Fix exception when handling certain OSV advisories

Do not attempt to calculate the severity of an advisory that has no CVSS vectors, no explicit severity, and no affected packages. Signed-off-by: Peter Kimball <4459325+peterakimball@users.noreply.github.com>
DependencyTrack · Sep 30, 2024 · 0fa5f3a · 0fa5f3a
1 parent 83ff166
commit 0fa5f3a
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/src/main/java/org/dependencytrack/tasks/OsvDownloadTask.java b/src/main/java/org/dependencytrack/tasks/OsvDownloadTask.java
@@ -290,14 +290,13 @@ public Severity calculateOSVSeverity(OsvAdvisory advisory) {
             }
         }
         // get largest ecosystem_specific severity from its affected packages
-        if (advisory.getAffectedPackages() != null) {
+        if (!advisory.getAffectedPackages().isEmpty()) {
             List<Integer> severityLevels = new ArrayList<>();
             for (OsvAffectedPackage vuln : advisory.getAffectedPackages()) {
                 severityLevels.add(vuln.getSeverity().getLevel());
             }
             Collections.sort(severityLevels);
-            Collections.reverse(severityLevels);
-            return getSeverityByLevel(severityLevels.get(0));
+            return getSeverityByLevel(severityLevels.getLast());
         }
         return Severity.UNASSIGNED;
     }