Fix NPE when querying component metadata for projects without findings

The method to bulk query component metadata turned out to return metadata for all components when given an empty list is input. Trying to correlate the returned data with the non-existent findings caused a NPE. Signed-off-by: nscuro <nscuro@protonmail.com>
DependencyTrack · Jun 26, 2024 · 6727a14 · 6727a14
1 parent 6def612
commit 6727a14
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/src/main/java/org/dependencytrack/persistence/RepositoryQueryManager.java b/src/main/java/org/dependencytrack/persistence/RepositoryQueryManager.java
@@ -31,6 +31,7 @@
 import javax.jdo.Query;
 import java.io.Serializable;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -256,6 +257,10 @@ public synchronized RepositoryMetaComponent synchronizeRepositoryMetaComponent(
      * @since 4.9.0
      */
     public List<RepositoryMetaComponent> getRepositoryMetaComponents(final List<RepositoryQueryManager.RepositoryMetaComponentSearch> list) {
+        if (list == null || list.isEmpty()) {
+            return Collections.emptyList();
+        }
+
         final Query<RepositoryMetaComponent> query = pm.newQuery(RepositoryMetaComponent.class);
 
         // Dynamically build the filter string and populate the parameters

diff --git a/src/test/java/org/dependencytrack/resources/v1/FindingResourceTest.java b/src/test/java/org/dependencytrack/resources/v1/FindingResourceTest.java
@@ -49,6 +49,7 @@
 
 import static net.javacrumbs.jsonunit.assertj.JsonAssertions.assertThatJson;
 import static net.javacrumbs.jsonunit.assertj.JsonAssertions.json;
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.dependencytrack.resources.v1.FindingResource.MEDIA_TYPE_SARIF_JSON;
 import static org.hamcrest.CoreMatchers.equalTo;
 
@@ -118,6 +119,29 @@ public void getFindingsByProjectTest() {
         Assert.assertEquals(p1.getUuid().toString() + ":" + c2.getUuid().toString() + ":" + v3.getUuid().toString(), json.getJsonObject(2).getString("matrix"));
     }
 
+    @Test
+    public void getFindingsByProjectEmptyTest() {
+        final var metaComponent = new RepositoryMetaComponent();
+        metaComponent.setRepositoryType(RepositoryType.MAVEN);
+        metaComponent.setNamespace("com.acme");
+        metaComponent.setName("acme-lib");
+        metaComponent.setLatestVersion("1.2.3");
+        metaComponent.setLastCheck(new Date());
+        qm.persist(metaComponent);
+
+        final var project = new Project();
+        project.setName("acme-app");
+        qm.persist(project);
+
+        final Response response = jersey.target(V1_FINDING + "/project/" + project.getUuid())
+                .request()
+                .header(X_API_KEY, apiKey)
+                .get();
+        assertThat(response.getStatus()).isEqualTo(200);
+        assertThat(response.getHeaderString(TOTAL_COUNT_HEADER)).isEqualTo("0");
+        assertThat(getPlainTextBody(response)).isEqualTo("[]");
+    }
+
     @Test
     public void getFindingsByProjectInvalidTest() {
         Response response = jersey.target(V1_FINDING + "/project/" + UUID.randomUUID().toString()).request()