fix(node): Do not crash on projects that do not set a version
The originally linked and newly linked NPM docs are somewhat
contradictory in this regard, but actual tests show that local NPM
projects indeed do not need to have a version set in order for `npm
install` / `npm ci` to work, so avoid ORT crashing with a
`NullPointerException` in this case.

For now, only address the issue for a missing `version` field by falling
back to "0.0.0" which should never be used for a package with a real
(semantic) version. The version must be set to something non-empty to
satisfy the `require()` statement in line 393.

A future improvement should also handle a missing `name` field and fall
back to a project name derived from the project's path (and probably other
properties). However, that should be done consistently for all package
managers via a global helper function.

Signed-off-by: Sebastian Schuberth <[email protected]>
sschuberth committed Dec 5, 2023
1 parent eb93dd5 commit 8e1ec1d
Showing 2 changed files with 11 additions and 4 deletions.
13 changes: 9 additions & 4 deletions plugins/package-managers/node/src/main/kotlin/Npm.kt
Expand Up @@ -59,6 +59,7 @@ import org.ossreviewtoolkit.model.orEmpty
import org.ossreviewtoolkit.model.readTree
import org.ossreviewtoolkit.model.readValue
import org.ossreviewtoolkit.model.utils.DependencyGraphBuilder
import org.ossreviewtoolkit.plugins.packagemanagers.node.utils.NON_EXISTING_SEMVER
import org.ossreviewtoolkit.plugins.packagemanagers.node.utils.NodePackageManager
import org.ossreviewtoolkit.plugins.packagemanagers.node.utils.NpmDependencyHandler
import org.ossreviewtoolkit.plugins.packagemanagers.node.utils.NpmDetection
Expand Down Expand Up @@ -297,12 +298,16 @@ open class Npm(

logger.debug { "Found a 'package.json' file in '$packageDir'." }

// The "name" and "version" are the only required fields, see:
// https://docs.npmjs.com/creating-a-package-json-file#required-name-and-version-fields
val json = packageFile.readValue<ObjectNode>()
val rawName = json["name"].textValue()

// The "name" and "version" fields are only required if the package is going to be published, otherwise they are
// optional, see
// - https://docs.npmjs.com/cli/v10/configuring-npm/package-json#name
// - https://docs.npmjs.com/cli/v10/configuring-npm/package-json#version
// So, projects analyzed by ORT might not have these fields set.
val rawName = json["name"].textValue() // TODO: Fall back to a generated name if the name is unset.
val (namespace, name) = splitNpmNamespaceAndName(rawName)
val version = json["version"].textValue()
val version = json["version"]?.textValue() ?: NON_EXISTING_SEMVER

val declaredLicenses = parseNpmLicenses(json)
val authors = parseNpmAuthors(json)
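Review bot: the `?: NON_EXISTING_SEMVER` fallback in `val version = json["version"]?.textValue() ?: NON_EXISTING_SEMVER` only covers an absent field. A `version` that is present but an empty string passes through unchanged and still hits the `require()` the commit message mentions, and a `version` that is present but not a JSON string makes `textValue()` return null, so it is silently reported as "0.0.0" with no hint in the output. Consider `json["version"]?.textValue()?.takeUnless { it.isBlank() } ?: NON_EXISTING_SEMVER` together with a `logger.warn` when the fallback is taken, so a project without a usable version is visible in the analyzer result rather than indistinguishable from one that declares 0.0.0. In the same hunk `val rawName = json["name"].textValue()` is left as is, so the `NullPointerException` described in the commit message still occurs for a missing `name`; the TODO acknowledges this, but a `requireNotNull(json["name"]) { "..." }` with a message naming `packageFile` would turn that crash into an actionable error until the generated-name fallback lands.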
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,8 @@ import org.ossreviewtoolkit.utils.common.textValueOrEmpty
import org.ossreviewtoolkit.utils.common.toUri
import org.ossreviewtoolkit.utils.spdx.SpdxConstants

internal const val NON_EXISTING_SEMVER = "0.0.0"

/**
* Expand an NPM shortcut [url] to a regular URL as used for dependencies, see
* https://docs.npmjs.com/cli/v7/configuring-npm/package-json#urls-as-dependencies.
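Review bot: `internal const val NON_EXISTING_SEMVER = "0.0.0"` has no KDoc comment, and because "0.0.0" is itself a valid semantic version, downstream code cannot distinguish a project that genuinely declares version 0.0.0 from one whose `version` field is unset. Add a doc comment stating that this is the placeholder used when `package.json` declares no `version` and that callers should compare against the constant rather than the literal, e.g. `/** Placeholder version for a project whose package.json has no "version" field. */`; the surrounding file already uses KDoc for its helpers, so the constant should follow the same convention.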