jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Failed to process CVE-2023-3079 / NullPointerException #6742

Open THausherr opened 5 days ago

THausherr commented 5 days ago

Describe the bug
NPE in output, but non fatal, so consider this minor / low priority

Version of dependency-check used
9.2.0 maven

Log file
https://gist.github.com/THausherr/0db6b5f65c73fb7c58d73b23a5f0c228

To Reproduce
Steps to reproduce the behavior: Run maven, see log

Expected behavior
No NPE

volkert-fastned commented 5 days ago

I just ran into this too in the Gradle plugin:

Verifying dependencies for project ocpp-ws
Checking for updates and analyzing dependencies for vulnerabilities

Failed to process CVE-2023-3079
java.lang.NullPointerException
        at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273)
        at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
        at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1708)
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
        at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
        at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
        at org.owasp.dependencycheck.data.nvd.ecosystem.CveEcosystemMapper.hasMultipleVendorProductConfigurations(CveEcosystemMapper.java:92)
        at org.owasp.dependencycheck.data.nvd.ecosystem.CveEcosystemMapper.getEcosystem(CveEcosystemMapper.java:66)
        at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.updateCveDb(NvdApiProcessor.java:119)
        at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call(NvdApiProcessor.java:102)
        at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call(NvdApiProcessor.java:40)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
        at java.base/java.lang.Thread.run(Thread.java:1583)

Updating to the latest version of the plugin (9.2.0) did not make the exception go away. However, the dependencyCheckAnalyze task still passed, despite this exception.

volkert-fastned commented 5 days ago

Apparently, CVE-2023-3079 is a vulnerability in the V8 JavaScript engine of Google Chrome and Chromium, so it probably does not apply to any Java or Kotlin dependencies.

OrangeDog commented 5 days ago

Just looking at https://nvd.nist.gov/vuln/detail/CVE-2023-3079 it appears there are two "null" configurations, which may be the cause.
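The trace above ends inside a stream pipeline in CveEcosystemMapper.hasMultipleVendorProductConfigurations, and the comment above points at null entries in the CVE's configuration list as the likely trigger. The Java below is an added illustration, not dependency-check's own code: it models the NVD API 2.0 shape (configurations -> nodes -> cpeMatch -> criteria) with small records, shows a naive pipeline that throws NullPointerException as soon as a null configuration is dereferenced, and a null-tolerant variant that filters before each dereference. The record, method and sample CPE names are assumptions constructed for the example; the actual mapper's code and the exact content of the NVD record are not reproduced here.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;

// Added illustration, not dependency-check's own code. Names are assumptions.
public class NullConfigurationDemo {

    // Minimal stand-ins for the NVD API 2.0 JSON shape:
    // cve.configurations[].nodes[].cpeMatch[].criteria
    record CpeMatch(String criteria) {}
    record Node(List<CpeMatch> cpeMatch) {}
    record Configuration(List<Node> nodes) {}

    /** vendor:product pair taken from a CPE 2.3 string (cpe:2.3:part:vendor:product:...). */
    static String vendorProduct(String cpe) {
        String[] parts = cpe.split(":");
        return parts.length > 4 ? parts[3] + ":" + parts[4] : cpe;
    }

    /** Naive version: assumes every configuration, node and match is non-null. */
    static boolean hasMultipleVendorProductConfigurationsNaive(List<Configuration> configurations) {
        Set<String> pairs = configurations.stream()
                .flatMap(c -> c.nodes().stream())       // c.nodes() throws NullPointerException when c is null
                .flatMap(n -> n.cpeMatch().stream())
                .map(m -> vendorProduct(m.criteria()))
                .collect(Collectors.toSet());
        return pairs.size() > 1;
    }

    /** Hardened version: drops null configurations, nodes, matches and criteria before dereferencing. */
    static boolean hasMultipleVendorProductConfigurations(List<Configuration> configurations) {
        if (configurations == null) {
            return false;
        }
        Set<String> pairs = configurations.stream()
                .filter(Objects::nonNull)
                .map(Configuration::nodes).filter(Objects::nonNull)
                .flatMap(List::stream).filter(Objects::nonNull)
                .map(Node::cpeMatch).filter(Objects::nonNull)
                .flatMap(List::stream).filter(Objects::nonNull)
                .map(CpeMatch::criteria).filter(Objects::nonNull)
                .map(NullConfigurationDemo::vendorProduct)
                .collect(Collectors.toSet());
        return pairs.size() > 1;
    }

    public static void main(String[] args) {
        // Constructed sample input: one populated configuration plus two null
        // entries, modelled on the two "null" configurations mentioned in the
        // report. The CPE string is made up for the example.
        List<Configuration> configurations = new ArrayList<>();
        configurations.add(new Configuration(List.of(
                new Node(List.of(new CpeMatch("cpe:2.3:a:example-vendor:example-browser:*:*:*:*:*:*:*:*"))))));
        configurations.add(null);
        configurations.add(null);

        System.out.println("hardened: multiple vendor/product pairs = "
                + hasMultipleVendorProductConfigurations(configurations));

        try {
            hasMultipleVendorProductConfigurationsNaive(configurations);
            System.out.println("naive: completed without exception");
        } catch (NullPointerException e) {
            System.out.println("naive: NullPointerException, the same failure mode as the reported trace");
        }
    }
}
```

The design point for anyone consuming NVD feeds: every optional field in the API response may be absent or null for individual records, so per-field null filtering (or Optional handling) belongs in the mapping code rather than relying on the feed being well-formed. A mapper that throws on one malformed record should also make it obvious in the log which CVE was skipped, as the reported "Failed to process CVE-2023-3079" message does, so that a skipped entry can be reviewed rather than silently missed.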