NullPointerException in Semver for alternative NPM versions

[ssams]

Describe the bug
Follow-up to #5128, seems not to be fully fixed yet: I receive a NullPointerException from the NodePackageAnalyzer when analyzing a package-lock.json. Exception message does slightly differ from the trace in the linked earlier issue though:

[WARN] An unexpected error occurred during analysis of '/src/package-lock.json' (Node.js Package Analyzer): Cannot invoke "String.isEmpty()" because "string" is null
[ERROR] 
java.lang.NullPointerException: Cannot invoke "String.isEmpty()" because "string" is null
        at org.semver4j.Range$RangeOperator.value(Range.java:138)
        at org.semver4j.RangesListFactory.addRanges(RangesListFactory.java:53)
        at org.semver4j.RangesListFactory.create(RangesListFactory.java:26)
        at org.semver4j.Semver.satisfies(Semver.java:445)
        at org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer.npmVersionsMatch(DependencyBundlingAnalyzer.java:628)
        at org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer.findDependency(AbstractNpmAnalyzer.java:296)
        at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.processDependencies(NodePackageAnalyzer.java:454)
        at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.processDependencies(NodePackageAnalyzer.java:402)
        at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.analyzeDependency(NodePackageAnalyzer.java:270)
        at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at java.base/java.lang.Thread.run(Thread.java:833)

Version of dependency-check used
latest main as of writing -> e84cb80 (run via the CLI within a container, using the included Dockerfile)

To Reproduce

Adding a few quick debug logs in DependencyBundlingAnalyzer shows that in my current/specific case npmVersionsMatch is invoked with arguments current = "^14.14.20 || ^16.0.0" and next = "18.11.5", which seems to originate from the following snippet in the package-lock.json:

    "@storybook/angular": {
      "version": "6.5.13",
      // ...
      "requires": {
        // ...
        "@types/node": "^14.14.20 || ^16.0.0",

Similar to jeremylong/DependencyCheck#5128 (comment), this seems to be sufficient to trigger the NPE:

Semver semver = new Semver("18.11.5");
System.out.println(semver.satisfies("^14.14.20 || ^16.0.0"));

Note

Based on the comment in the code I'm not sure if the check in https://github.com/jeremylong/DependencyCheck/blob/e84cb804aa1510bd50515ad600fec2034decabd6/core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java#L616-L617 should be also preventing this, if so it doesn't catch this specific parameter combination as the next version doesn't include a space.

[jeremylong]

This will be fixed when the next version of semver4j is released. They have already resolved the issue - see: semver4j/semver4j#116

[alexdu98]

The error is still present.
I use owasp/dependency-check:latest.

Using docker image sha256:0f756bf21362c9c25eb0137049bd7381d125a6e43347ec4faf87859f491c6763 for owasp/dependency-check:latest with digest owasp/dependency-check@sha256:ffa0ce146e1ec236920a6e2db3bb4b93eff3eff9c15b0cdf8cd18824139e98b0 ...
[WARN] An unexpected error occurred during analysis of '/builds/.../package-lock.json' (Node.js Package Analyzer): Cannot invoke "String.isEmpty()" because "string" is null
[ERROR] 
java.lang.NullPointerException: Cannot invoke "String.isEmpty()" because "string" is null
	at org.semver4j.Range$RangeOperator.value(Range.java:138)
	at org.semver4j.RangesListFactory.addRanges(RangesListFactory.java:61)
	at org.semver4j.RangesListFactory.create(RangesListFactory.java:29)
	at org.semver4j.Semver.satisfies(Semver.java:445)
	at org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer.npmVersionsMatch(DependencyBundlingAnalyzer.java:628)
	at org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer.findDependency(AbstractNpmAnalyzer.java:296)
	at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.processDependencies(NodePackageAnalyzer.java:454)
	at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.processDependencies(NodePackageAnalyzer.java:402)
	at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.analyzeDependency(NodePackageAnalyzer.java:2[70](https://...#L70))
	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:[83](https://...#L83)3)

[Redirts]

I am observing the same error with the latest version 7.4.2

[DependencyCheck] [INFO] Analysis Started
[DependencyCheck] [INFO] Finished File Name Analyzer (0 seconds)
[DependencyCheck] [WARN] dependency skipped: node module fsevents seems optional and not installed
[DependencyCheck] [WARN] An unexpected error occurred during analysis of '/var/jenkins_home/workspace/xxx/package-lock.json' (Node.js Package Analyzer): null
[DependencyCheck] [ERROR] 
[DependencyCheck] java.lang.NullPointerException: null
[DependencyCheck] 	at org.semver4j.Range$RangeOperator.value(Range.java:138)
[DependencyCheck] 	at org.semver4j.RangesListFactory.addRanges(RangesListFactory.java:61)
[DependencyCheck] 	at org.semver4j.RangesListFactory.create(RangesListFactory.java:29)
[DependencyCheck] 	at org.semver4j.Semver.satisfies(Semver.java:445)
[DependencyCheck] 	at org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer.npmVersionsMatch(DependencyBundlingAnalyzer.java:628)
[DependencyCheck] 	at org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer.findDependency(AbstractNpmAnalyzer.java:296)
[DependencyCheck] 	at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.processDependencies(NodePackageAnalyzer.java:454)
[DependencyCheck] 	at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.processDependencies(NodePackageAnalyzer.java:402)
[DependencyCheck] 	at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.analyzeDependency(NodePackageAnalyzer.java:270)
[DependencyCheck] 	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
[DependencyCheck] 	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
[DependencyCheck] 	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
[DependencyCheck] 	at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
[DependencyCheck] 	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
[DependencyCheck] 	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
[DependencyCheck] 	at java.base/java.lang.Thread.run(Unknown Source)
[DependencyCheck] [INFO] Finished Node.js Package Analyzer (7 seconds)
[DependencyCheck] [INFO] Finished Dependency Merging Analyzer (1 seconds)
[DependencyCheck] [INFO] Finished Version Filter Analyzer (0 seconds)
[DependencyCheck] [INFO] Finished Hint Analyzer (0 seconds)
[DependencyCheck] [INFO] Created CPE Index (4 seconds)
[DependencyCheck] [INFO] Finished CPE Analyzer (10 seconds)
[DependencyCheck] [INFO] Finished False Positive Analyzer (0 seconds)
[DependencyCheck] [INFO] Finished NVD CVE Analyzer (0 seconds)
[DependencyCheck] [INFO] Finished Node Audit Analyzer (2 seconds)
[DependencyCheck] [INFO] Finished RetireJS Analyzer (16 seconds)
[DependencyCheck] [INFO] Finished Sonatype OSS Index Analyzer (10 seconds)
[DependencyCheck] [INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[DependencyCheck] [INFO] Finished Dependency Bundling Analyzer (26 seconds)
[DependencyCheck] [INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[DependencyCheck] [INFO] Analysis Complete (75 seconds)
[DependencyCheck] [INFO] Writing report to: /var/jenkins_home/workspace/xxx/./dependency-check-report.json
[DependencyCheck] [INFO] Writing report to: /var/jenkins_home/workspace/xxx/./dependency-check-report.xml
ERROR: Mark build as failed because of exit code 242

[piotrooo]

@jeremylong @Redirts and @alexdu98 indeed there was a problem with ranges parsing. I fixed it in 4.1.1, hope it's help. Version is already released, should be available soon.