Fix null pointer exceptions in session metadata filtering and scan results

Addressed two NPE issues identified by codex autonomous agent:

1. **AssessService** (mcp-d7h): Fixed NullPointerException in search_app_vulnerabilities
   when sessionMetadataValue or metadataItem.getValue() is null.
   - Treat null sessionMetadataValue as wildcard (match on name only)
   - Add null check for metadataItem.getValue() before equalsIgnoreCase
   - Added 2 unit tests covering both null scenarios

2. **SastService** (mcp-dvf): Fixed NullPointerException in get_scan_results when
   project.lastScanId() is null (common for projects with no completed scans).
   - Check if lastScanId is null before calling scans.get()
   - Check if scan is null after retrieval
   - Return descriptive IOException with clear user-facing message
   - Updated existing test + added new test for null scan scenario

All 272 unit tests passing.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: ChrisEdwards

src/main/java/com/contrast/labs/ai/mcp/contrast/AssessService.java

@@ -789,8 +789,18 @@ public PaginatedResponse<VulnLight> searchAppVulnerabilities(
           if (vuln.sessionMetadata() != null) {
             for (SessionMetadata sm : vuln.sessionMetadata()) {
               for (MetadataItem metadataItem : sm.getMetadata()) {
-                if (metadataItem.getDisplayLabel().equalsIgnoreCase(sessionMetadataName)
-                    && metadataItem.getValue().equalsIgnoreCase(sessionMetadataValue)) {
+                // Match on display label (required)
+                var nameMatches =
+                    metadataItem.getDisplayLabel().equalsIgnoreCase(sessionMetadataName);
+
+                // If sessionMetadataValue is null, treat as wildcard (match name only)
+                // Otherwise, both name and value must match
+                var valueMatches =
+                    sessionMetadataValue == null
+                        || (metadataItem.getValue() != null
+                            && metadataItem.getValue().equalsIgnoreCase(sessionMetadataValue));
+
+                if (nameMatches && valueMatches) {
                   filteredVulns.add(vuln);
                   log.debug(
                       "Found matching vulnerability with ID: {} for session metadata {}={}",

src/main/java/com/contrast/labs/ai/mcp/contrast/SastService.java

@@ -93,10 +93,29 @@ public String getLatestScanResult(String projectName) throws IOException {
               .orElseThrow(() -> new IOException("Project not found"));
       log.debug("Found project with id: {}", project.id());
 
+      // Check if project has any completed scans
+      if (project.lastScanId() == null) {
+        var errorMsg =
+            String.format(
+                "No scan results available for project: %s. Project exists but has no completed"
+                    + " scans.",
+                projectName);
+        log.warn(errorMsg);
+        throw new IOException(errorMsg);
+      }
+
       var scans = contrastSDK.scan(orgID).scans(project.id());
       log.debug("Retrieved scans for project, last scan id: {}", project.lastScanId());
 
       var scan = scans.get(project.lastScanId());
+      if (scan == null) {
+        var errorMsg =
+            String.format(
+                "No scan results available for project: %s. Scan ID %s not found.",
+                projectName, project.lastScanId());
+        log.warn(errorMsg);
+        throw new IOException(errorMsg);
+      }
       log.debug("Retrieved scan with id: {}", project.lastScanId());
 
       try (InputStream sarifStream = scan.sarif();

src/test/java/com/contrast/labs/ai/mcp/contrast/AssessServiceTest.java

@@ -1625,6 +1625,164 @@ void searchAppVulnerabilities_should_filter_by_session_metadata_case_insensitive
     verify(mockContrastSDK).getTraces(eq(TEST_ORG_ID), eq(TEST_APP_ID), any(), any());
   }
 
