Merge pull request #1847 from DependencyTrack/add-null-checks-in-nvd-parser

Author: nscuro

mirror-service/src/main/java/org/dependencytrack/vulnmirror/datasource/nvd/NvdToCyclonedxParser.java

@@ -131,12 +131,14 @@ private static List<CpeMatch> extractCpeMatches(final String cveId, final List<C
                 // We can't compute negation.
                 .filter(config -> config.getNegate() == null || !config.getNegate())
                 .map(Config::getNodes)
+                .filter(Objects::nonNull)
                 .flatMap(Collection::stream)
                 // We can't compute negation.
                 .filter(node -> node.getNegate() == null || !node.getNegate())
                 .filter(node -> node.getCpeMatch() != null)
-                .map(node -> extractCpeMatchesFromNode(cveId, node))
+                .map(node -> Optional.ofNullable(extractCpeMatchesFromNode(cveId, node)).orElse(List.of()))
                 .flatMap(Collection::stream)
+                .filter(Objects::nonNull)
                 // We currently have no interest in non-vulnerable versions.
                 .filter(cpeMatch -> cpeMatch.getVulnerable() == null || cpeMatch.getVulnerable())
                 .toList();
@@ -370,9 +372,11 @@ private static List<Integer> parseCwes(List<Weakness> weaknesses) {
 
     private static List<ExternalReference> parseReferences(List<Reference> references) {
         List<ExternalReference> externalReferences = new ArrayList<>();
-        references.forEach(reference -> externalReferences.add(ExternalReference.newBuilder()
-                .setUrl(reference.getUrl())
-                .build()));
+        if (references != null) {
+            references.forEach(reference -> externalReferences.add(ExternalReference.newBuilder()
+                    .setUrl(reference.getUrl())
+                    .build()));
+        }
         return externalReferences;
     }