NullPointerException with "Failed to process CVE-2022-38176" when processing NVD API data

**Describe the bug**

During a regular run ODC logged the below

```
Failed to process CVE-2022-38176
java.lang.NullPointerException
	at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273)
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
	at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
	at java.base/java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1685)
	at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:280)
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
	at java.base/java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1685)
	at java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:129)
	at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:527)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:513)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
	at java.base/java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:230)
	at java.base/java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:196)
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.base/java.util.stream.ReferencePipeline.anyMatch(ReferencePipeline.java:632)
	at org.owasp.dependencycheck.data.nvdcve.CveItemOperator.testCveCpeStartWithFilter(CveItemOperator.java:229)
	at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability(CveDB.java:1096)
	at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.updateCveDb(NvdApiProcessor.java:119)
	at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call(NvdApiProcessor.java:96)
	at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call(NvdApiProcessor.java:40)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
	at java.base/java.lang.Thread.run(Thread.java:1583)
```

The run otherwise continued without issue.

https://nvd.nist.gov/vuln/detail/CVE-2022-38176#VulnChangeHistorySection

Not sure what caused the NPE, at time of writing the CPE looks like the below and claims it has a CPE deprecation remap however the "old" and "new" CPEs are identical:

![image](https://github.com/user-attachments/assets/98d243db-66a2-40e0-ae58-0d95f30c898c)

Looks similar to https://github.com/jeremylong/DependencyCheck/issues/6913 and not really sure how the NPE is happening given the code below, unless there is multiple threads acting on the same CPE object.

https://github.com/jeremylong/DependencyCheck/blob/59147b0af151676b46a3116a270f7bd785afb838/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperator.java#L228-L229

**Version of dependency-check used**
11.0.0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

NullPointerException with "Failed to process CVE-2022-38176" when processing NVD API data #7121

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

NullPointerException with "Failed to process CVE-2022-38176" when processing NVD API data #7121

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions