Closed
Labels: defect (Something isn't working), integration/trivy (Related to the Trivy integration), size/S (Small effort)
Description
Current Behavior
I generated a CycloneDX v1.5 SBOM using Trivy for container image: jenkins/inbound-agent:latest (sbom attached) and uploaded it through the Dependency Track UI. The Trivy analyzer throws an NPE because the component list has a component with no PURL defined.
2025-02-18 18:55:08,189 ERROR [VulnerabilityAnalysisTask] Failed to analyze project [eventToken=88788128-ae94-4fea-9733-8161a5b3ef5f]
java.lang.NullPointerException: Cannot invoke "com.github.packageurl.PackageURL.getCoordinates()" because "packageUrl" is null
at org.dependencytrack.tasks.scanners.TrivyAnalysisTask.lambda$shouldAnalyze$2(TrivyAnalysisTask.java:337)
at java.base/java.util.Optional.map(Unknown Source)
at org.dependencytrack.tasks.scanners.TrivyAnalysisTask.shouldAnalyze(TrivyAnalysisTask.java:337)
at org.dependencytrack.tasks.VulnerabilityAnalysisTask.analyzeComponents(VulnerabilityAnalysisTask.java:241)
at org.dependencytrack.tasks.VulnerabilityAnalysisTask.analyzeProject(VulnerabilityAnalysisTask.java:167)
at org.dependencytrack.tasks.VulnerabilityAnalysisTask.analyzeProject(VulnerabilityAnalysisTask.java:202)
at org.dependencytrack.tasks.VulnerabilityAnalysisTask.inform(VulnerabilityAnalysisTask.java:85)
at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:110)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
sbom-jenkins-inbound-agent.json
The SBOM is valid and the component PURL is an optional attribute.
Follow-on issue: I manually removed the offending component from the SBOM and tried to process the modified SBOM and it threw a different NPE:
java.lang.NullPointerException: Cannot invoke "java.util.List.iterator()" because the return value of "org.dependencytrack.model.Component.getProperties()" is null
at org.dependencytrack.tasks.scanners.TrivyAnalysisTask.analyze(TrivyAnalysisTask.java:254)
at org.dependencytrack.tasks.scanners.TrivyAnalysisTask.inform(TrivyAnalysisTask.java:162)
at org.dependencytrack.tasks.VulnerabilityAnalysisTask.analyzeComponents(VulnerabilityAnalysisTask.java:282)
at org.dependencytrack.tasks.VulnerabilityAnalysisTask.analyzeProject(VulnerabilityAnalysisTask.java:167)
at org.dependencytrack.tasks.VulnerabilityAnalysisTask.analyzeProject(VulnerabilityAnalysisTask.java:202)
at org.dependencytrack.tasks.VulnerabilityAnalysisTask.inform(VulnerabilityAnalysisTask.java:85)
at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:110)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
I could not find the cause of the follow-on issue.
Steps to Reproduce
- I'm running dtrack with docker compose with the trivy container and the Trivy analyzer enabled.
- Upload the SBOM via the UI for a project
- No error seen, but no vulnerabilities show up. Trivy itself is never called.
- See the apiserver container log to see the NPE.
Expected Behavior
I would expect the Trivy Analyzer to honor the format schemas for optional attributes on valid SBOMs.
Dependency-Track Version
4.12.5
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
16
Browser
Google Chrome
Checklist
- I have read and understand the contributing guidelines
- I have checked the existing issues for whether this defect was already reported
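The two stack traces above come from dereferencing fields that CycloneDX 1.5 makes optional: a component's `purl` and its `properties` list. The pre-flight check below is an added example, not Dependency-Track or Trivy code, and the sample SBOM in it is constructed rather than the attached `sbom-jenkins-inbound-agent.json`. It shows the null-safe treatment of both fields (skip a component without coordinates instead of crashing, iterate an empty list instead of a missing one) and reports which components a purl-based analyzer can actually use, which is a quick way to triage an SBOM before uploading it.

```python
"""Pre-flight check for a CycloneDX JSON SBOM: report components that lack a
`purl` or a `properties` list, both optional in CycloneDX 1.5.
Added example; the helper functions are assumptions about how such fields
should be handled, not Dependency-Track's own implementation."""
from __future__ import annotations

import json
from typing import Any

# Constructed sample CycloneDX 1.5 SBOM (not the attachment from the issue).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "library", "name": "remoting", "version": "1.0.0",
            "purl": "pkg:maven/org.example/remoting@1.0.0",
            "properties": [{"name": "example:PkgType", "value": "jar"}],
        },
        # No purl: valid per the schema; this shape triggered the first NPE.
        {"type": "operating-system", "name": "debian", "version": "12"},
        # purl present but no properties: the shape behind the second NPE.
        {"type": "library", "name": "libc6", "version": "2.36",
         "purl": "pkg:deb/debian/libc6@2.36"},
    ],
})


def coordinates(component: dict[str, Any]) -> str | None:
    """Return the component's purl, or None when it is absent or malformed.
    Treats purl as optional instead of dereferencing it unconditionally."""
    purl = component.get("purl")
    return purl if isinstance(purl, str) and purl.startswith("pkg:") else None


def properties(component: dict[str, Any]) -> list[dict[str, str]]:
    """Return the properties list, or an empty list when it is missing or null,
    so callers can always iterate it."""
    return component.get("properties") or []


def should_analyze(component: dict[str, Any]) -> bool:
    """A purl-based scanner can only match a component that has coordinates;
    components without them are skipped rather than treated as an error."""
    return coordinates(component) is not None


def preflight(sbom_json: str) -> dict[str, list[str]]:
    """Summarise which components a purl-based analyzer can and cannot use."""
    sbom = json.loads(sbom_json)
    report: dict[str, list[str]] = {
        "analyzable": [], "no_purl": [], "no_properties": [],
    }
    for comp in sbom.get("components") or []:
        label = f"{comp.get('name')}@{comp.get('version')}"
        if should_analyze(comp):
            report["analyzable"].append(label)
        else:
            report["no_purl"].append(label)
        if not properties(comp):
            report["no_properties"].append(label)
    return report


if __name__ == "__main__":
    for key, items in preflight(SAMPLE_SBOM).items():
        print(f"{key}: {items}")
```

Run against a real SBOM by replacing `SAMPLE_SBOM` with the file contents; a non-empty `no_purl` list identifies the components that the reporter had to remove by hand, and `no_properties` the ones that would hit the second trace.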