Skip to content

Fix NPE and redundant queries in VEX/VDR export#6614

Open
heyiamwahab236 wants to merge 2 commits into
DependencyTrack:4.14.xfrom
tecan:fix/vex-export-npe-414x
Open

Fix NPE and redundant queries in VEX/VDR export#6614
heyiamwahab236 wants to merge 2 commits into
DependencyTrack:4.14.xfrom
tecan:fix/vex-export-npe-414x

Conversation

@heyiamwahab236

Copy link
Copy Markdown

Description

Fixes a NullPointerException that aborts the entire VEX/VDR CycloneDX export when a
finding references a component or vulnerability that was deleted between the findings
query and the export. ModelConverter.convert() resolved the Component and
Vulnerability by UUID but dereferenced them without null checks, so a concurrent
deletion (e.g. re-analysis or manual removal) caused component.getProject() to throw
and the whole export to fail with a 500. Such findings are now skipped via a guard in
convert() and a filter in generateVulnerabilities(), so the export completes with
the remaining vulnerabilities.

Also removes two redundant database queries per finding: for the VEX/VDR variant the
analysis lookup re-fetched the Component and Vulnerability by UUID even though both
were already resolved earlier in the same method. It now reuses the resolved objects.

Addressed Issue

fixes #6613

Additional Details

A regression test (ModelConverterTest) was added covering both a finding whose
component was deleted (previously reproduced the NPE, now returns an empty result) and
a normal finding that still converts correctly. The test was verified to fail against
the unpatched code and pass with the fix.

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have updated the migration changelog accordingly
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly
  • This PR is a substantial change (per the ADR criteria), and I have added an ADR under docs/adr/

The convert() method dereferenced the Component and Vulnerability
resolved by UUID without null checks. When a finding referenced a
component or vulnerability that was deleted between query and export,
this threw a NullPointerException and aborted the entire VEX/VDR
export. Null entries are now skipped via a guard in convert() and a
filter in generateVulnerabilities().

The analysis lookup also re-fetched the Component and Vulnerability by
UUID even though both were already resolved earlier in the method,
issuing two unnecessary database queries per finding. It now reuses
the already-resolved objects.

Signed-off-by: Abdul wahab Shah <abdulwahab.shah236@gmail.com>
Verifies that generateVulnerabilities skips findings whose component was
deleted between the findings query and export, instead of throwing a
NullPointerException, and that valid findings still convert as before.

Signed-off-by: Abdul wahab Shah <abdulwahab.shah236@gmail.com>
@owasp-dt-bot

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@heyiamwahab236

Copy link
Copy Markdown
Author

@nscuro Can you please have a look at it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants