Fix: NullPointerException on Commercial Average Scorecard (#268)#287
Open
TheAuditorTool wants to merge 1 commit intoOWASP-Benchmark:mainfrom
Open
Fix: NullPointerException on Commercial Average Scorecard (#268)#287TheAuditorTool wants to merge 1 commit intoOWASP-Benchmark:mainfrom
TheAuditorTool wants to merge 1 commit intoOWASP-Benchmark:mainfrom
Conversation
TheAuditorTool
force-pushed
the
fix/268-npe-commercial-ave-scorecard
branch
from
19f97d1 to
923ced1
Compare
Contributor
|
@davewichers as noted by @TheAuditorTool, this is a symptom fix (just like the one described in the issue). This PR is probably a little cleaner than the issue, but as described, it will not fix the actual cause. We should clarify the expected behaviour some day. |
…lookup (OWASP-Benchmark#268) BenchmarkScore.java:965 passed scoreCardDir (a java.io.File representing the filesystem output directory) to getResourceAsStream(), which expects a classpath resource path. With the default config (resultsfileordir: "results"), File.toString() accidentally produces "scorecard" — matching the classpath prefix. But any nested resultsfileordir path (e.g. "some/dir/results") causes getParent() to return a non-null prefix, producing an invalid classpath like "some/dir/scorecard/commercialAveTemplate.html", which resolves to null and throws NullPointerException. Fix: use the SCORECARDDIRNAME constant ("scorecard"), consistent with ToolReport.java:64 and the vulntemplate loading at line 910.
TheAuditorTool
force-pushed
the
fix/268-npe-commercial-ave-scorecard
branch
from
923ced1 to
2d7a916
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix: NullPointerException on Commercial Average Scorecard (#268)
Closes #268
What Changed
One line in
plugin/src/main/java/org/owasp/benchmarkutils/score/BenchmarkScore.java(line 965):Why It Was Broken
scoreCardDiris ajava.io.Fileobject representing the filesystem output directory.getResourceAsStream()expects a classpath resource path. These are two completely different things.When Java evaluates
scoreCardDir + "/commercialAveTemplate.html", it callsFile.toString(), which returns a filesystem path. That filesystem path gets passed togetResourceAsStream(), which looks for it on the classpath, doesn't find it, and returnsnull. ThenIOUtils.toString(null)throws the NullPointerException.Why It Worked Before (By Accident)
With the default config (
resultsfileordir: "results"):new File("results").getParent()returnsnullbecause"results"is a single path component with no parent directorynew File(null, "scorecard")collapses to justFile("scorecard")File("scorecard").toString()produces"scorecard"getResourceAsStream("scorecard/commercialAveTemplate.html")finds the resource because it happens to live at that classpathThe filesystem directory name and the classpath resource path matched by pure coincidence.
Why It Breaks With Nested Paths
When a user provides a nested
resultsfileordirin their YAML config (e.g."some/dir/results"):new File("some/dir/results").getParent()returns"some/dir"scoreCardDirbecomesFile("some/dir/scorecard")scoreCardDir.toString()produces"some/dir/scorecard"getResourceAsStream("some/dir/scorecard/commercialAveTemplate.html")finds nothing, returnsnull, and the NPE followsThis is why Dave and darkspirit510 could not reproduce it. They tested with the default config, which has no nested path.
Why The Reporter's Original Patch Was Symptom-Only
The reporter proposed hardcoding
"scorecard/commercialAveTemplate.html". That would fix the NPE, but as darkspirit510 correctly noted, the deeper issue is that nestedresultsfileordirpaths are not fully supported in BenchmarkUtils. This fix addresses the NPE only. Broader nested-path support is a separate effort.How The Fix Works
The codebase already has a constant
SCORECARDDIRNAME = "scorecard"(line 88) used for exactly this purpose elsewhere:SCORECARDDIRNAME + "/template.html""scorecard/vulntemplate.html"scoreCardDir + "/commercialAveTemplate.html"The fix replaces
scoreCardDirwithSCORECARDDIRNAME, making line 965 consistent with the two working patterns. The classpath lookup now always produces"scorecard/commercialAveTemplate.html"regardless of what filesystem path the user configures.