Fix NPE when cloning projects with broken dependency graph

Fixes #4413 Signed-off-by: nscuro <nscuro@protonmail.com>
2025-10-19 16:03:19 +00:00 · 2024-11-27 19:51:50 +01:00 · 2024-11-27 19:51:50 +01:00 · 297b192f91
commit 297b192f91
parent 193d0f9c93
2 changed files with 68 additions and 2 deletions
--- a/src/main/java/org/dependencytrack/persistence/ProjectQueryManager.java
+++ b/src/main/java/org/dependencytrack/persistence/ProjectQueryManager.java
@ -711,7 +711,19 @@ final class ProjectQueryManager extends QueryManager implements IQueryManager {
                String directDependencies = project.getDirectDependencies();
                for (final UUID sourceComponentUuid : projectDirectDepsSourceComponentUuids) {
                    final UUID clonedComponentUuid = clonedComponentUuidBySourceComponentUuid.get(sourceComponentUuid);
-                    directDependencies = directDependencies.replace(sourceComponentUuid.toString(), clonedComponentUuid.toString());
+                    if (clonedComponentUuid != null) {
+                        directDependencies = directDependencies.replace(
+                                sourceComponentUuid.toString(), clonedComponentUuid.toString());
+                    } else {
+                        // NB: This may happen when the source project itself is a clone,
+                        // and it was cloned before DT v4.12.0.
+                        // https://github.com/DependencyTrack/dependency-track/pull/4171
+                        LOGGER.warn("""
+                                The source project's directDependencies refer to a component with UUID \
+                                %s, which does not exist in the project. The cloned project's dependency graph \
+                                may be broken as a result. A BOM upload will resolve the issue.\
+                                """.formatted(sourceComponentUuid));
+                    }
                }

                project.setDirectDependencies(directDependencies);
@ -724,7 +736,16 @@ final class ProjectQueryManager extends QueryManager implements IQueryManager {
                String directDependencies = component.getDirectDependencies();
                for (final UUID sourceComponentUuid : sourceComponentUuids) {
                    final UUID clonedComponentUuid = clonedComponentUuidBySourceComponentUuid.get(sourceComponentUuid);
-                    directDependencies = directDependencies.replace(sourceComponentUuid.toString(), clonedComponentUuid.toString());
+                    if (clonedComponentUuid != null) {
+                        directDependencies = directDependencies.replace(
+                                sourceComponentUuid.toString(), clonedComponentUuid.toString());
+                    } else {
+                        LOGGER.warn("""
+                                The directDependencies of component %s refer to a component with UUID \
+                                %s, which does not exist in the source project. The cloned project's dependency graph \
+                                may be broken as a result. A BOM upload will resolve the issue.\
+                                """.formatted(component, sourceComponentUuid));
+                    }
                }

                component.setDirectDependencies(directDependencies);