authorJulien HENRY <julien.henry@sonarsource.com>2024-10-28 12:56:36 +0100
committersonartech <sonartech@sonarsource.com>2024-10-29 20:02:49 +0000
commit122be7bb5860e7d4d643fbce2e5d5b153da8714c (patch)
tree5bdee4e1f4cfeb2bd0516e8d398c11aedf91f7ed /server/sonar-ce-task-projectanalysis
parent62721916c9f1e0b2ca9a6fa3a3fbc3907834f531 (diff)
downloadsonarqube-122be7bb5860e7d4d643fbce2e5d5b153da8714c.tar.gz
sonarqube-122be7bb5860e7d4d643fbce2e5d5b153da8714c.zip
SONAR-23485 Fix NPE when importing FOSSA CVEs
Make published_at and last_modified_at nullable
Diffstat (limited to 'server/sonar-ce-task-projectanalysis')
-rw-r--r--server/sonar-ce-task-projectanalysis/src/it/java/org/sonar/ce/task/projectanalysis/step/PersistCveStepIT.java40
-rw-r--r--server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/PersistCveStep.java36
2 files changed, 45 insertions, 31 deletions
diff --git a/server/sonar-ce-task-projectanalysis/src/it/java/org/sonar/ce/task/projectanalysis/step/PersistCveStepIT.java b/server/sonar-ce-task-projectanalysis/src/it/java/org/sonar/ce/task/projectanalysis/step/PersistCveStepIT.java
index ad030ca4d77..faca0e5bfe6 100644
--- a/server/sonar-ce-task-projectanalysis/src/it/java/org/sonar/ce/task/projectanalysis/step/PersistCveStepIT.java
+++ b/server/sonar-ce-task-projectanalysis/src/it/java/org/sonar/ce/task/projectanalysis/step/PersistCveStepIT.java
@@ -67,12 +67,14 @@ class PersistCveStepIT {
void execute_shouldInsertNewCVEs() {
Cve cve1 = buildCve("1").build();
Cve cve2 = buildCve("2").build();
- batchReportReader.putCves(List.of(cve1, cve2));
+ Cve cveAllOptionalEmpty = Cve.newBuilder().setCveId("CVE-empty").setDescription("Empty CVE").build();
+ batchReportReader.putCves(List.of(cve1, cve2, cveAllOptionalEmpty));
persistCveStep.execute(new TestComputationStepContext());
assertCvePersistedInDatabase(cve1);
assertCvePersistedInDatabase(cve2);
+ assertCvePersistedInDatabase(cveAllOptionalEmpty);
}
private void assertCvePersistedInDatabase(Cve cve) {
@@ -80,11 +82,31 @@ class PersistCveStepIT {
.orElseGet(() -> fail(String.format("CVE with id %s not found", cve.getCveId())));
assertThat(cveDto.id()).isEqualTo(cve.getCveId());
assertThat(cveDto.description()).isEqualTo(cve.getDescription());
- assertThat(cveDto.cvssScore()).isEqualTo(cve.getCvssScore());
- assertThat(cveDto.epssScore()).isEqualTo(cve.getEpssScore());
- assertThat(cveDto.epssPercentile()).isEqualTo(cve.getEpssPercentile());
- assertThat(cveDto.publishedAt()).isEqualTo(cve.getPublishedDate());
- assertThat(cveDto.lastModifiedAt()).isEqualTo(cve.getLastModifiedDate());
+ if (cve.hasCvssScore()) {
+ assertThat(cveDto.cvssScore()).isEqualTo(cve.getCvssScore());
+ } else {
+ assertThat(cveDto.cvssScore()).isNull();
+ }
+ if (cve.hasEpssScore()) {
+ assertThat(cveDto.epssScore()).isEqualTo(cve.getEpssScore());
+ } else {
+ assertThat(cveDto.epssScore()).isNull();
+ }
+ if (cve.hasEpssPercentile()) {
+ assertThat(cveDto.epssPercentile()).isEqualTo(cve.getEpssPercentile());
+ } else {
+ assertThat(cveDto.epssPercentile()).isNull();
+ }
+ if (cve.hasPublishedDate()) {
+ assertThat(cveDto.publishedAt()).isEqualTo(cve.getPublishedDate());
+ } else {
+ assertThat(cveDto.publishedAt()).isNull();
+ }
+ if (cve.hasLastModifiedDate()) {
+ assertThat(cveDto.lastModifiedAt()).isEqualTo(cve.getLastModifiedDate());
+ } else {
+ assertThat(cveDto.lastModifiedAt()).isNull();
+ }
assertThat(cveDto.uuid()).isNotBlank();
assertThat(cveDto.createdAt()).isNotNull();
assertThat(cveDto.updatedAt()).isNotNull();
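Review bot: The five `if (cve.hasX()) … else … isNull()` blocks added to assertCvePersistedInDatabase all have the same shape and each could collapse to one assertion that mirrors the production mapping one-for-one, e.g. `assertThat(cveDto.cvssScore()).isEqualTo(cve.hasCvssScore() ? cve.getCvssScore() : null);`. AssertJ's isEqualTo(null) only passes when the actual value is null, so the else branches are preserved and the helper shrinks from 25 lines to 5. assertCvePersistedInDatabase's signature sits in the previous hunk, outside this one.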
@@ -92,8 +114,8 @@ class PersistCveStepIT {
@Test
void execute_shoudUpdateExistingCves() {
- dbClient.cveDao().insert(dbSession, new CveDto("cve-uuid-1", "CVE-1", "Old description 1", 0.0F, 0.0F, 0.0F, 0L, 0L, 0L, 0L));
- dbClient.cveDao().insert(dbSession, new CveDto("cve-uuid-2", "CVE-2", "Old description 2", 0.0F, 0.0F, 0.0F, 0L, 0L, 0L, 0L));
+ dbClient.cveDao().insert(dbSession, new CveDto("cve-uuid-1", "CVE-1", "Old description 1", 10.0, 20.0, 30.0, 0L, 0L, 0L, 0L));
+ dbClient.cveDao().insert(dbSession, new CveDto("cve-uuid-2", "CVE-2", "Old description 2", null, null, null, null, null, 0L, 0L));
db.commit();
Cve cve1 = buildCve("1").build();
Cve cve2 = buildCve("2").build();
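Review bot: As far as visible, the update path is only exercised in the direction null-in-DB → populated report: cve-uuid-2 is inserted with null scores and dates and then updated from buildCve("2"), which presumably sets every field. The reverse — an existing fully populated row (cve-uuid-1 with 10.0/20.0/30.0) updated from a report CVE whose optional fields are absent, i.e. toDtoForUpdate writing nulls over existing values — is also changed by this fix but not covered here; a case such as `Cve.newBuilder().setCveId("CVE-1").setDescription("Updated description 1").build()` against cve-uuid-1, asserted with assertCvePersistedInDatabase, would pin it. execute_shoudUpdateExistingCves continues past the end of the hunk.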
@@ -120,7 +142,7 @@ class PersistCveStepIT {
@Test
void execute_shouldUpdateExistingCwesAndInsertNewOnes_whenUpdatingCVEs() {
- dbClient.cveDao().insert(dbSession, new CveDto("cve-uuid-1", "CVE-1", "Old description 1", 0.0F, 0.0F, 0.0F, 0L, 0L, 0L, 0L));
+ dbClient.cveDao().insert(dbSession, new CveDto("cve-uuid-1", "CVE-1", "Old description 1", 0.0, 0.0, 0.0, 0L, 0L, 0L, 0L));
dbClient.cveCweDao().insert(dbSession, new CveCweDto("cve-uuid-1", "CWE-1"));
dbClient.cveCweDao().insert(dbSession, new CveCweDto("cve-uuid-1", "CWE-2"));
db.commit();
diff --git a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/PersistCveStep.java b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/PersistCveStep.java
index 34bd2ad9a3f..304c7280e7a 100644
--- a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/PersistCveStep.java
+++ b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/PersistCveStep.java
@@ -64,7 +64,7 @@ public class PersistCveStep implements ComputationStep {
public void execute(Context context) {
int count = 0;
try (DbSession dbSession = dbClient.openSession(false);
- CloseableIterator<ScannerReport.Cve> batchCves = batchReportReader.readCves()) {
+ CloseableIterator<ScannerReport.Cve> batchCves = batchReportReader.readCves()) {
while (batchCves.hasNext()) {
updateOrInsertCve(dbSession, batchCves.next());
count++;
@@ -91,18 +91,7 @@ public class PersistCveStep implements ComputationStep {
}
private CveDto toDtoForUpdate(ScannerReport.Cve cve, CveDto cveInDb) {
- return new CveDto(
- cveInDb.uuid(),
- cve.getCveId(),
- cve.getDescription(),
- cve.getCvssScore(),
- cve.getEpssScore(),
- cve.getEpssPercentile(),
- cve.getPublishedDate(),
- cve.getLastModifiedDate(),
- cveInDb.createdAt(),
- system2.now()
- );
+ return toDto(cve, cveInDb.uuid(), cveInDb.createdAt(), system2.now());
}
private void deleteThenInsertCwesIfUpdated(DbSession dbSession, ScannerReport.Cve scannerCve, String cveUuid) {
@@ -122,18 +111,21 @@ public class PersistCveStep implements ComputationStep {
private CveDto toDtoForInsert(ScannerReport.Cve cve) {
long now = system2.now();
+ return toDto(cve, uuidFactory.create(), now, now);
+ }
+
+ private static CveDto toDto(ScannerReport.Cve cve, String uuid, Long createdAt, Long updatedAt) {
return new CveDto(
- uuidFactory.create(),
+ uuid,
cve.getCveId(),
cve.getDescription(),
- cve.getCvssScore(),
- cve.getEpssScore(),
- cve.getEpssPercentile(),
- cve.getPublishedDate(),
- cve.getLastModifiedDate(),
- now,
- now
- );
+ cve.hasCvssScore() ? cve.getCvssScore() : null,
+ cve.hasEpssScore() ? cve.getEpssScore() : null,
+ cve.hasEpssPercentile() ? cve.getEpssPercentile() : null,
+ cve.hasPublishedDate() ? cve.getPublishedDate() : null,
+ cve.hasLastModifiedDate() ? cve.getLastModifiedDate() : null,
+ createdAt,
+ updatedAt);
}
}
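Review bot: toDto declares `Long createdAt, Long updatedAt` while both callers pass primitives (`now`, `system2.now()`, and presumably `cveInDb.createdAt()`), so the boxed parameters only add autoboxing and imply a nullability that nothing here intends; `private static CveDto toDto(ScannerReport.Cve cve, String uuid, long createdAt, long updatedAt) {` states the actual contract. The commit message names only published_at and last_modified_at as becoming nullable, yet the ternaries also hand null for cvss_score, epss_score and epss_percentile; if those columns (changed, if at all, outside this module's diffstat) are still NOT NULL, the NPE would resurface as a constraint violation at insert time, so this is worth confirming against the schema change. A short Javadoc on toDto, e.g. `/** Maps a scanner-report CVE to its DTO; optional proto fields that are unset become null rather than the proto default. */`, would record why the has-checks are required.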