fix: npe when processing cve with empty configuration (#7888)

Author: timnieder

core/src/main/java/org/owasp/dependencycheck/data/nvd/ecosystem/CveEcosystemMapper.java

@@ -84,6 +84,7 @@ public String getEcosystem(DefCveItem cve) {
     private boolean hasMultipleVendorProductConfigurations(DefCveItem cve) {
         if (cve.getCve().getConfigurations() != null && !cve.getCve().getConfigurations().isEmpty()) {
             final List<CpeMatch> cpeEntries = cve.getCve().getConfigurations().stream()
+                    .filter(config -> config.getNodes() != null)
                     .map(Config::getNodes)
                     .flatMap(List::stream)
                     .filter(cpe -> cpe.getCpeMatch() != null)

core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java

@@ -1611,6 +1611,7 @@ private List<VulnerableSoftware> parseCpes(DefCveItem cve) throws CpeValidationE
         final List<VulnerableSoftware> software = new ArrayList<>();
 
         final List<CpeMatch> cpeEntries = cve.getCve().getConfigurations().stream()
+                .filter(config -> config.getNodes() != null)
                 .map(Config::getNodes)
                 .flatMap(List::stream)
                 .map(Node::getCpeMatch)

core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperator.java

@@ -222,6 +222,7 @@ boolean testCveCpeStartWithFilter(final DefCveItem cve) {
         if (cve.getCve().getConfigurations() != null) {
             //cycle through to see if this is a CPE we care about (use the CPE filters
             return cve.getCve().getConfigurations().stream()
+                    .filter(config -> config.getNodes() != null)
                     .map(Config::getNodes)
                     .flatMap(List::stream)
                     .filter(Objects::nonNull)