
Merge pull request DependencyTrack#3194 from nscuro/issue-3185
Fix NPE when `affected` node in OSV does not define a `package`
nscuro authored Nov 14, 2023
2 parents bd9bfec + 651e26a commit c84abd7
Showing 3 changed files with 431 additions and 1 deletion.
Expand Up @@ -139,13 +139,19 @@ public List<OsvAffectedPackage> parseAffectedPackageRange(final JSONObject affec
if (osvAffectedPackageList.size() == 0 && versions != null && versions.length() > 0) {
for (int j=0; j<versions.length(); j++) {
OsvAffectedPackage vuln = createAffectedPackage(affected);
if (vuln == null) {
continue;
}
vuln.setVersion(versions.getString(j));
osvAffectedPackageList.add(vuln);
}
}
// if no parsable range or version is available, add vulnerability without version
else if (osvAffectedPackageList.size() == 0) {
osvAffectedPackageList.add(createAffectedPackage(affected));
final OsvAffectedPackage affectedPackage = createAffectedPackage(affected);
if (affectedPackage != null) {
osvAffectedPackageList.add(affectedPackage);
}
}
return osvAffectedPackageList;
}
Expand Down Expand Up @@ -185,6 +191,9 @@ private List<OsvAffectedPackage> parseVersionRanges(JSONObject vulnerability, JS
}

final OsvAffectedPackage affectedPackage = createAffectedPackage(vulnerability);
if (affectedPackage == null) {
continue;
}
affectedPackage.setLowerVersionRange(introduced);

if (i + 1 < rangeEvents.length()) {
Expand Down Expand Up @@ -230,6 +239,9 @@ private OsvAffectedPackage createAffectedPackage(JSONObject vulnerability) {

OsvAffectedPackage osvAffectedPackage = new OsvAffectedPackage();
final JSONObject affectedPackageJson = vulnerability.optJSONObject("package");
if (affectedPackageJson == null) {
return null;
}
final JSONObject ecosystemSpecific = vulnerability.optJSONObject("ecosystem_specific");
final JSONObject databaseSpecific = vulnerability.optJSONObject("database_specific");
Severity ecosystemSeverity = parseEcosystemSeverity(ecosystemSpecific, databaseSpecific);
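Review bot: createAffectedPackage now returns null when the `affected` node carries no `package` (the check right after `vulnerability.optJSONObject("package")`), but neither the nullable return nor the drop is made visible: the callers silently skip the entry, so an advisory whose affected nodes all lack a package can end up with no affected packages and nothing in the logs to explain why matching produced no findings. A Javadoc line on the method, `@return the parsed affected package, or {@code null} if the affected node does not define a {@code package}`, plus a debug-level log statement before the `return null` naming the advisory id, would let operators see the gap in ingested OSV data. The `new OsvAffectedPackage()` on the line above the check is allocated before it is known to be needed; moving the null check ahead of it avoids the wasted object. The same null-skip is repeated in parseAffectedPackageRange and parseVersionRanges above, and in parseAffectedPackageRange's version loop createAffectedPackage is called once per version even though its result cannot differ between iterations, so the call and its null check could be hoisted above the `for`. All three enclosing methods continue outside their hunks.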
Expand Up @@ -147,4 +147,14 @@ public void testCommitHashRanges() throws IOException {
Assert.assertEquals(22, advisory.getAffectedPackages().size());
Assert.assertEquals("4.4.0", advisory.getAffectedPackages().get(0).getVersion());
}

@Test // https://github.com/DependencyTrack/dependency-track/issues/3185
public void testIssue3185() throws Exception {
String jsonFile = "src/test/resources/unit/osv.jsons/osv-CVE-2016-10012.json";
String jsonString = new String(Files.readAllBytes(Paths.get(jsonFile)));
JSONObject jsonObject = new JSONObject(jsonString);
OsvAdvisory advisory = parser.parse(jsonObject);
Assert.assertNotNull(advisory);
}

}
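Review bot: testIssue3185 decodes the fixture with `new String(Files.readAllBytes(Paths.get(jsonFile)))`, which uses the platform default charset on JDKs before 18, so a non-ASCII byte in src/test/resources/unit/osv.jsons/osv-CVE-2016-10012.json could make the test's behaviour depend on the build machine's locale. Prefer `String jsonString = Files.readString(Paths.get(jsonFile));`, or `new String(Files.readAllBytes(Paths.get(jsonFile)), StandardCharsets.UTF_8)` if the project's Java baseline predates readString. The test also only asserts that the advisory is non-null; adding an assertion on `advisory.getAffectedPackages()`, as testCommitHashRanges above does, would pin what the parser is now expected to produce for an affected node without a package, rather than merely that it no longer throws.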