Merge branch 'main' of github.com:jeremylong/DependencyCheck into main

jeremylong · Apr 28, 2021 · 6cd6bb2 · 6cd6bb2
2 parents 2f08b85 + 2e85744
commit 6cd6bb2
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 4 deletions.
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nvd/ecosystem/UrlEcosystemMapper.java b/core/src/main/java/org/owasp/dependencycheck/data/nvd/ecosystem/UrlEcosystemMapper.java
@@ -17,12 +17,16 @@
  */
 package org.owasp.dependencycheck.data.nvd.ecosystem;
 
+import java.util.Objects;
+import java.util.Optional;
 import java.util.TreeMap;
 
 import javax.annotation.concurrent.NotThreadSafe;
 
+import org.owasp.dependencycheck.data.nvd.json.CVEJSON40Min11;
 import org.owasp.dependencycheck.data.nvd.json.DefCveItem;
 import org.owasp.dependencycheck.data.nvd.json.Reference;
+import org.owasp.dependencycheck.data.nvd.json.References;
 
 import com.hankcs.algorithm.AhoCorasickDoubleArrayTrie;
 import com.hankcs.algorithm.AhoCorasickDoubleArrayTrie.Hit;
@@ -65,8 +69,13 @@ public UrlEcosystemMapper() {
      * @return the ecosystem
      */
     public String getEcosystem(DefCveItem cve) {
-        if (cve.getCve().getReferences() != null) {
-            for (Reference r : cve.getCve().getReferences().getReferenceData()) {
+        References references = Optional.ofNullable(cve)
+                .map(DefCveItem::getCve)
+                .map(CVEJSON40Min11::getReferences)
+                .orElse(null);
+
+        if (Objects.nonNull(references)) {
+            for (Reference r : references.getReferenceData()) {
 
                 final Hit<String> ecosystem = search.findFirst(r.getUrl());
                 if (ecosystem != null) {

diff --git a/core/src/test/java/org/owasp/dependencycheck/data/nvd/ecosystem/UrlEcosystemMapperTest.java b/core/src/test/java/org/owasp/dependencycheck/data/nvd/ecosystem/UrlEcosystemMapperTest.java
@@ -1,6 +1,7 @@
 package org.owasp.dependencycheck.data.nvd.ecosystem;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
 
 import org.junit.Test;
 import org.owasp.dependencycheck.analyzer.PythonPackageAnalyzer;
@@ -36,4 +37,47 @@ private DefCveItem asCve(String url) {
 
         return defCveItem;
     }
+
+    @Test
+    public void testGetEcosystemMustHandleNullCveReferences() {
+        // Given
+        UrlEcosystemMapper mapper = new UrlEcosystemMapper();
+
+        CVEJSON40Min11 cve = new CVEJSON40Min11();
+
+        DefCveItem cveItem = new DefCveItem();
+        cveItem.setCve(cve);
+
+        // When
+        String output = mapper.getEcosystem(cveItem);
+
+        // Then
+        assertNull(output);
+    }
+
+    @Test
+    public void testGetEcosystemMustHandleNullCve() {
+        // Given
+        UrlEcosystemMapper mapper = new UrlEcosystemMapper();
+
+        DefCveItem cveItem = new DefCveItem();
+
+        // When
+        String output = mapper.getEcosystem(cveItem);
+
+        // Then
+        assertNull(output);
+    }
+
+    @Test
+    public void testGetEcosystemMustHandleNullCveItem() {
+        // Given
+        UrlEcosystemMapper mapper = new UrlEcosystemMapper();
+
+        // When
+        String output = mapper.getEcosystem(null);
+
+        // Then
+        assertNull(output);
+    }
 }
diff --git a/maven/pom.xml b/maven/pom.xml
@@ -28,7 +28,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <description>dependency-check-maven is a Maven Plugin that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project's dependencies. The plugin will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.</description>
     <inceptionYear>2013</inceptionYear>
     <properties>
-        <version.maven-plugin-plugin>3.6.0</version.maven-plugin-plugin>
+        <version.maven-plugin-plugin>3.6.1</version.maven-plugin-plugin>
     </properties>
     <scm>
         <connection>scm:git:https://github.com/jeremylong/DependencyCheck.git</connection>

diff --git a/pom.xml b/pom.xml
@@ -153,7 +153,7 @@ Copyright (c) 2012 - Jeremy Long
         <commons-compress.version>1.20</commons-compress.version>
         <org.apache.maven.shared.file-management.version>3.0.0</org.apache.maven.shared.file-management.version>
         <maven-plugin-testing-harness.version>3.3.0</maven-plugin-testing-harness.version>
-        <maven-plugin-annotations.version>3.6.0</maven-plugin-annotations.version>
+        <maven-plugin-annotations.version>3.6.1</maven-plugin-annotations.version>
         <maven-reporting-api.version>3.0</maven-reporting-api.version>
         <commons-collections.version>3.2.2</commons-collections.version>
         <org.apache.velocity.version>2.3</org.apache.velocity.version>