DependencyCheck: NullPointerException occurred during package-lock.json analyze
Describe the bug: java.lang.NullPointerException occurred during analysis of a package-lock.json
Version of dependency-check used: 7.0.4
Log file
```
[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (2 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARN] The Node Package Analyzer has been disabled; the resulting report will only contain the known vulnerable dependency - not a bill of materials for the node project.
[WARN] An unexpected error occurred during analysis of 'C:\Users\TBATTI~1\AppData\Local\Temp\dctemp39951aff-f90a-4c1e-ab61-f13070969377\check12744923193935695818tmp\1\depcheckFrontend\package-lock.json' (Node Audit Analyzer): Cannot invoke "javax.json.JsonString.getString()" because the return value of "org.glassfish.json.JsonObjectBuilderImpl$JsonObjectImpl.getJsonString(String)" is null
[ERROR] java.lang.NullPointerException: Cannot invoke "javax.json.JsonString.getString()" because the return value of "org.glassfish.json.JsonObjectBuilderImpl$JsonObjectImpl.getJsonString(String)" is null
    at org.glassfish.json.JsonObjectBuilderImpl$JsonObjectImpl.getString(JsonObjectBuilderImpl.java:257)
    at org.owasp.dependencycheck.data.nodeaudit.NpmPayloadBuilder.lambda$build$5(NpmPayloadBuilder.java:152)
    at java.base/java.util.Collections$UnmodifiableMap$UnmodifiableEntrySet.lambda$entryConsumer$0(Collections.java:1625)
    at java.base/java.util.LinkedHashMap$LinkedEntrySet.forEach(LinkedHashMap.java:708)
    at java.base/java.util.Collections$UnmodifiableMap$UnmodifiableEntrySet.forEach(Collections.java:1630)
    at org.owasp.dependencycheck.data.nodeaudit.NpmPayloadBuilder.build(NpmPayloadBuilder.java:147)
    at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.legacyAnalysis(NodeAuditAnalyzer.java:249)
    at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency(NodeAuditAnalyzer.java:148)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.base/java.lang.Thread.run(Thread.java:833)
[INFO] Finished Node Audit Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (2 seconds)
[INFO] Writing report to: C:\Users\tbattisti\Desktop\testDepCheckFE\dependency-check-7.0.4-release\dependency-check\.\dependency-check-report.html
[ERROR] Cannot invoke "javax.json.JsonString.getString()" because the return value of "org.glassfish.json.JsonObjectBuilderImpl$JsonObjectImpl.getJsonString(String)" is null
```
To Reproduce Steps to reproduce the behavior:
- Download and unzip dependencyCheck from https://github.com/jeremylong/DependencyCheck/releases/download/v7.0.4/dependency-check-7.0.4-release.zip
- Download the attached package-lock.zip
- Launch command from cmd
```
bin\dependency-check.bat --disableNodeJS --scan package-lock.zip
```
- See error
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Comments: 20 (7 by maintainers)
Commits related to this issue
- #4293 Ignore dependency if not associated to any version to prevent NPE when scanning a lock file — committed to nhumblot/DependencyCheck by nhumblot 2 years ago
- #4293 Handle dependency with unspecified version — committed to nhumblot/DependencyCheck by nhumblot 2 years ago
- Merge pull request #4299 from nhumblot/4293-fix-npe #4293 Handle dependency with unspecified version to prevent NPE when scanning a lock file — committed to jeremylong/DependencyCheck by jeremylong 2 years ago
I’m seeing the same issue in 7.4.0.
Sorry for commenting on a closed issue. I see this error in 7.4.0
```
[WARNING] An unexpected error occurred during analysis of '<path>/package-lock.json' (Node.js Package Analyzer): Cannot invoke "javax.json.JsonString.getString()" because the return value of "org.glassfish.json.JsonObjectBuilderImpl$JsonObjectImpl.getJsonString(String)" is null
[ERROR] java.lang.NullPointerException: Cannot invoke "javax.json.JsonString.getString()" because the return value of "org.glassfish.json.JsonObjectBuilderImpl$JsonObjectImpl.getJsonString(String)" is null
    at org.glassfish.json.JsonObjectBuilderImpl$JsonObjectImpl.getString (JsonObjectBuilderImpl.java:257)
    at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.processDependencies (NodePackageAnalyzer.java:383)
    at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.analyzeDependency (NodePackageAnalyzer.java:270)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1136)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:635)
    at java.lang.Thread.run (Thread.java:833)
```
Do you want me to open a new issue?
NPE still present in 8.0.0 😢
Yep, getting it too for a linked folder (as posted about in #1947); I get it on projects with linked packages.
```json
"node_modules/utils": { "resolved": "packages/utils", "link": true },
```
Does anyone know how to avoid the error? It scans all the dependencies, but the exception is always logged and makes you wonder whether it missed some dependencies.
Same in version 7.4.1:
NPE is triggered because of the following object inside the `dependencies` object:

These objects, if not containing a `version` field, should be ignored to prevent an NPE. I am currently working on a fix. I will open a PR.