spdx / cdx2spdx

Utility that converts SBOM documents from CycloneDX to SPDX
Apache License 2.0

fix NullPointerException from empty Tools #8

Closed bhamail closed 2 years ago

bhamail commented 2 years ago

Using the test file below, I was getting a NPE due to a null from metadata.getTools().

This PR attempts to guard against that case. (Pre-apologies for tab/space madness. Trying to go to space where possible.)

Could you point me to a good way to add a unit test for this case?

Here's the test file I used, but I'd like to add a test for this condition.

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {
    "timestamp": "2022-02-21T17:20:41Z",
    "component": {
      "name": "Acme Application",
      "version": "9.1.1",
      "type": "application",
      "bom-ref": "acme-app"
    }
  },
  "components": [
    {
      "name": "acme-library",
      "version": "1.0.0",
      "hashes": [
        {
          "alg": "SHA-1",
          "content": "9188560f22e0b73070d2efce670c74af2bdf30af"
        },
        {
          "alg": "SHA-256",
          "content": "d88bc4e70bfb34d18b5542136639acbb26a8ae2429aa1e47489332fb389cc964"
        }
      ],
      "cpe": "cpe:/a:acme:application:9.1.1",
      "type": "library"
    },
    {
      "group": "com.fasterxml.jackson.core",
      "name": "jackson-databind",
      "version": "2.8.0",
      "licenses": [
        {
          "license": {
            "id": "Apache-2.0"
          }
        }
      ],
      "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0?type=jar",
      "type": "library"
    }
  ],
  "dependencies": [
    {
      "ref": "acme-app",
      "dependsOn": [
        "pkg:maven/org.acme/web-framework@1.0.0?type=jar",
        "pkg:maven/org.acme/persistence@3.1.0?type=jar"
      ]
    },
    {
      "ref": "pkg:maven/org.acme/web-framework@1.0.0?type=jar",
      "dependsOn": [
        "pkg:maven/org.acme/common-util@3.0.0?type=jar"
      ]
    },
    {
      "ref": "pkg:maven/org.acme/persistence@3.1.0?type=jar",
      "dependsOn": [
        "pkg:maven/org.acme/common-util@3.0.0?type=jar"
      ]
    },
    {
      "ref": "pkg:maven/org.acme/common-util@3.0.0?type=jar",
      "dependsOn": []
    }
  ],
  "vulnerabilities": [
    {
      "id": "CVE-2018-7489",
      "source": {
        "name": "NVD",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7489"
      },
      "ratings": [
        {
          "source": {
            "name": "NVD",
            "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.0"
          },
          "score": 9.8,
          "severity": "critical",
          "method": "CVSSv3",
          "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "cwes": [
        184,
        502
      ],
      "description": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.",
      "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.",
      "advisories": [
        {
          "title": "GitHub Commit",
          "url": "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2"
        }
      ],
      "created": "2021-01-01T00:00:00Z",
      "published": "2021-01-01T00:00:00Z",
      "updated": "2021-01-01T00:00:00Z",
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": [
          "will_not_fix",
          "update"
        ],
        "detail": "An optional explanation of why the application is not affected by the vulnerable component."
      },
      "affects": [
        {
          "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0?type=jar"
        }
      ]
    }
  ]
}

goneall commented 2 years ago

Thanks @bhamail for catching this and the PR!

Could you point me to a good way to add a unit test for this case?

You can just add a test case to CycloneToSpdxTest.java.

You can create a local subdirectory, cdxboms, under src/test/resources and put the test file there.
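The guard bhamail describes and the test goneall asks for, as an added example that is not cdx2spdx's own code. It assumes cyclonedx-core-java (org.cyclonedx.parsers.JsonParser, org.cyclonedx.model.Bom/Metadata/Tool) and JUnit 4 on the classpath, and the fixture file name no-tools.json under src/test/resources/cdxboms is hypothetical. The converter-side helper renders CycloneDX metadata.tools as SPDX creator strings ("Tool: vendor name-version") and returns an empty list instead of dereferencing a null tools list; the first test loads a BOM with no tools, the second checks the rendered form on a BOM built in memory.

```java
// Added example, not code from the cdx2spdx project.
// Assumes cyclonedx-core-java and JUnit 4 on the classpath.
import java.io.File;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.cyclonedx.model.Bom;
import org.cyclonedx.model.Metadata;
import org.cyclonedx.model.Tool;
import org.cyclonedx.parsers.JsonParser;

import org.junit.Test;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

public class ToolsGuardExample {

    /**
     * Render metadata.tools as SPDX creator strings ("Tool: vendor name-version").
     * A CycloneDX document may omit metadata entirely, omit metadata.tools
     * (the getter then returns null, which is the NPE from the PR), or list
     * tools with missing vendor/version fields, so every level is null-checked
     * before it is dereferenced.
     */
    public static List<String> toolCreators(Bom bom) {
        if (bom == null || bom.getMetadata() == null) {
            return Collections.emptyList();
        }
        List<Tool> tools = bom.getMetadata().getTools();
        if (tools == null) {
            return Collections.emptyList();
        }
        List<String> creators = new ArrayList<>();
        for (Tool tool : tools) {
            if (tool == null || tool.getName() == null) {
                continue; // nothing usable to identify the tool
            }
            StringBuilder sb = new StringBuilder("Tool: ");
            if (tool.getVendor() != null) {
                sb.append(tool.getVendor()).append(' ');
            }
            sb.append(tool.getName());
            if (tool.getVersion() != null) {
                sb.append('-').append(tool.getVersion());
            }
            creators.add(sb.toString());
        }
        return creators;
    }

    // Fixture-based test in the style suggested above; the file name is hypothetical.
    @Test
    public void bomWithoutToolsDoesNotThrow() throws Exception {
        File fixture = new File("src/test/resources/cdxboms/no-tools.json");
        Bom bom = new JsonParser().parse(fixture);
        assertTrue(toolCreators(bom).isEmpty());
    }

    // In-memory BOM with one tool: checks the rendered creator string.
    @Test
    public void toolsAreRenderedAsSpdxCreators() {
        Tool tool = new Tool();
        tool.setVendor("Acme");
        tool.setName("bomgen");
        tool.setVersion("1.2.3");
        Metadata metadata = new Metadata();
        metadata.setTools(Collections.singletonList(tool));
        Bom bom = new Bom();
        bom.setMetadata(metadata);
        assertEquals(Collections.singletonList("Tool: Acme bomgen-1.2.3"), toolCreators(bom));
    }
}
```

The same shape applies to the other optional CycloneDX metadata fields (authors, manufacture, supplier): treat a null getter result as "absent" and emit nothing, rather than assuming the serializer always produces an empty collection.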

goneall commented 2 years ago

BTW - It's interesting that findbugs didn't find this issue. I'll need to run sonar against this code to see if there are similar issues.

bhamail commented 2 years ago

BTW - It's interesting that findbugs didn't find this issue. I'll need to run sonar against this code to see if there are similar issues.

<shameless plug>You might consider running Sonatype Lift on this repo. ;) Happy to help set it up if needed.</shameless plug>

goneall commented 2 years ago

@bhamail I'll definitely give Sonatype Lift a try. I do use Sonatype for my Maven repo work, just haven't tried Lift.