fix: crash when analyzing node package with a local dependency #5235
Conversation
Issue jeremylong#1947 When a package has a local dependency, the package-lock.json file contains an entry without a version number, with "link": "true". This lack of version attribute causes the NodePackageAnalyzer class to crash. These entries should be skipped instead as they cannot be processed.
rturner-edjuster
changed the title
core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
Show resolved
Hide resolved
|
@jeremylong Let me know if there is anything else I can do on this? (like update to merge in latest master, etc). |
|
Thanks! The change is good as is - I'm just debating on the release schedule. I'll likely put in one more release before 8.0.0. |
rturner-edjuster
deleted the
bugfix/issue-1947-fix-crash-for-local-packages
branch
|
@jeremylong I would consider this for a patch -- it's pretty debilitating. We've had to completely disable use of DependencyCheck until it's resolved (largely in combination with the need for the fix for the field length + data issue that you released a fix for recently). |
|
Seconded regarding the patch release – we were caught between a rock and a hard place because we needed the 7.4.4 fix for using DependencyCheck at all and then had to disable the Node package analyzer or we would have had no dependency check at all. |
Fixes Issue #1947
Description of Change
When a package has a local dependency, the package-lock.json file contains an entry without a version number, with "link": "true". This lack of version attribute causes the NodePackageAnalyzer class to crash.
These entries should be skipped instead as they cannot be processed.
Have test cases been added to cover the new functionality?
yes