fix: resolve NPE when processing CVE-2025-2682 (#7558)

jeremylong · web-flow · commit 686e1cfd0a33 · 2025-03-30T06:15:49.000-04:00
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java b/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
@@ -1090,7 +1090,7 @@ public void updateVulnerability(DefCveItem cve, String baseEcosystem) {
         clearCache();
         final String cveId = cve.getCve().getId();
         try {
-            if (cve.getCve().getVulnStatus().toUpperCase().startsWith("REJECT")) {
+            if (cve.getCve().getVulnStatus() != null && cve.getCve().getVulnStatus().toUpperCase().startsWith("REJECT")) {
                 deleteVulnerability(cveId);
             } else {
                 if (cveItemConverter.testCveCpeStartWithFilter(cve)) {
