Describe the bug
As of the 7.4.0 release of DependencyCheck, we are encountering a NullPointerException in the NodePackageAnalyzer when the match range has a hyphen.
This is the exception I get in dependency-check when I run it against my node repository:
[WARN] An unexpected error occurred during analysis of '<redacted_path>/package-lock.json' (Node.js Package Analy
[ERROR]
java.lang.NullPointerException: Cannot invoke "String.trim()" because "value" is null
    at com.vdurmont.semver4j.Semver.<init>(Semver.java:26)
    at com.vdurmont.semver4j.Requirement.hyphenRequirement(Requirement.java:487)
    at com.vdurmont.semver4j.Requirement.evaluateReversePolishNotation(Requirement.java:338)
    at com.vdurmont.semver4j.Requirement.evaluateReversePolishNotation(Requirement.java:371)
    at com.vdurmont.semver4j.Requirement.buildWithTokenizer(Requirement.java:138)
    at com.vdurmont.semver4j.Requirement.buildNPM(Requirement.java:112)
    at com.vdurmont.semver4j.Semver.satisfies(Semver.java:167)
    at org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer.npmVersionsMatch(DependencyBundlingAnalyzer.java:629)
    at org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer.findDependency(AbstractNpmAnalyzer.java:297)
    at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.processDependencies(NodePackageAnalyzer.java:448)
    at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.processDependencies(NodePackageAnalyzer.java:396)
    at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.analyzeDependency(NodePackageAnalyzer.java:270)
I know this isn't specifically a bug in DependencyCheck, but it is causing failures in our CI process.
see: vdurmont/semver4j#63
Version of dependency-check used
version 7.4.0
To Reproduce
This class throws an NPE:

    import com.vdurmont.semver4j.Semver;

    public class Main {
        public static void main(String[] args) {
            // NPM-style parsing; the "-0" prerelease tag in the second alternative
            // is the hyphen that semver4j's hyphen-range handling trips over.
            Semver semver = new Semver("3.1.4", Semver.SemverType.NPM);
            System.out.println(semver.satisfies("^2.9.12 || ^3.0.0-0"));
        }
    }
This returns true:
$ node
Welcome to Node.js v18.8.0.
Type ".help" for more information.
> const semver = require('semver');
undefined
> semver.satisfies('3.1.4', '^2.9.12 || ^3.0.0-0');
true
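An added example, not part of the original issue and not the code of semver4j, node-semver or DependencyCheck: a small JavaScript range matcher that keeps the two meanings of `-` apart, the hyphen range `1.2.3 - 2.0.0` (whitespace on both sides of the hyphen) versus the prerelease separator in `3.0.0-0`, and evaluates the range from the report. It supports only full `major.minor.patch` versions with the operators `^`, `~`, `=`, `<`, `<=`, `>`, `>=`, hyphen ranges and `||`; the function names and sample inputs are choices made here, not anything from the page.

```javascript
// Added example, not code from the original issue, semver4j or DependencyCheck.
// Minimal npm-style range matcher that keeps the two meanings of '-' apart:
//   "1.2.3 - 2.0.0"  hyphen range (whitespace on both sides of the '-')
//   "^3.0.0-0"       a single version whose prerelease tag follows the '-'
// Only full major.minor.patch versions are supported (no x-ranges, no build metadata).

// A hyphen range is only recognised when the '-' is surrounded by whitespace,
// which is exactly what distinguishes it from a prerelease separator.
const HYPHEN_RANGE = /^\s*(\S+)\s+-\s+(\S+)\s*$/;
const VERSION = /^(\^|~|>=|<=|>|<|=)?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/;

function parseVersion(text) {
  const m = VERSION.exec(text.trim());
  if (!m) throw new Error('unsupported version or comparator: ' + text);
  return { op: m[1] || '', major: +m[2], minor: +m[3], patch: +m[4], prerelease: m[5] || null };
}

// Split on '||' and classify each alternative as a hyphen range or a
// whitespace-separated list of comparators.
function parseRange(range) {
  return range.split('||').map((alt) => {
    const hy = HYPHEN_RANGE.exec(alt);
    if (hy) {
      return { kind: 'hyphen', lower: parseVersion(hy[1]), upper: parseVersion(hy[2]) };
    }
    const comparators = alt.trim().split(/\s+/).filter(Boolean).map(parseVersion);
    return { kind: 'comparators', comparators };
  });
}

// Core version order; a prerelease sorts before the release with the same core.
// Prerelease identifiers are compared as plain strings here, which is enough for
// the numeric '0' tag npm uses as an exclusive upper bound.
function compare(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.prerelease === b.prerelease) return 0;
  if (a.prerelease === null) return 1;
  if (b.prerelease === null) return -1;
  return a.prerelease < b.prerelease ? -1 : 1;
}

// Exclusive upper bound for ^c, expressed as "<X.Y.Z-0" the way npm does it.
function caretUpperBound(c) {
  if (c.major > 0) return { major: c.major + 1, minor: 0, patch: 0, prerelease: '0' };
  if (c.minor > 0) return { major: 0, minor: c.minor + 1, patch: 0, prerelease: '0' };
  return { major: 0, minor: 0, patch: c.patch + 1, prerelease: '0' };
}

function satisfiesComparator(v, c) {
  const cmp = compare(v, c);
  switch (c.op) {
    case '': case '=': return cmp === 0;
    case '>': return cmp > 0;
    case '>=': return cmp >= 0;
    case '<': return cmp < 0;
    case '<=': return cmp <= 0;
    case '^': return cmp >= 0 && compare(v, caretUpperBound(c)) < 0;
    case '~': return cmp >= 0 &&
      compare(v, { major: c.major, minor: c.minor + 1, patch: 0, prerelease: '0' }) < 0;
    default: throw new Error('unsupported operator: ' + c.op);
  }
}

function satisfies(versionText, rangeText) {
  const v = parseVersion(versionText);
  if (v.op) throw new Error('a version must not carry an operator: ' + versionText);
  return parseRange(rangeText).some((alt) => {
    const comps = alt.kind === 'hyphen'
      ? [{ ...alt.lower, op: '>=' }, { ...alt.upper, op: '<=' }]
      : alt.comparators;
    if (!comps.every((c) => satisfiesComparator(v, c))) return false;
    // npm rule: a prerelease version only matches an alternative in which some
    // comparator names a prerelease on the same major.minor.patch.
    if (v.prerelease !== null) {
      return comps.some((c) => c.prerelease !== null &&
        c.major === v.major && c.minor === v.minor && c.patch === v.patch);
    }
    return true;
  });
}

// The range from the report: '3.0.0-0' is a prerelease, not a hyphen range.
console.log(parseRange('^2.9.12 || ^3.0.0-0').map((a) => a.kind)); // [ 'comparators', 'comparators' ]
console.log(satisfies('3.1.4', '^2.9.12 || ^3.0.0-0'));             // true
console.log(parseRange('1.2.3 - 2.0.0')[0].kind);                   // hyphen
console.log(satisfies('2.0.1', '1.2.3 - 2.0.0'));                   // false
```

The check that matters for the report is the one in `HYPHEN_RANGE`: a hyphen range needs whitespace on both sides of the `-`, so `^3.0.0-0` must reach the comparator path and be parsed as version `3.0.0` with prerelease tag `0`. A tokenizer that treats every `-` as the hyphen-range operator ends up with a missing right-hand version, which is the shape of the null value in the stack trace above. Whichever semver library a scanner uses, the operational point is the same: a parse failure on one range should be reported and the rest of the lockfile still analysed, otherwise the CI run silently loses coverage for every dependency in that file.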