In a comment on OWASP DependencyCheck issue jeremylong/DependencyCheck#3707 (comment), a NullPointerException surfaced when DependencyCheck was dereferencing the externalReferences of a ComponentReportVulnerability from a retrieved report for pkg:maven/com.thoughtworks.xstream/xstream@1.4.17.
As other methods in the API are clearly marked as @Nullable, this to me is an unexpected NullPointerException. If the API can (temporarily) return vulnerabilities with no external references, the method should either be annotated with @Nullable, or the getter should null-check and return an empty list for the null case.
When (re)testing for the same library I could not reproduce it. My assumption is that by the time I tried, the affected vulnerability had been enriched with its external references.
If the API is not expected to respond with null-valued externalReferences for any vulnerability, there appears to be a transactional hole between registering a vulnerability and its externalReferences that would allow the API to return invalid responses.
Hi @aikebah - thanks for the bug report! I wasn't able to reproduce the issue locally, even by forcing the system to return zero external references. The API endpoint should always return that field, and do so with an empty list if necessary. There are internal tests that verify this case.
I agree though that it's better to add a null check in the getter, which also follows the existing pattern set in other methods not marked with @Nullable. The change that fixes this issue was just released as part of 1.8.1: https://github.com/sonatype/ossindex-public/releases/tag/release-1.8.1
Referenced code: ossindex-public/api/src/main/java/org/sonatype/ossindex/service/api/componentreport/ComponentReportVulnerability.java, lines 211 to 216 at commit 27d7bac
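The two getter shapes discussed above, as an added Java example that is not code from ossindex-public or DependencyCheck. The classes `VulnerabilityBefore`, `VulnerabilityAfter`, `ExternalReference`, `countCveReferences` and `orEmpty` are hypothetical stand-ins for `ComponentReportVulnerability`, its `externalReferences` field and the client code that dereferences it; the JSON layer is simulated by leaving the field null, as if the response had omitted it. It shows the NullPointerException a consumer hits with the unguarded getter, the null-checked getter that returns an empty list instead, and a client-side guard for consumers that cannot assume which library version they are running against.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added example, not ossindex-public or DependencyCheck code. All class and
// method names below are hypothetical stand-ins for the ones named in the issue.
public class NullSafeGetterDemo {

    /** Stand-in for one external reference (a URL). */
    static final class ExternalReference {
        final String url;
        ExternalReference(String url) { this.url = url; }
    }

    /** Before the fix: the getter returns the field as deserialized, which may be null. */
    static final class VulnerabilityBefore {
        List<ExternalReference> externalReferences; // null when the response omitted the field

        List<ExternalReference> getExternalReferences() {
            return externalReferences;
        }
    }

    /** After the fix: the getter null-checks and returns an empty list for the null case. */
    static final class VulnerabilityAfter {
        List<ExternalReference> externalReferences;

        List<ExternalReference> getExternalReferences() {
            return externalReferences == null
                    ? Collections.<ExternalReference>emptyList()
                    : externalReferences;
        }
    }

    /** Consumer-side logic of the kind a client runs over a report: count references to CVE pages. */
    static int countCveReferences(List<ExternalReference> refs) {
        int n = 0;
        for (ExternalReference r : refs) { // refs.iterator() throws NullPointerException when refs is null
            if (r.url.toLowerCase().contains("cve")) {
                n++;
            }
        }
        return n;
    }

    /** Client-side guard: normalise a possibly-null list before dereferencing it. */
    static <T> List<T> orEmpty(List<T> list) {
        return list == null ? Collections.<T>emptyList() : list;
    }

    public static void main(String[] args) {
        // Case 1: field missing from the response, unguarded getter -> the NPE from the issue.
        VulnerabilityBefore before = new VulnerabilityBefore();
        try {
            countCveReferences(before.getExternalReferences());
            System.out.println("before: unexpectedly no exception");
        } catch (NullPointerException e) {
            System.out.println("before: NullPointerException (the failure reported in the issue)");
        }

        // Case 2: same missing field, client-side guard -> 0 references, no exception.
        System.out.println("before + orEmpty(): "
                + countCveReferences(orEmpty(before.getExternalReferences())) + " CVE references");

        // Case 3: same missing field, null-checked getter -> 0 references, no exception.
        VulnerabilityAfter after = new VulnerabilityAfter();
        System.out.println("after: "
                + countCveReferences(after.getExternalReferences()) + " CVE references");

        // Case 4: populated field still behaves as before (constructed sample URLs, not real advisories).
        after.externalReferences = Arrays.asList(
                new ExternalReference("https://nvd.example/vuln/detail/CVE-EXAMPLE"),
                new ExternalReference("https://example.org/advisory"));
        System.out.println("after (populated): "
                + countCveReferences(after.getExternalReferences()) + " CVE references");
    }
}
```

Compile and run with `javac NullSafeGetterDemo.java && java NullSafeGetterDemo`. The getter fix removes the failure for every caller of the library, but a consumer pinned to an older release still sees the null, so the `orEmpty` guard is the defensive counterpart on the client side; neither change answers the reporter's separate question of whether the service can ever emit a vulnerability without its references.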