From 2d7a916b132ca6f9ab2110fb38555b3a42cd1b94 Mon Sep 17 00:00:00 2001
From: Theauditor <228822721+TheAuditorTool@users.noreply.github.com>
Date: Mon, 13 Apr 2026 02:30:23 +0700
Subject: [PATCH] fix: use classpath constant for commercial average template resource lookup (#268)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

BenchmarkScore.java:965 passed scoreCardDir (a java.io.File representing the filesystem output directory) to getResourceAsStream(), which expects a classpath resource path. With the default config (resultsfileordir: "results"), File.toString() accidentally produces "scorecard" — matching the classpath prefix. But any nested resultsfileordir path (e.g. "some/dir/results") causes getParent() to return a non-null prefix, producing an invalid classpath like "some/dir/scorecard/commercialAveTemplate.html", which resolves to null and throws NullPointerException.

Fix: use the SCORECARDDIRNAME constant ("scorecard"), consistent with ToolReport.java:64 and the vulntemplate loading at line 910.
---
 .../owasp/benchmarkutils/score/BenchmarkScore.java | 2 +-
 .../benchmarkutils/score/BenchmarkScoreTest.java | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/BenchmarkScore.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/BenchmarkScore.java
index ca832fad..68f9f695 100644
--- a/plugin/src/main/java/org/owasp/benchmarkutils/score/BenchmarkScore.java
+++ b/plugin/src/main/java/org/owasp/benchmarkutils/score/BenchmarkScore.java
@@ -962,7 +962,7 @@ private static void generateVulnerabilityScorecards(
 + commercialAveragesTable.filename());
 // Resources in a jar file have to be loaded as streams. Not directly as Files.
 InputStream vulnTemplateStream =
- CL.getResourceAsStream(scoreCardDir + "/commercialAveTemplate.html");
+ CL.getResourceAsStream(SCORECARDDIRNAME + "/commercialAveTemplate.html");
 String html = IOUtils.toString(vulnTemplateStream, StandardCharsets.UTF_8);
 html = html.replace("${testsuite}", BenchmarkScore.TESTSUITENAME.fullName());
 html = html.replace("${version}", TESTSUITEVERSION);
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/BenchmarkScoreTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/BenchmarkScoreTest.java
index bc1989cc..129cf81f 100644
--- a/plugin/src/test/java/org/owasp/benchmarkutils/score/BenchmarkScoreTest.java
+++ b/plugin/src/test/java/org/owasp/benchmarkutils/score/BenchmarkScoreTest.java
@@ -18,9 +18,11 @@ package org.owasp.benchmarkutils.score;
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
 import java.io.PrintStream;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
@@ -109,4 +111,16 @@ void throwsExceptionAndInformsAboutUsageOnTwoElementsArraySecondNull() {
 expectUsageMessage();
 }
+
+ @Test
+ void commercialAveTemplateResolvesViaClasspathConstant() {
+ String resourcePath =
+ BenchmarkScore.SCORECARDDIRNAME + "/commercialAveTemplate.html";
+ InputStream stream =
+ BenchmarkScore.class.getClassLoader().getResourceAsStream(resourcePath);
+
+ assertNotNull(
+ stream,
+ "commercialAveTemplate.html must be loadable via SCORECARDDIRNAME classpath lookup");
+ }
 }
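Review bot: The new side still hands `vulnTemplateStream` straight to `IOUtils.toString` with no null check and never closes it, so a missing or renamed `commercialAveTemplate.html` fails with the same NullPointerException the commit describes (just on a different path), and a stream opened from a jar entry is leaked on every call. `ClassLoader.getResourceAsStream` returns null rather than throwing, so the lookup should fail loudly with the path it tried, and the stream belongs in try-with-resources. generateVulnerabilityScorecards starts and ends outside this hunk; the commit message says the vulntemplate load near line 910 uses the same pattern, so it presumably wants the same treatment, but that code is not visible here.
```java
            // … unchanged: commercialAveragesTable filename handling …
            // Resources in a jar file have to be loaded as streams. Not directly as Files.
            String templatePath = SCORECARDDIRNAME + "/commercialAveTemplate.html";
            String html;
            try (InputStream vulnTemplateStream = CL.getResourceAsStream(templatePath)) {
                if (vulnTemplateStream == null) {
                    throw new IllegalStateException("Missing classpath resource: " + templatePath);
                }
                html = IOUtils.toString(vulnTemplateStream, StandardCharsets.UTF_8);
            }
            html = html.replace("${testsuite}", BenchmarkScore.TESTSUITENAME.fullName());
            // … unchanged: ${version} substitution and the rest of the method …
```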
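Review bot: The new test only proves that the template exists on the test classpath under `SCORECARDDIRNAME + "/commercialAveTemplate.html"`; it never runs generateVulnerabilityScorecards with a nested resultsfileordir, so reintroducing the `scoreCardDir + ...` lookup the commit removes would still pass it. It also leaks the stream it opens; wrap it as `try (InputStream stream = BenchmarkScore.class.getClassLoader().getResourceAsStream(resourcePath)) { assertNotNull(stream, "commercialAveTemplate.html must be loadable via SCORECARDDIRNAME classpath lookup"); }`. A regression test that drives the scorecard generation with a path like "some/dir/results" would pin the bug actually fixed here, if the method's other inputs can be stubbed — I cannot tell from this hunk.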