From 8e1ec1d77289fe8c9f20c8339eb9d4399643c50f Mon Sep 17 00:00:00 2001
From: Sebastian Schuberth
Date: Mon, 4 Dec 2023 16:03:01 +0100
Subject: [PATCH] fix(node): Do not crash on projects that do not set a version
The originally linked and newly linked NPM docs are somewhat contradictory in this regard, but actual tests show that local NPM projects indeed do not need to have a version set in order for `npm install` / `npm ci` to work, so avoid ORT crashing with a `NullPointerException` in this case. For now, only address the issue for a missing `version` field by falling back to "0.0.0" which should never be used for a package with a real (semantic) version. The version must be set to something non-empty to satisfy the `require()` statement in line 393. A future improvement should also handle a missing `name` field and fall back to a project name derived from the project's path (and probably other properties). However, that should be done consistently for all package managers via a global helper function.
Signed-off-by: Sebastian Schuberth
---
 .../package-managers/node/src/main/kotlin/Npm.kt | 13 +++++++++----
 .../node/src/main/kotlin/utils/NpmSupport.kt | 2 ++
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/plugins/package-managers/node/src/main/kotlin/Npm.kt b/plugins/package-managers/node/src/main/kotlin/Npm.kt
index 8a6c5e892a3f6..4a4f890958ad9 100644
--- a/plugins/package-managers/node/src/main/kotlin/Npm.kt
+++ b/plugins/package-managers/node/src/main/kotlin/Npm.kt 
@@ -59,6 +59,7 @@ import org.ossreviewtoolkit.model.orEmpty
 import org.ossreviewtoolkit.model.readTree
 import org.ossreviewtoolkit.model.readValue
 import org.ossreviewtoolkit.model.utils.DependencyGraphBuilder
+import org.ossreviewtoolkit.plugins.packagemanagers.node.utils.NON_EXISTING_SEMVER
 import org.ossreviewtoolkit.plugins.packagemanagers.node.utils.NodePackageManager
 import org.ossreviewtoolkit.plugins.packagemanagers.node.utils.NpmDependencyHandler
 import org.ossreviewtoolkit.plugins.packagemanagers.node.utils.NpmDetection
@@ -297,12 +298,16 @@ open class Npm(
 logger.debug { "Found a 'package.json' file in '$packageDir'." }
- // The "name" and "version" are the only required fields, see:
- // https://docs.npmjs.com/creating-a-package-json-file#required-name-and-version-fields
 val json = packageFile.readValue()
- val rawName = json["name"].textValue()
+
+ // The "name" and "version" fields are only required if the package is going to be published, otherwise they are
+ // optional, see
+ // - https://docs.npmjs.com/cli/v10/configuring-npm/package-json#name
+ // - https://docs.npmjs.com/cli/v10/configuring-npm/package-json#version
+ // So, projects analyzed by ORT might not have these fields set.
+ val rawName = json["name"].textValue() // TODO: Fall back to a generated name if the name is unset.
 val (namespace, name) = splitNpmNamespaceAndName(rawName)
- val version = json["version"].textValue()
+ val version = json["version"]?.textValue() ?: NON_EXISTING_SEMVER
 val declaredLicenses = parseNpmLicenses(json)
 val authors = parseNpmAuthors(json)
diff --git a/plugins/package-managers/node/src/main/kotlin/utils/NpmSupport.kt b/plugins/package-managers/node/src/main/kotlin/utils/NpmSupport.kt
index 81f4b24b4cf6e..1a8d6ba2b9334 100644
--- a/plugins/package-managers/node/src/main/kotlin/utils/NpmSupport.kt
+++ b/plugins/package-managers/node/src/main/kotlin/utils/NpmSupport.kt 
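Review bot: `json["version"]?.textValue() ?: NON_EXISTING_SEMVER` in the second hunk also takes the fallback when `version` is present but not a string (Jackson's `textValue()` returns null for non-textual nodes, e.g. `"version": 1`), so a malformed manifest is silently reported as "0.0.0" instead of being flagged. Because "0.0.0" is itself a valid semantic version, a consumer of the analyzer result cannot tell the placeholder from a genuine version; if `version` ends up in the package identifier used downstream (likely, given the `require()` the commit message refers to), that affects advisory matching and SBOM output. Suggest at least logging when the fallback is taken, e.g. `val version = json["version"]?.textValue() ?: NON_EXISTING_SEMVER.also { logger.warn { "No 'version' found in '$packageFile', falling back to '$it'." } }`, and treating the present-but-non-textual case as an error rather than a missing field. The enclosing function starts before and ends after the hunk.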
@@ -28,6 +28,8 @@ import org.ossreviewtoolkit.utils.common.textValueOrEmpty
 import org.ossreviewtoolkit.utils.common.toUri
 import org.ossreviewtoolkit.utils.spdx.SpdxConstants
+internal const val NON_EXISTING_SEMVER = "0.0.0"
+
 /**
 * Expand an NPM shortcut [url] to a regular URL as used for dependencies, see
 * https://docs.npmjs.com/cli/v7/configuring-npm/package-json#urls-as-dependencies.
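Review bot: `NON_EXISTING_SEMVER` is declared without a KDoc, although its purpose is only explained in the commit message and "0.0.0" is itself a valid semantic version that a reader of the constant cannot distinguish from a real one. Suggest documenting the intent and the caveat above the declaration: `/** Placeholder version used when a 'package.json' declares no "version". Note that "0.0.0" is a valid semver, so callers must not rely on it to detect a missing version. */`. The name also reads as a guarantee the value makes, which the comment should correct.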