Affected version: 4.0.0-beta-5+
Description:
BuildHelper.getPlugin() at line 86 calls model.getBuild() twice:
    public static Plugin getPlugin(Model model, String pluginGa) {
        Plugin plugin = getPlugin(model.getBuild(), pluginGa);
        if (model.getBuild() != null && plugin == null) {
            plugin = getPlugin(model.getBuild().getPluginManagement(), pluginGa);
        }
        return plugin;
    }
If the model is backed by a lazy-loading or mutable proxy, the two calls could return different values — e.g., the first returns null, the second returns a non-null Build. In that case, the null guard at line 87 passes, but then the non-null Build could have a PluginManagement that gets queried. Conversely, if the first call returns a non-null Build and the second returns null, line 88 would NPE on model.getBuild().getPluginManagement().
Impact: Low likelihood but a correctness concern. The result should be captured in a local variable.
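The local-variable fix suggested above, as an added example (not the Maven project's own patch). The nested types are simplified stand-ins for the Maven model classes, and the null-tolerant container lookup and the unstable model in main() are assumptions constructed for the demonstration.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified stand-ins for the Maven model types (assumptions for this example, not the real API).
public class GetPluginSingleRead {
    record Plugin(String ga) {}

    static class PluginContainer {
        final Map<String, Plugin> plugins = new HashMap<>();
    }

    static class Build extends PluginContainer {
        PluginContainer pluginManagement;
        PluginContainer getPluginManagement() { return pluginManagement; }
    }

    interface Model { Build getBuild(); }

    // Assumed null-tolerant lookup, mirroring how the reported code passes a possibly-null Build.
    static Plugin getPlugin(PluginContainer container, String pluginGa) {
        return container == null ? null : container.plugins.get(pluginGa);
    }

    // Reads getBuild() exactly once, so the null check and the dereference see the same value.
    static Plugin getPlugin(Model model, String pluginGa) {
        Build build = model.getBuild();
        Plugin plugin = getPlugin(build, pluginGa);
        if (build != null && plugin == null) {
            plugin = getPlugin(build.getPluginManagement(), pluginGa);
        }
        return plugin;
    }

    public static void main(String[] args) {
        Build build = new Build();
        build.pluginManagement = new PluginContainer();
        build.pluginManagement.plugins.put("g:a", new Plugin("g:a"));

        // Constructed unstable model: non-null Build on the first read, null afterwards.
        int[] reads = {0};
        Model flaky = () -> reads[0]++ == 0 ? build : null;

        Plugin found = getPlugin(flaky, "g:a");
        System.out.println(found + " after " + reads[0] + " read(s) of getBuild()");
    }
}
```

With the reported version of the method, the same unstable model would be read three times and the third read would dereference null.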