From a1b9035450aad113b34b5eddba5031eef09ffd23 Mon Sep 17 00:00:00 2001 From: Abdul wahab Shah Date: Tue, 23 Jun 2026 09:00:08 +0200 Subject: [PATCH 1/2] Fix NPE and redundant queries in VEX/VDR export The convert() method dereferenced the Component and Vulnerability resolved by UUID without null checks. When a finding referenced a component or vulnerability that was deleted between query and export, this threw a NullPointerException and aborted the entire VEX/VDR export. Null entries are now skipped via a guard in convert() and a filter in generateVulnerabilities(). The analysis lookup also re-fetched the Component and Vulnerability by UUID even though both were already resolved earlier in the method, issuing two unnecessary database queries per finding. It now reuses the already-resolved objects. Signed-off-by: Abdul wahab Shah --- .../parser/cyclonedx/util/ModelConverter.java | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/main/java/org/dependencytrack/parser/cyclonedx/util/ModelConverter.java b/src/main/java/org/dependencytrack/parser/cyclonedx/util/ModelConverter.java index 4aea298959..3f62c83cc8 100644 --- a/src/main/java/org/dependencytrack/parser/cyclonedx/util/ModelConverter.java +++ b/src/main/java/org/dependencytrack/parser/cyclonedx/util/ModelConverter.java @@ -837,8 +837,14 @@ public static Service convert(final QueryManager qm, final ServiceComponent serv public static org.cyclonedx.model.vulnerability.Vulnerability convert(final QueryManager qm, final CycloneDXExporter.Variant variant, final Finding finding) { final Component component = qm.getObjectByUuid(Component.class, (String)finding.getComponent().get("uuid")); + if (component == null) { + return null; + } final Project project = component.getProject(); final Vulnerability vulnerability = qm.getObjectByUuid(Vulnerability.class, (String)finding.getVulnerability().get("uuid")); + if (vulnerability == null) { + return null; + } final org.cyclonedx.model.vulnerability.Vulnerability cdxVulnerability = new org.cyclonedx.model.vulnerability.Vulnerability(); cdxVulnerability.setBomRef(vulnerability.getUuid().toString()); @@ -928,10 +934,7 @@ public static org.cyclonedx.model.vulnerability.Vulnerability convert(final Quer } if (CycloneDXExporter.Variant.VEX == variant || CycloneDXExporter.Variant.VDR == variant) { - final Analysis analysis = qm.getAnalysis( - qm.getObjectByUuid(Component.class, component.getUuid()), - qm.getObjectByUuid(Vulnerability.class, vulnerability.getUuid()) - ); + final Analysis analysis = qm.getAnalysis(component, vulnerability); if (analysis != null) { final org.cyclonedx.model.vulnerability.Vulnerability.Analysis cdxAnalysis = new org.cyclonedx.model.vulnerability.Vulnerability.Analysis(); if (analysis.getAnalysisResponse() != null) { @@ -964,6 +967,7 @@ public static List generateVuln final var vulnerabilitiesSeen = new HashSet(); return findings.stream() .map(finding -> convert(qm, variant, finding)) + .filter(Objects::nonNull) .filter(vulnerabilitiesSeen::add) .toList(); } From 3de9e871cf6fe5838e337702be0770c6d3070be2 Mon Sep 17 00:00:00 2001 From: Abdul wahab Shah Date: Tue, 7 Jul 2026 14:50:14 +0200 Subject: [PATCH 2/2] Add regression test for VEX/VDR export NPE Verifies that generateVulnerabilities skips findings whose component was deleted between the findings query and export, instead of throwing a NullPointerException, and that valid findings still convert as before. Signed-off-by: Abdul wahab Shah --- .../parser/cyclonedx/ModelConverterTest.java | 96 +++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 src/test/java/org/dependencytrack/parser/cyclonedx/ModelConverterTest.java diff --git a/src/test/java/org/dependencytrack/parser/cyclonedx/ModelConverterTest.java b/src/test/java/org/dependencytrack/parser/cyclonedx/ModelConverterTest.java new file mode 100644 index 0000000000..69ea88049d --- /dev/null +++ b/src/test/java/org/dependencytrack/parser/cyclonedx/ModelConverterTest.java @@ -0,0 +1,96 @@ +/* + * This file is part of Dependency-Track. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * Copyright (c) OWASP Foundation. All Rights Reserved. + */ +package org.dependencytrack.parser.cyclonedx; + +import org.dependencytrack.PersistenceCapableTest; +import org.dependencytrack.model.Component; +import org.dependencytrack.model.Finding; +import org.dependencytrack.model.Project; +import org.dependencytrack.model.Severity; +import org.dependencytrack.model.Vulnerability; +import org.dependencytrack.parser.cyclonedx.util.ModelConverter; +import org.dependencytrack.tasks.scanners.AnalyzerIdentity; +import org.junit.jupiter.api.Test; + +import java.util.List; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatNoException; + +class ModelConverterTest extends PersistenceCapableTest { + + @Test + void generateVulnerabilitiesSkipsFindingWhoseComponentWasDeleted() { + final Project project = qm.createProject("acme-app", null, "1.0.0", null, null, null, true, false); + + Vulnerability vulnerability = new Vulnerability(); + vulnerability.setVulnId("INT-001"); + vulnerability.setSource(Vulnerability.Source.INTERNAL); + vulnerability.setSeverity(Severity.HIGH); + vulnerability = qm.createVulnerability(vulnerability, false); + + Component component = new Component(); + component.setProject(project); + component.setName("acme-lib"); + component.setVersion("1.0.0"); + component = qm.createComponent(component, false); + qm.addVulnerability(vulnerability, component, AnalyzerIdentity.INTERNAL_ANALYZER); + + // Resolve the findings up front, mirroring what the exporter does before conversion. + final List findings = qm.getFindings(project, true); + assertThat(findings).hasSize(1); + + // Simulate the component being deleted in the window between the findings query + // and the export (e.g. a concurrent re-analysis or manual deletion). + qm.recursivelyDelete(component, false); + + // Before the fix this threw a NullPointerException and aborted the whole export. + assertThatNoException().isThrownBy(() -> + ModelConverter.generateVulnerabilities(qm, CycloneDXExporter.Variant.VEX, findings)); + + final List result = + ModelConverter.generateVulnerabilities(qm, CycloneDXExporter.Variant.VEX, findings); + assertThat(result).isEmpty(); + } + + @Test + void generateVulnerabilitiesConvertsFindingWithResolvableComponent() { + final Project project = qm.createProject("acme-app", null, "1.0.0", null, null, null, true, false); + + Vulnerability vulnerability = new Vulnerability(); + vulnerability.setVulnId("INT-001"); + vulnerability.setSource(Vulnerability.Source.INTERNAL); + vulnerability.setSeverity(Severity.HIGH); + vulnerability = qm.createVulnerability(vulnerability, false); + + Component component = new Component(); + component.setProject(project); + component.setName("acme-lib"); + component.setVersion("1.0.0"); + component = qm.createComponent(component, false); + qm.addVulnerability(vulnerability, component, AnalyzerIdentity.INTERNAL_ANALYZER); + + final List findings = qm.getFindings(project, true); + + final List result = + ModelConverter.generateVulnerabilities(qm, CycloneDXExporter.Variant.VEX, findings); + assertThat(result).hasSize(1); + assertThat(result.get(0).getId()).isEqualTo("INT-001"); + } +}