+  @Test
+  void searchAppVulnerabilities_should_treat_null_sessionMetadataValue_as_wildcard_match_any_value()
+      throws Exception {
+    // Given - 3 traces with different values for same metadata name
+    var mockTraces = mock(Traces.class);
+    var traces = new ArrayList<com.contrastsecurity.models.Trace>();
+
+    // Trace 1: has "branch" metadata with value "main"
+    Trace trace1 = mock();
+    when(trace1.getTitle()).thenReturn("SQL Injection vulnerability");
+    when(trace1.getRule()).thenReturn("sql-injection");
+    when(trace1.getUuid()).thenReturn("uuid-1");
+    when(trace1.getSeverity()).thenReturn("HIGH");
+    when(trace1.getLastTimeSeen()).thenReturn(System.currentTimeMillis());
+
+    var sessionMetadata1 = mock(com.contrastsecurity.models.SessionMetadata.class);
+    var metadataItem1 = mock(com.contrastsecurity.models.MetadataItem.class);
+    when(metadataItem1.getDisplayLabel()).thenReturn("branch");
+    // No getValue() stub needed - wildcard test doesn't check values
+    when(sessionMetadata1.getMetadata()).thenReturn(List.of(metadataItem1));
+    when(trace1.getSessionMetadata()).thenReturn(List.of(sessionMetadata1));
+    traces.add(trace1);
+
+    // Trace 2: has "branch" metadata with value "develop"
+    Trace trace2 = mock();
+    when(trace2.getTitle()).thenReturn("XSS vulnerability");
+    when(trace2.getRule()).thenReturn("xss");
+    when(trace2.getUuid()).thenReturn("uuid-2");
+    when(trace2.getSeverity()).thenReturn("MEDIUM");
+    when(trace2.getLastTimeSeen()).thenReturn(System.currentTimeMillis());
+
+    var sessionMetadata2 = mock(com.contrastsecurity.models.SessionMetadata.class);
+    var metadataItem2 = mock(com.contrastsecurity.models.MetadataItem.class);
+    when(metadataItem2.getDisplayLabel()).thenReturn("branch");
+    // No getValue() stub needed - wildcard test doesn't check values
+    when(sessionMetadata2.getMetadata()).thenReturn(List.of(metadataItem2));
+    when(trace2.getSessionMetadata()).thenReturn(List.of(sessionMetadata2));
+    traces.add(trace2);
+
+    // Trace 3: has "environment" metadata (different name, should not match)
+    Trace trace3 = mock();
+    when(trace3.getTitle()).thenReturn("Command Injection vulnerability");
+    when(trace3.getRule()).thenReturn("cmd-injection");
+    when(trace3.getUuid()).thenReturn("uuid-3");
+    when(trace3.getSeverity()).thenReturn("CRITICAL");
+    when(trace3.getLastTimeSeen()).thenReturn(System.currentTimeMillis());
+
+    var sessionMetadata3 = mock(com.contrastsecurity.models.SessionMetadata.class);
+    var metadataItem3 = mock(com.contrastsecurity.models.MetadataItem.class);
+    when(metadataItem3.getDisplayLabel()).thenReturn("environment");
+    // No getValue() stub needed - name doesn't match so value never checked
+    when(sessionMetadata3.getMetadata()).thenReturn(List.of(metadataItem3));
+    when(trace3.getSessionMetadata()).thenReturn(List.of(sessionMetadata3));
+    traces.add(trace3);
+
+    when(mockTraces.getTraces()).thenReturn(traces);
+
+    // Mock SDK to return all 3 traces
+    when(mockContrastSDK.getTraces(eq(TEST_ORG_ID), eq(TEST_APP_ID), any(), any()))
+        .thenReturn(mockTraces);
+
+    // When - search with sessionMetadataName but NULL sessionMetadataValue (wildcard)
+    var result =
+        assessService.searchAppVulnerabilities(
+            TEST_APP_ID,
+            1, // page
+            50, // pageSize
+            null,
+            null,
+            null,
+            null,
+            null,
+            null,
+            null,
+            "branch", // sessionMetadataName
+            null, // sessionMetadataValue = null (wildcard, match any value)
+            null);
+
+    // Then - should return traces 1 and 2 (both have "branch" metadata, regardless of value)
+    assertThat(result.items()).hasSize(2);
+    assertThat(result.items().get(0).vulnID()).isEqualTo("uuid-1");
+    assertThat(result.items().get(1).vulnID()).isEqualTo("uuid-2");
+    assertThat(result.totalItems()).isEqualTo(2);
+
+    // Verify SDK was called
+    verify(mockContrastSDK).getTraces(eq(TEST_ORG_ID), eq(TEST_APP_ID), any(), any());
+  }
+
+  @Test
+  void searchAppVulnerabilities_should_handle_metadata_item_with_null_value() throws Exception {
+    // Given - traces with metadata items that have null values
+    var mockTraces = mock(Traces.class);
+    var traces = new ArrayList<com.contrastsecurity.models.Trace>();
+
+    // Trace 1: has "branch" metadata with NULL value
+    Trace trace1 = mock();
+    when(trace1.getTitle()).thenReturn("SQL Injection vulnerability");
+    when(trace1.getRule()).thenReturn("sql-injection");
+    when(trace1.getUuid()).thenReturn("uuid-1");
+    when(trace1.getSeverity()).thenReturn("HIGH");
+    when(trace1.getLastTimeSeen()).thenReturn(System.currentTimeMillis());
+
+    var sessionMetadata1 = mock(com.contrastsecurity.models.SessionMetadata.class);
+    var metadataItem1 = mock(com.contrastsecurity.models.MetadataItem.class);
+    when(metadataItem1.getDisplayLabel()).thenReturn("branch");
+    when(metadataItem1.getValue()).thenReturn(null); // NULL value
+    when(sessionMetadata1.getMetadata()).thenReturn(List.of(metadataItem1));
+    when(trace1.getSessionMetadata()).thenReturn(List.of(sessionMetadata1));
+    traces.add(trace1);
+
+    // Trace 2: has "branch" metadata with actual value "main"
+    Trace trace2 = mock();
+    when(trace2.getTitle()).thenReturn("XSS vulnerability");
+    when(trace2.getRule()).thenReturn("xss");
+    when(trace2.getUuid()).thenReturn("uuid-2");
+    when(trace2.getSeverity()).thenReturn("MEDIUM");
+    when(trace2.getLastTimeSeen()).thenReturn(System.currentTimeMillis());
+
+    var sessionMetadata2 = mock(com.contrastsecurity.models.SessionMetadata.class);
+    var metadataItem2 = mock(com.contrastsecurity.models.MetadataItem.class);
+    when(metadataItem2.getDisplayLabel()).thenReturn("branch");
+    when(metadataItem2.getValue()).thenReturn("main");
+    when(sessionMetadata2.getMetadata()).thenReturn(List.of(metadataItem2));
+    when(trace2.getSessionMetadata()).thenReturn(List.of(sessionMetadata2));
+    traces.add(trace2);
+
+    when(mockTraces.getTraces()).thenReturn(traces);
+
+    // Mock SDK to return both traces
+    when(mockContrastSDK.getTraces(eq(TEST_ORG_ID), eq(TEST_APP_ID), any(), any()))
+        .thenReturn(mockTraces);
+
+    // When - search with specific value "main"
+    var result =
+        assessService.searchAppVulnerabilities(
+            TEST_APP_ID,
+            1, // page
+            50, // pageSize
+            null,
+            null,
+            null,
+            null,
+            null,
+            null,
+            null,
+            "branch", // sessionMetadataName
+            "main", // sessionMetadataValue = "main"
+            null);
+
+    // Then - should return only trace 2 (trace 1 has null value, doesn't match "main")
+    assertThat(result.items()).hasSize(1);
+    assertThat(result.items().get(0).vulnID()).isEqualTo("uuid-2");
+    assertThat(result.totalItems()).isEqualTo(1);
+
+    // Verify SDK was called and no NullPointerException occurred
+    verify(mockContrastSDK).getTraces(eq(TEST_ORG_ID), eq(TEST_APP_ID), any(), any());
+  }
+
   @Test
   void searchAppVulnerabilities_should_pass_all_standard_filters_to_SDK() throws Exception {
     // Given

