component property with an empty string value (which is valid per the CycloneDX schema, and is what Syft emits for syft:package:metadataType on some packages), the vulnerability analysis workflow for that project fails terminally and the project never receives any analysis results (no metrics, no vulnerabilities, risk score stays empty).

The prepare-vuln-analysis activity throws a NullPointerException and gives up after 6 attempts:

WARN [ActivityTaskWorker] Activity failed terminally after 6 attempt(s) [activityName=prepare-vuln-analysis, workflowRunId=..., activityTaskAttempt=6]
java.lang.NullPointerException
    at org.cyclonedx.proto.v1_7.Property$Builder.setValue(Property.java:654)
    at org.dependencytrack.vulnanalysis.PrepareVulnAnalysisActivity.lambda$assembleBom$1(PrepareVulnAnalysisActivity.java:167)
    at org.jdbi.v3.core.result.ResultBearing.lambda$reduceRows$1(ResultBearing.java:276)
    at org.jdbi.v3.core.result.ResultBearing$1.scanResultSet(ResultBearing.java:59)
    at org.jdbi.v3.core.statement.Query.scanResultSet(Query.java:61)
    at org.jdbi.v3.core.result.ResultBearing.reduceRows(ResultBearing.java:269)
    at org.dependencytrack.vulnanalysis.PrepareVulnAnalysisActivity.lambda$assembleBom$0(PrepareVulnAnalysisActivity.java:154)
    at org.dependencytrack.persistence.jdbi.JdbiFactory.lambda$withJdbiHandle$0(JdbiFactory.java:80)
    ...
    at org.dependencytrack.vulnanalysis.PrepareVulnAnalysisActivity.assembleBom(PrepareVulnAnalysisActivity.java:142)
    at org.dependencytrack.vulnanalysis.PrepareVulnAnalysisActivity.execute(PrepareVulnAnalysisActivity.java:95)

Steps to Reproduce

  1. Run Dependency-Track v5.0.2 with the Trivy analyzer enabled (any other analyzer configuration is irrelevant; the bug only triggers via the COMPONENT_PROPERTIES requirement).
  2. Upload the following minimal BOM to a new project:
    {
      "bomFormat": "CycloneDX",
      "specVersion": "1.5",
      "version": 1,
      "components": [
        {
          "type": "library",
          "name": "some-lib",
          "version": "1.0.0",
          "purl": "pkg:generic/some-lib@1.0.0",
          "properties": [
            { "name": "syft:package:metadataType", "value": "" }
          ]
        }
      ]
    }
  3. Observe the API server logs: the prepare-vuln-analysis activity fails with the NPE above after 6 attempts; the project never gets analysis results.

Real-world occurrence: SBOMs generated by Syft (e.g. via ckotzbauer/sbom-operator) for images such as docker.io/bitnami/postgresql:latest contain syft:package:metadataType properties with an empty string value for several packages (gdal, geos, postgis, pgvector, …). An empty property value is valid per the CycloneDX JSON schema.

Expected Behavior

Vulnerability analysis completes normally. A component property without a value (or with an empty value) should either be skipped or passed through without a value when assembling the BOM for analysis — it must not permanently fail the workflow for the entire project.

Dependency-Track Version

5.x

Browser

serverside

Checklist

Metadata

Metadata

Assignees

No one assigned

    Labels

    defectSomething isn't workingp2Non-critical bugs, and features that help organizations to identify and reduce risksize/SSmall effort

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions