Open THausherr opened 5 days ago
I just ran into this too in the Gradle plugin:
Verifying dependencies for project ocpp-ws
Checking for updates and analyzing dependencies for vulnerabilities
Failed to process CVE-2023-3079
java.lang.NullPointerException
at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273)
at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1708)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
at org.owasp.dependencycheck.data.nvd.ecosystem.CveEcosystemMapper.hasMultipleVendorProductConfigurations(CveEcosystemMapper.java:92)
at org.owasp.dependencycheck.data.nvd.ecosystem.CveEcosystemMapper.getEcosystem(CveEcosystemMapper.java:66)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.updateCveDb(NvdApiProcessor.java:119)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call(NvdApiProcessor.java:102)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call(NvdApiProcessor.java:40)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
at java.base/java.lang.Thread.run(Thread.java:1583)
Updating to the latest version of the plugin (9.2.0) did not make the exception go away. However, the dependencyCheckAnalyze task still passed, despite this exception.
Apparently, CVE-2023-3079 is a vulnerability in the V8 JavaScript engine of Google Chrome and Chromium, so it probably does not apply to any Java or Kotlin dependencies.
Just looking at https://nvd.nist.gov/vuln/detail/CVE-2023-3079 it appears there are two "null" configurations, which may be the cause.
Describe the bug: NPE in output, but non-fatal, so consider this minor / low priority
Version of dependency-check used: 9.2.0 maven
Log file: https://gist.github.com/THausherr/0db6b5f65c73fb7c58d73b23a5f0c228
To Reproduce: Steps to reproduce the behavior: Run maven, see log
Expected behavior: No NPE
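The stack trace points at a stream over a CVE's configurations that dereferences an entry which the NVD record leaves as null. As an added illustration (not dependency-check's own code; the record/node/cpeMatch classes are a simplified hypothetical model of an NVD API 2.0 record), the following shows a null-safe way to answer "does this CVE name more than one vendor:product?" so that null configuration entries are skipped rather than dereferenced, using a constructed sample shaped like the record described above.

```java
import java.util.*;
import java.util.stream.*;

// Hypothetical, simplified model of an NVD API 2.0 record: configurations ->
// nodes -> cpeMatch entries carrying a CPE 2.3 "criteria" string.
// These are NOT dependency-check's classes.
public class NullSafeEcosystemCheck {

    record CpeMatch(String criteria) {}
    record Node(List<CpeMatch> cpeMatch) {}
    record Configuration(List<Node> nodes) {}

    /** vendor:product from a CPE 2.3 string ("cpe:2.3:part:vendor:product:..."), or null if malformed. */
    static String vendorProduct(String cpe) {
        if (cpe == null) return null;
        String[] parts = cpe.split(":");
        return parts.length > 4 ? parts[3] + ":" + parts[4] : null;
    }

    /**
     * True when the record lists more than one distinct vendor:product pair.
     * Every level that the NVD feed may leave null (configuration, node list,
     * node, cpeMatch list, match, criteria) is filtered out instead of dereferenced.
     */
    static boolean hasMultipleVendorProductConfigurations(List<Configuration> configurations) {
        if (configurations == null) return false;
        long distinct = configurations.stream()
            .filter(Objects::nonNull)
            .flatMap(c -> c.nodes() == null ? Stream.empty() : c.nodes().stream())
            .filter(Objects::nonNull)
            .flatMap(n -> n.cpeMatch() == null ? Stream.empty() : n.cpeMatch().stream())
            .filter(Objects::nonNull)
            .map(m -> vendorProduct(m.criteria()))
            .filter(Objects::nonNull)
            .distinct()
            .count();
        return distinct > 1;
    }

    public static void main(String[] args) {
        // Constructed sample: one Chrome configuration plus two null configuration
        // entries, mirroring the "two null configurations" shape suspected above.
        Node chrome = new Node(List.of(new CpeMatch("cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*")));
        List<Configuration> configs = Arrays.asList(new Configuration(List.of(chrome)), null, null);
        // Completes without an NPE; the null entries contribute nothing to the count.
        System.out.println("multiple vendor/product pairs: " + hasMultipleVendorProductConfigurations(configs));
    }
}
```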