
Null reference exception during a build process - no references on CVE suspected #23

Closed
dahlsailrunner opened this issue Apr 19, 2020 · 3 comments
Labels
bug Something isn't working

Comments

@dahlsailrunner

Describe the bug
I got the following build error after I added NuGetDefense to my existing project:

1>C:\Users\dahls\OneDrive\WorkDocs\Pluralsight\SecurityAnalysisAspNetCore\m3\WiredBrain-ASP.NET\WiredBrain.CustomerPortal.AspNet\packages.config(4,4): error : 7 vulnerabilities found for bootstrap @ 3.4.1
1>C:\Users\dahls\OneDrive\WorkDocs\Pluralsight\SecurityAnalysisAspNetCore\m3\WiredBrain-ASP.NET\WiredBrain.CustomerPortal.AspNet\packages.config(4,4): error : CVE-2019-8331: In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
1>  Description: In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
1>  CVE: CVE-2019-8331
1>  CWE: CWE-79
1>  CVSS Score: 6.1
1>  CVSS Vector: NETWORK
1>  References:
1>  Unhandled exception. System.NullReferenceException: Object reference not set to an instance of an object.
1>     at NuGetDefense.Core.VulnerabilityReports.ReportVulnerabilities(Dictionary`2 vulnerabilityDictionary, IEnumerable`1 pkgs, String nuGetFile, Boolean warnOnly, Double cvss3Threshold)
1>     at NuGetDefense.Program.Main(String[] args)
1>C:\Users\dahls\OneDrive\WorkDocs\Pluralsight\SecurityAnalysisAspNetCore\m3\WiredBrain-ASP.NET\packages\NuGetDefense.1.0.4\build\nugetdefense.targets(10,5): error MSB3073: The command "dotnet "C:\Users\dahls\OneDrive\WorkDocs\Pluralsight\SecurityAnalysisAspNetCore\m3\WiredBrain-ASP.NET\packages\NuGetDefense.1.0.4\build\..\tools\netcoreapp3.1\NuGetDefense.dll" C:\Users\dahls\OneDrive\WorkDocs\Pluralsight\SecurityAnalysisAspNetCore\m3\WiredBrain-ASP.NET\WiredBrain.CustomerPortal.AspNet\WiredBrain.CustomerPortal.AspNet.csproj " exited with code -1073741819.
========== Rebuild All: 0 succeeded, 1 failed, 0 skipped ==========

To Reproduce
Steps to reproduce the behavior:

  1. Add Bootstrap v3.4.1 to a project as a NuGet package
  2. Build the project

Expected behavior
Build should complete without NuGet Defense throwing an exception.

Screenshots
If applicable, add screenshots to help explain your problem.

Tools (please complete the following information):

  • IDE: VS 2019 16.5.1
  • OS: Win 10 current

Additional context
I strongly suspect the problem is right here in NuGetDefense.Core/VulnerabilityReports.cs:

foreach (var reference in vulnerabilities[cve].References) Console.WriteLine(reference);
Console.WriteLine("---------------------------");

The output above does not show the dashed line, and if References is null that would cause the problem.

On further review, though, checking the NVD (https://nvd.nist.gov/vuln/detail/CVE-2019-8331) shows a lengthy list of references. Maybe something caused a problem parsing them? But I'd rather not throw that exception and be missing the references if the full resolution for this takes some time.

I can submit a PR for the simple change but to test it I may need some guidance / docs.

@dahlsailrunner dahlsailrunner added the bug Something isn't working label Apr 19, 2020
@digitalcoyote
Owner

I was not able to reproduce this error on Linux Mint 19.3 with .Net Core 3.1 SDK or on Windows with Visual Studio 2019. That being said, I have seen this before in testing an earlier version (wasn't able to reproduce it then either). I think that any field being null should not cause an unhandled exception. I'll have some feedback on the PR tonight. I think I want to handle more cases than just references. It is possible that future vulnerability sources could add or lack fields that are currently expected.
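
An added example (not NuGetDefense's own code) of the null-tolerant report rendering the comment above asks for, covering the missing References case from the issue body as well as any other absent field. The Vulnerability class and its property names are assumed for illustration:

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;
// Hypothetical shape of a parsed vulnerability record; a source may omit any
// field, so every one is nullable and the renderer must cope with that.
public class Vulnerability
{
    public string? Description { get; set; }
    public string? Cwe { get; set; }
    public double? Cvss3Score { get; set; }
    public string? Cvss3Vector { get; set; }
    public IEnumerable<string>? References { get; set; }
}
public static class VulnerabilityReports
{
    // Renders one CVE entry without dereferencing any field that may be null.
    public static string RenderVulnerability(string cve, Vulnerability vuln)
    {
        var lines = new List<string>
        {
            $"  Description: {vuln.Description ?? "(none provided)"}",
            $"  CVE: {cve}",
            $"  CWE: {vuln.Cwe ?? "(unknown)"}",
            $"  CVSS Score: {vuln.Cvss3Score?.ToString("0.0") ?? "(not scored)"}",
            $"  CVSS Vector: {vuln.Cvss3Vector ?? "(unknown)"}",
            "  References:"
        };
        // A null or empty References list is reported, not enumerated blindly.
        var refs = (vuln.References ?? Enumerable.Empty<string>())
            .Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => "    " + r).ToList();
        lines.AddRange(refs.Count > 0 ? refs : new List<string> { "    (no references in source data)" });
        lines.Add("  ---------------------------");
        return string.Join(Environment.NewLine, lines);
    }
    public static void Main()
    {
        // Constructed sample: References is absent entirely, the case behind this issue.
        var vuln = new Vulnerability
        {
            Description = "In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.",
            Cwe = "CWE-79",
            Cvss3Score = 6.1,
            Cvss3Vector = "NETWORK",
            References = null
        };
        Console.WriteLine(RenderVulnerability("CVE-2019-8331", vuln));
    }
}
```

With References null the entry still ends with the dashed separator line instead of an unhandled NullReferenceException.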

@dahlsailrunner
Author

Ok cool -- check out my other comment / questions on the PR in Core -- given answers I can add new PR or revise existing one with readme additions. Thanks!

@digitalcoyote
Owner

Should be taken care of in Fix for empty Ref Exception. I'll close this when it's released. Thank you @dahlsailrunner