src/test/java/com/contrast/labs/ai/mcp/contrast/SastServiceTest.java

@@ -185,7 +185,7 @@ void getLatestScanResult_should_throw_IOException_when_project_not_found() throw
   }
 
   @Test
-  void getLatestScanResult_should_throw_exception_when_lastScanId_is_null() throws IOException {
+  void getLatestScanResult_should_throw_IOException_when_lastScanId_is_null() throws IOException {
     // Arrange
     var projectName = "project-without-scans";
     var mockProject = mock(Project.class);
@@ -205,7 +205,38 @@ void getLatestScanResult_should_throw_exception_when_lastScanId_is_null() throws
 
       // Act & Assert
       assertThatThrownBy(() -> sastService.getLatestScanResult(projectName))
-          .isInstanceOf(NullPointerException.class);
+          .isInstanceOf(IOException.class)
+          .hasMessageContaining("No scan results available")
+          .hasMessageContaining("has no completed scans");
+    }
+  }
+
+  @Test
+  void getLatestScanResult_should_throw_IOException_when_scan_is_null() throws IOException {
+    // Arrange
+    var projectName = "test-project";
+    var mockProject = mock(Project.class);
+    var scanId = "scan-123";
+
+    when(mockProject.name()).thenReturn(projectName);
+    when(mockProject.id()).thenReturn("project-123");
+    when(mockProject.lastScanId()).thenReturn(scanId);
+
+    try (MockedStatic<SDKHelper> sdkHelper = mockStatic(SDKHelper.class)) {
+      sdkHelper
+          .when(() -> SDKHelper.getSDK(any(), any(), any(), any(), any(), any()))
+          .thenReturn(contrastSDK);
+      when(contrastSDK.scan(any())).thenReturn(scanManager);
+      when(scanManager.projects()).thenReturn(projects);
+      when(scanManager.scans(any())).thenReturn(scans);
+      when(projects.findByName(projectName)).thenReturn(Optional.of(mockProject));
+      when(scans.get(scanId)).thenReturn(null);
+
+      // Act & Assert
+      assertThatThrownBy(() -> sastService.getLatestScanResult(projectName))
+          .isInstanceOf(IOException.class)
+          .hasMessageContaining("No scan results available")
+          .hasMessageContaining("Scan ID " + scanId + " not found");
     }
   }