jeremylong · jeremylong · Nov 23, 2022 · Nov 21, 2022
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
@@ -92,6 +92,10 @@ public class NodePackageAnalyzer extends AbstractNpmAnalyzer {
      * The file name to scan.
      */
     public static final String SHRINKWRAP_JSON = "npm-shrinkwrap.json";
+    /**
+     * The name of the directory that contains node modules
+     */
+    public static final String NODE_MODULES_DIRNAME = "node_modules";
     /**
      * Filter that detects files named "package.json", "package-lock.json", or
      * "npm-shrinkwrap.json".
@@ -303,6 +307,13 @@ public static boolean shouldSkipDependency(String name, String version, boolean
                     name, version);
             return true;
         }
+
+        // Don't include package with empty name
+        if ("".equals(name)) {
+            LOGGER.debug("Empty dependency of package-lock v2+ removed");
+            return true;
+        }
+
         return false;
     }
 
@@ -334,16 +345,36 @@ public static boolean shouldSkipDependency(String name, String version) {
      */
     private void processDependencies(JsonObject json, File baseDir, File rootFile,
             String parentPackage, Engine engine) throws AnalysisException {
-        if (json.containsKey("dependencies")) {
-            final JsonObject deps = json.getJsonObject("dependencies");
-            final boolean skipDev = getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_SKIPDEV, false);
+          final boolean skipDev = getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_SKIPDEV, false);
+          final JsonObject deps;
+
+          final int lockJsonVersion = json.containsKey("lockfileVersion") ? json.getInt("lockfileVersion") : 1;
+          if (lockJsonVersion >= 2) {
+            deps = json.getJsonObject("packages");
+          } else if (json.containsKey("dependencies")) {
+            deps = json.getJsonObject("dependencies");
+          } else {
+            deps = null;
+          }
+
+          if (deps != null) {
             for (Map.Entry<String, JsonValue> entry : deps.entrySet()) {
-                final String name = entry.getKey();
+                String pathName = entry.getKey();
+                String name = pathName;
+                final File base;
+
+                final int indexOfNodeModule = name.lastIndexOf(NODE_MODULES_DIRNAME);
+                if (indexOfNodeModule >= 0) {
+                    name = name.substring(indexOfNodeModule + NODE_MODULES_DIRNAME.length() + 1);
+                    base = Paths.get(baseDir.getPath(), pathName).toFile();
+                } else {
+                    base = Paths.get(baseDir.getPath(), "node_modules", name).toFile();
+                }
+
                 final String version;
                 boolean optional = false;
                 boolean isDev = false;
 
-                final File base = Paths.get(baseDir.getPath(), "node_modules", name).toFile();
                 final File f = new File(base, PACKAGE_JSON);
                 JsonObject jo = null;
 

diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nodeaudit/NpmPayloadBuilder.java b/core/src/main/java/org/owasp/dependencycheck/data/nodeaudit/NpmPayloadBuilder.java
@@ -40,7 +40,6 @@
  */
 @ThreadSafe
 public final class NpmPayloadBuilder {
-
     /**
      * Private constructor for utility class.
      */
@@ -102,9 +101,19 @@ public static JsonObject build(JsonObject lockJson, JsonObject packageJson,
         payloadBuilder.add("requires", requiresBuilder.build());
 
         final JsonObjectBuilder dependenciesBuilder = Json.createObjectBuilder();
-        final JsonObject dependencies = lockJson.getJsonObject("dependencies");
+        final int lockJsonVersion = lockJson.containsKey("lockfileVersion") ? lockJson.getInt("lockfileVersion") : 1;
+        JsonObject dependencies = lockJson.getJsonObject("dependencies");
+        if (lockJsonVersion >= 2 && dependencies == null) {
+            dependencies = lockJson.getJsonObject("packages");
+        }
+
         if (dependencies != null) {
             dependencies.forEach((key, value) -> {
+                final int indexOfNodeModule = key.lastIndexOf(NodePackageAnalyzer.NODE_MODULES_DIRNAME);
+                if (indexOfNodeModule >= 0) {
+                    key = key.substring(indexOfNodeModule + NodePackageAnalyzer.NODE_MODULES_DIRNAME.length() + 1);
+                }
+
                 final JsonObject dep = ((JsonObject) value);
                 final String version = dep.getString("version");
                 final boolean isDev = dep.getBoolean("dev", false);
@@ -240,9 +249,22 @@ private static JsonObject buildDependencies(JsonObject dep, MultiValuedMap<Strin
         if (dep.containsKey("dependencies")) {
             final JsonObjectBuilder dependeciesBuilder = Json.createObjectBuilder();
             dep.getJsonObject("dependencies").forEach((key, value) -> {
-                final String v = ((JsonObject) value).getString("version");
-                dependencyMap.put(key, v);
-                dependeciesBuilder.add(key, buildDependencies((JsonObject) value, dependencyMap));
+                if (value.getValueType() == JsonValue.ValueType.OBJECT) {
+                    final JsonObject currentDep = (JsonObject) value;
+                    final String v = currentDep.getString("version");
+                    dependencyMap.put(key, v);
+                    dependeciesBuilder.add(key, buildDependencies(currentDep, dependencyMap));
+                } else {
+                    final String tmp = value.toString();
+                    final String v;
+                    if (tmp.startsWith("\"")) {
+                        v = tmp.substring(1, tmp.length() - 1);
+                    } else {
+                        v = tmp;
+                    }
+                    dependencyMap.put(key, v);
+                    dependeciesBuilder.add(key, v);
+                }
             });
             depBuilder.add("dependencies", dependeciesBuilder.build());
         }

diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java
@@ -267,4 +267,46 @@ public void testWithoutLock() throws AnalysisException, InvalidSettingException
         //final boolean isMac = !System.getProperty("os.name").toLowerCase().contains("mac");
         assertEquals("Expected 1 dependencies", 1, engine.getDependencies().length);
     }
+
+    /**
+     * Test of inspect method for package-lock v2
+     *
+     * @throws AnalysisException is thrown when an exception occurs.
+     */
+    @Test
+    public void testPackageLockV2() throws AnalysisException, InvalidSettingException {
+        Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED), is(true));
+        Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED), is(true));
+        final Dependency packageJson = new Dependency(BaseTest.getResourceAsFile(this,
+                "nodejs/test_lockv2/package.json"));
+        final Dependency packageLockJson = new Dependency(BaseTest.getResourceAsFile(this,
+                "nodejs/test_lockv2/package-lock.json"));
+        engine.addDependency(packageJson);
+        engine.addDependency(packageLockJson);
+        analyzer.analyze(packageJson, engine);
+        assertEquals("Expected 1 dependencies", 1, engine.getDependencies().length);
+        analyzer.analyze(packageLockJson, engine);
+        assertEquals("Expected 1 dependencies", 6, engine.getDependencies().length);
+    }
+
+    /**
+     * Test of inspect method for package-lock v3
+     *
+     * @throws AnalysisException is thrown when an exception occurs.
+     */
+    @Test
+    public void testPackageLockV3() throws AnalysisException, InvalidSettingException {
+        Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED), is(true));
+        Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED), is(true));
+        final Dependency packageJson = new Dependency(BaseTest.getResourceAsFile(this,
+                "nodejs/test_lockv3/package.json"));
+        final Dependency packageLockJson = new Dependency(BaseTest.getResourceAsFile(this,
+                "nodejs/test_lockv3/package-lock.json"));
+        engine.addDependency(packageJson);
+        engine.addDependency(packageLockJson);
+        analyzer.analyze(packageJson, engine);
+        assertEquals("Expected 1 dependencies", 1, engine.getDependencies().length);
+        analyzer.analyze(packageLockJson, engine);
+        assertEquals("Expected 1 dependencies", 6, engine.getDependencies().length);
+    }
 }
diff --git a/core/src/test/resources/nodejs/test_lockv2/node_modules/is-buffer/LICENSE b/core/src/test/resources/nodejs/test_lockv2/node_modules/is-buffer/LICENSE
diff --git a/core/src/test/resources/nodejs/test_lockv2/node_modules/is-buffer/package.json b/core/src/test/resources/nodejs/test_lockv2/node_modules/is-buffer/package.json
diff --git a/core/src/test/resources/nodejs/test_lockv2/node_modules/is-number/LICENSE b/core/src/test/resources/nodejs/test_lockv2/node_modules/is-number/LICENSE
diff --git a/core/src/test/resources/nodejs/test_lockv2/node_modules/is-number/package.json b/core/src/test/resources/nodejs/test_lockv2/node_modules/is-number/package.json
diff --git a/core/src/test/resources/nodejs/test_lockv2/node_modules/isarray/package.json b/core/src/test/resources/nodejs/test_lockv2/node_modules/isarray/package.json
diff --git a/core/src/test/resources/nodejs/test_lockv2/node_modules/isobject/LICENSE b/core/src/test/resources/nodejs/test_lockv2/node_modules/isobject/LICENSE