fix: Gracefully handle CVEs with bad configuration nodes missing CPE …

…match expressions (#7125) Signed-off-by: Chad Wilson <chadw@thoughtworks.com>
jeremylong · Nov 4, 2024 · 25606aa · 25606aa
1 parent 8e000dd
commit 25606aa
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 3 deletions.
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperator.java b/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperator.java
@@ -18,6 +18,8 @@
 package org.owasp.dependencycheck.data.nvdcve;
 
 import io.github.jeremylong.openvulnerability.client.nvd.Config;
+
+import java.util.Objects;
 import java.util.stream.Collectors;
 import org.owasp.dependencycheck.data.nvd.ecosystem.Ecosystem;
 
@@ -219,15 +221,15 @@ public boolean isRejected(String description) {
     boolean testCveCpeStartWithFilter(final DefCveItem cve) {
         if (cve.getCve().getConfigurations() != null) {
             //cycle through to see if this is a CPE we care about (use the CPE filters
-            final boolean result = cve.getCve().getConfigurations().stream()
+            return cve.getCve().getConfigurations().stream()
                     .map(Config::getNodes)
                     .flatMap(List::stream)
-                    .filter(node -> node != null)
+                    .filter(Objects::nonNull)
                     .map(Node::getCpeMatch)
+                    .filter(Objects::nonNull)
                     .flatMap(List::stream)
                     .filter(cpe -> cpe != null && cpe.getCriteria() != null)
                     .anyMatch(cpe -> cpe.getCriteria().startsWith(cpeStartsWithFilter));
-            return result;
         }
         return false;
     }

diff --git a/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperatorTest.java b/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperatorTest.java
@@ -33,6 +33,7 @@
 import java.util.ArrayList;
 import java.util.List;
 import org.junit.Test;
+
 import static org.junit.Assert.*;
 
 /**
@@ -89,4 +90,31 @@ public void testTestCveCpeStartWithFilter() {
 
     }
 
+    @Test
+    public void testTestCveCpeStartWithFilterForConfigurationWithoutCpeMatches() {
+        ZonedDateTime published = ZonedDateTime.now();
+        ZonedDateTime lastModified = ZonedDateTime.now();
+        LocalDate cisaExploitAdd = null;
+        LocalDate cisaActionDue = null;
+        List<CveTag> cveTags = null;
+        List<LangString> descriptions = null;
+        List<Reference> references = null;
+        Metrics metrics = null;
+        List<Weakness> weaknesses = null;
+
+        Node noCpeMatches = new Node(Node.Operator.OR, null, null);
+        Config c = new Config(Config.Operator.AND, null, List.of(noCpeMatches));
+        List<VendorComment> vendorComments = null;
+        CveItem cveItem = new CveItem("id", "sourceIdentifier", "vulnStatus", published, lastModified,
+                "evaluatorComment", "evaluatorSolution", "evaluatorImpact", cisaExploitAdd, cisaActionDue,
+                "cisaRequiredAction", "cisaVulnerabilityName", cveTags, descriptions, references, metrics,
+                weaknesses, List.of(c), vendorComments);
+
+        DefCveItem cve = new DefCveItem(cveItem);
+        CveItemOperator instance = new CveItemOperator("cpe:2.3:o:");
+        boolean expResult = false;
+        boolean result = instance.testCveCpeStartWithFilter(cve);
+        assertEquals(expResult, result);
+    }
+
 }