
@ sign in npm package-names leads to an exception #4412

Open
profTwinglings opened this issue Apr 26, 2022 · 4 comments

Comments

@profTwinglings

profTwinglings commented Apr 26, 2022

Describe the bug
When using dependency check on a package.json and package-lock.json file with a dependency with an @-sign in its name, like https://www.npmjs.com/package/@emotion/react
package.json

{
  "name": "test",
  "dependencies": {
    "@types/jest": "^27.4.1",
    "axios": "^0.26.0",
......

Gives:

Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
exception: org.owasp.dependencycheck.analyzer.exception.SearchException: Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.

I get a successful run if I remove all packages starting with @ or when I use an older node that generates a package-lock.json using version 1.

Version of dependency-check used
Using dependency-check-maven 7.1.0.
Package-lock.json is generated with node v18.0.0

Log file

Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
exception: org.owasp.dependencycheck.analyzer.exception.SearchException: Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.

org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage(NodeAuditSearch.java:209)
org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage(NodeAuditSearch.java:133)
org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzePackage(NodeAuditAnalyzer.java:189)
org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency(NodeAuditAnalyzer.java:146)
org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
java.base/java.lang.Thread.run(Thread.java:829)

Full package.json: https://gist.github.com/profTwinglings/51d7dbff3abe771c8ece98659fdbf101
package-lock.json: https://gist.github.com/profTwinglings/fadc6d506b4984245dac0feae9a6ebbe
older package-lock.json with node v14: https://gist.github.com/profTwinglings/ff06bb025fcb7cfaedf6350f9f537ee8
To Reproduce
Run dependency check maven with a package.json that has a package with @ in its name:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>7.1.0</version>
    <configuration>
        <scanSet>
            <fileSet>
                <directory>foo</directory>
                <includes>
                    <include>package.json</include>
                    <include>package-lock.json</include>
                </includes>
            </fileSet>
        </scanSet>
    </configuration>
</plugin>

Expected behavior
Successful scan
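The report above ties the failure to two conditions: scoped package names (an `@` prefix) and a lockfileVersion 2 lockfile generated by newer npm. As an added example, not code from dependency-check or from the reporter, this Node script reads a package-lock.json and reports both, so a project can check whether it matches before opening or triaging a similar report. The lockfile embedded in it is a constructed sample in the v2 shape.

```javascript
// Added triage helper (not part of dependency-check). Given a package-lock.json
// as a string or object, report its lockfileVersion and every scoped package
// ("@scope/name") it references. v2/v3 lockfiles key "packages" by install path
// (e.g. "node_modules/@types/jest"); v1 lockfiles (and the v2 compatibility
// section) use a nested "dependencies" map keyed by package name.
function scopedPackages(lockJson) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  const version = lock.lockfileVersion || 1; // v1 lockfiles may omit the field
  const names = new Set();

  if (version >= 2 && lock.packages) {
    for (const path of Object.keys(lock.packages)) {
      // Strip everything up to the last "node_modules/" to get the package name;
      // the root entry "" becomes "" and is skipped by the @ check.
      const name = path.replace(/^.*node_modules\//, '');
      if (name.startsWith('@')) names.add(name);
    }
  }
  if (lock.dependencies) {
    const walk = (deps) => {
      for (const [name, meta] of Object.entries(deps)) {
        if (name.startsWith('@')) names.add(name);
        if (meta && meta.dependencies) walk(meta.dependencies); // nested deps
      }
    };
    walk(lock.dependencies);
  }
  return { lockfileVersion: version, scoped: [...names].sort() };
}

// Constructed sample: a lockfileVersion 2 file with one top-level scoped
// dependency and one scoped dependency nested under axios.
const SAMPLE_LOCK_V2 = JSON.stringify({
  name: 'test',
  lockfileVersion: 2,
  packages: {
    '': { name: 'test', dependencies: { '@types/jest': '^27.4.1', axios: '^0.26.0' } },
    'node_modules/@types/jest': { version: '27.4.1' },
    'node_modules/axios': { version: '0.26.0' },
    'node_modules/axios/node_modules/@scope/nested': { version: '1.0.0' },
  },
  dependencies: {
    '@types/jest': { version: '27.4.1' },
    axios: { version: '0.26.0', dependencies: { '@scope/nested': { version: '1.0.0' } } },
  },
});

function summarize(lockJson) {
  const r = scopedPackages(lockJson);
  return `lockfileVersion=${r.lockfileVersion}; scoped packages: ${r.scoped.join(', ') || '(none)'}`;
}

console.log(summarize(SAMPLE_LOCK_V2));
```

To run it against a real project, replace the constructed sample with the contents of the project's package-lock.json.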

@profTwinglings
Author

bump

@Szugro2

Szugro2 commented May 9, 2022

Hello, I am having the same problem, any ideas on what to do to solve this?

@nhumblot
Collaborator

nhumblot commented Aug 9, 2022

Hello, I have not been able to reproduce your issue. By loading both provided files into a test (as per cb59ad1), I observe an HTTP 200 response from the node audit API.

Do you still observe this issue? If yes, do you observe this issue every time? If you clone the repo, check out the commit and perform an mvn -s settings.xml verify, are all the tests green? Could you please share the default encoding of your workstation, alongside the encoding of the file generating the issue? What are your npm and node versions?

On my side:

$ node --version
v18.7.0
$ npm --version
8.15.0

@nhumblot
Collaborator

nhumblot commented Aug 9, 2022

Related to #3716 & #3717

@nhumblot nhumblot self-assigned this Aug 9, 2022
@nhumblot nhumblot removed their assignment Jun 21, 2023