NullPointerException occurred during package-lock.json analyze

[tbattisti]

Describe the bug
java.lang.NullPointerException occurred during analysis of a package-lock.json

Version of dependency-check used
7.0.4

Log file

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (2 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARN] The Node Package Analyzer has been disabled; the resulting report will only contain the known vulnerable dependency - not a bill of materials for the node project.
[WARN] An unexpected error occurred during analysis of 'C:\Users\TBATTI~1\AppData\Local\Temp\dctemp39951aff-f90a-4c1e-ab61-f13070969377\check12744923193935695818tmp\1\depcheckFrontend\package-lock.json' (Node Audit Analyzer): Cannot invoke "javax.json.JsonString.getString()" because the return value of "org.glassfish.json.JsonObjectBuilderImpl$JsonObjectImpl.getJsonString(String)" is null
[ERROR]
java.lang.NullPointerException: Cannot invoke "javax.json.JsonString.getString()" because the return value of "org.glassfish.json.JsonObjectBuilderImpl$JsonObjectImpl.getJsonString(String)" is null
        at org.glassfish.json.JsonObjectBuilderImpl$JsonObjectImpl.getString(JsonObjectBuilderImpl.java:257)
        at org.owasp.dependencycheck.data.nodeaudit.NpmPayloadBuilder.lambda$build$5(NpmPayloadBuilder.java:152)
        at java.base/java.util.Collections$UnmodifiableMap$UnmodifiableEntrySet.lambda$entryConsumer$0(Collections.java:1625)
        at java.base/java.util.LinkedHashMap$LinkedEntrySet.forEach(LinkedHashMap.java:708)
        at java.base/java.util.Collections$UnmodifiableMap$UnmodifiableEntrySet.forEach(Collections.java:1630)
        at org.owasp.dependencycheck.data.nodeaudit.NpmPayloadBuilder.build(NpmPayloadBuilder.java:147)
        at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.legacyAnalysis(NodeAuditAnalyzer.java:249)
        at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency(NodeAuditAnalyzer.java:148)
        at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at java.base/java.lang.Thread.run(Thread.java:833)
[INFO] Finished Node Audit Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (2 seconds)
[INFO] Writing report to: C:\Users\tbattisti\Desktop\testDepCheckFE\dependency-check-7.0.4-release\dependency-check\.\dependency-check-report.html
[ERROR] Cannot invoke "javax.json.JsonString.getString()" because the return value of "org.glassfish.json.JsonObjectBuilderImpl$JsonObjectImpl.getJsonString(String)" is null

To Reproduce
Steps to reproduce the behavior:

1. Download and unzip dependencyCheck from https://github.com/jeremylong/DependencyCheck/releases/download/v7.0.4/dependency-check-7.0.4-release.zip
2. Download attacched package-lock.zip
3. Launch command from cmd bin\dependency-check.bat --disableNodeJS --scan package-lock.zip
4. See error

[nhumblot]

NPE is triggered because of the following object inside the dependencies object:

    "node_modules/jest-resolve": {
      "dev": true,
      "optional": true,
      "peer": true
    },

These objects, if not containing a version field, should be ignored to prevent a NPE.

I am currently working on a fix. I will open a PR.

[johanhammar]

Sorry for commenting on a closed issue. I see this error in 7.4.0

[WARNING] An unexpected error occurred during analysis of '<path>/package-lock.json' (Node.js Package Analyzer): Cannot invoke "javax.json.JsonString.getString()" because the return value of "org.glassfish.json.JsonObjectBuilderImpl$JsonObjectImpl.getJsonString(String)" is null [ERROR] java.lang.NullPointerException: Cannot invoke "javax.json.JsonString.getString()" because the return value of "org.glassfish.json.JsonObjectBuilderImpl$JsonObjectImpl.getJsonString(String)" is null at org.glassfish.json.JsonObjectBuilderImpl$JsonObjectImpl.getString (JsonObjectBuilderImpl.java:257) at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.processDependencies (NodePackageAnalyzer.java:383) at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.analyzeDependency (NodePackageAnalyzer.java:270) at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131) at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88) at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37) at java.util.concurrent.FutureTask.run (FutureTask.java:264) at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1136) at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:635) at java.lang.Thread.run (Thread.java:833)

Do you want me to open a new issue?

[pk27734]

I'm seeing the same issue in 7.4.0.

[INFO] Finished Assembly Analyzer (0 seconds)
[WARN] An unexpected error occurred during analysis of 'D:\DFN_BuildAgent_2\_work\193\s\Source\package-lock.json' (Node.js Package Analyzer): null
[ERROR] 
java.lang.NullPointerException: null
	at org.glassfish.json.JsonObjectBuilderImpl$JsonObjectImpl.getString(JsonObjectBuilderImpl.java:257)
	at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.processDependencies(NodePackageAnalyzer.java:383)
	at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.analyzeDependency(NodePackageAnalyzer.java:270)
	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)
[INFO] Finished Node.js Package Analyzer (0 seconds)

[wangel13]

Same in version 7.4.1:

[ERROR] Cannot invoke "javax.json.JsonString.getString()" because the return value of "org.glassfish.json.JsonObjectBuilderImpl$JsonObjectImpl.getJsonString(String)" is null

[uwesinha]

Can confirm: running 7.4.1 from Jenkins gives me exactly the same stack trace as in @pk27734's comment. AFAICS no version-less dependencies in package-lock.json.

[neilime]

@jeremylong the issue seems to still there for many of us, I guess it should be reopened.
Is there any chance to have a fix on it?

Thank you

[Jmaharman]

Yep, getting it too for a linked folder (as posted about in #1947), I get it on projects with linked packages.

"node_modules/utils": {
"resolved": "packages/utils",
"link": true
},

Does anyone know how to avoid the error? It scans all the dependencies, but the exception is always logged and makes you wonder whether it missed some dependencies.