Description
Current Behavior
I have noticed the following ERROR entries in the api server logs after activating the OSV download (lines 2 and 3):
2025-07-07 11:19:51,331 DEBUG [OsvDownloadTask] Synchronizing Google OSV advisory: UBUNTU-CVE-2025-6275 [osvEcosystem=Ubuntu, vulnId=UBUNTU-CVE-2025-6275]
2025-07-07 11:19:51,332 ERROR [OsvDownloadTask] Failed to process advisory [osvEcosystem=Ubuntu, vulnId=UBUNTU-CVE-2025-6297]
java.lang.NullPointerException: null
2025-07-07 11:19:51,332 DEBUG [OsvDownloadTask] Synchronizing Google OSV advisory: UBUNTU-CVE-2025-6375 [osvEcosystem=Ubuntu, vulnId=UBUNTU-CVE-2025-6375]
2025-07-07 11:19:51,334 DEBUG [OsvDownloadTask] Synchronizing Google OSV advisory: UBUNTU-CVE-2025-6424 [osvEcosystem=Ubuntu, vulnId=UBUNTU-CVE-2025-6424]
2025-07-07 11:19:51,335 DEBUG [OsvDownloadTask] Synchronizing Google OSV advisory: UBUNTU-CVE-2025-6425 [osvEcosystem=Ubuntu, vulnId=UBUNTU-CVE-2025-6425]
2025-07-07 11:19:51,337 DEBUG [OsvDownloadTask] Synchronizing Google OSV advisory: UBUNTU-CVE-2025-6426 [osvEcosystem=Ubuntu, vulnId=UBUNTU-CVE-2025-6426]
as well as some like this:
2025-07-07 11:57:52,965 ERROR [OsvDownloadTask] Failed to process advisory [osvEcosystem=Ubuntu, vulnId=UBUNTU-CVE-2015-1350]
java.lang.NullPointerException: Cannot invoke "String.equalsIgnoreCase(String)" because "type" is null
at org.dependencytrack.parser.osv.OsvAdvisoryParser.parse(OsvAdvisoryParser.java:99)
at org.dependencytrack.tasks.OsvDownloadTask.unzipFolder(OsvDownloadTask.java:155)
at org.dependencytrack.tasks.OsvDownloadTask.inform(OsvDownloadTask.java:124)
at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:110)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
I investigated the affected advisory files (all related to the UBUNTU ecosystem) and found the following commonality between the affected ones:
They all contain items in the severity array which do not have a type.
{
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
    },
    {
      "score": "low"
    }
  ]
}
I think that this item with just a score is supposed to represent the Ubuntu priority, which they also list on the advisory page (for example here).
This is only the case for a smaller subset of these advisories, most of them include this score in the ubuntu_priority of the ecosystem_specific object or don't have it at all.
I found that the OsvAdvisoryParser.parse() method does not check if type is null, before accessing it, so a fix would be simple: if type is null, don't process this item of the severity array and continue. As far as I could find out, the ubuntu_priority is not used in DT, right?
But I am wondering why the import of these advisories has still worked at some point (they are present when I look for them in the frontend), and why this issue has not yet been reported here, because some of the affected advisories are very old. Did something else change recently?
Also I am aware that OSV mirroring is still marked as "beta".
Steps to Reproduce
- Activate Google OSV Advisory mirroring
- Set the DT api server loglevel to DEBUG (optional)
- Select the "Ubuntu" ecosystem (at least)
- Observe the logs for errors while the mirroring process is running
Expected Behavior
No exceptions appear in the logs (especially no java.lang.NullPointerException: null) and the OSV mirroring works as expected.
Dependency-Track Version
4.13.2
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
17.4 alpine
Browser
Google Chrome
Checklist
- I have read and understand the contributing guidelines
- I have checked the existing issues for whether this defect was already reported
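A null-safe handling of the severity array along the lines the report proposes, written here as an added Python example (not Dependency-Track's own Java parser): entries without a type are skipped and counted rather than crashing the advisory, and the ubuntu_priority that most advisories carry in ecosystem_specific is read separately. The sample advisory is constructed; the placeholder id and the placement of ecosystem_specific inside affected[] (per the OSV schema) are assumptions.

```python
from typing import Any

# Constructed sample with the shape of the Ubuntu advisories quoted in the
# report: a proper CVSS entry plus a bare {"score": "low"} entry with no "type".
# The id is a placeholder, not a real advisory.
SAMPLE_ADVISORY: dict[str, Any] = {
    "id": "UBUNTU-CVE-0000-00000",
    "severity": [
        {"type": "CVSS_V3",
         "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},
        {"score": "low"},
    ],
    "affected": [{"ecosystem_specific": {"ubuntu_priority": "low"}}],
}

# Severity types defined by the OSV schema; anything else is not a CVSS vector.
KNOWN_TYPES = {"CVSS_V2", "CVSS_V3", "CVSS_V4"}


def parse_severity(advisory: dict[str, Any]) -> tuple[dict[str, str], list[Any]]:
    """Return ({severity_type: score}, [skipped entries]) without ever
    dereferencing a missing "type", the case that crashed the parser."""
    parsed: dict[str, str] = {}
    skipped: list[Any] = []
    for entry in advisory.get("severity") or []:
        if not isinstance(entry, dict):
            skipped.append(entry)
            continue
        sev_type, score = entry.get("type"), entry.get("score")
        # The null check that was missing before equalsIgnoreCase() in the report.
        if not isinstance(sev_type, str) or not isinstance(score, str):
            skipped.append(entry)
            continue
        sev_type = sev_type.upper()
        if sev_type not in KNOWN_TYPES:
            skipped.append(entry)
            continue
        parsed[sev_type] = score
    return parsed, skipped


def ubuntu_priorities(advisory: dict[str, Any]) -> list[str]:
    """Collect affected[].ecosystem_specific.ubuntu_priority, where the report
    says most Ubuntu advisories carry the priority instead."""
    out: list[str] = []
    for affected in advisory.get("affected") or []:
        spec = affected.get("ecosystem_specific") if isinstance(affected, dict) else None
        prio = spec.get("ubuntu_priority") if isinstance(spec, dict) else None
        if isinstance(prio, str):
            out.append(prio)
    return out
```

Logging the skipped entries per advisory gives a count of malformed severity items per ecosystem, which is the signal the DEBUG log above lacks.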