
@ sign in npm package-names leads to an exception

Open profTwinglings opened this issue 2 years ago • 4 comments

Describe the bug When using dependency check on a package.json and package-lock.json file with a dependency with a @-sign in its name, like https://www.npmjs.com/package/@emotion/react, package.json:

{
  "name": "test",
  "dependencies": {

    "@types/jest": "^27.4.1",
    "axios": "^0.26.0",
......

Gives:

Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
exception: org.owasp.dependencycheck.analyzer.exception.SearchException: Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.

I get a successful run if I remove all packages starting with @ or when I use an older node that generates a package-lock.json using version 1.

Version of dependency-check used: dependency-check-maven 7.1.0. package-lock.json is generated with node v18.0.0.

Log file

Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
exception: org.owasp.dependencycheck.analyzer.exception.SearchException: Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.

org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage(NodeAuditSearch.java:209)
org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage(NodeAuditSearch.java:133)
org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzePackage(NodeAuditAnalyzer.java:189)
org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency(NodeAuditAnalyzer.java:146)
org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
java.base/java.lang.Thread.run(Thread.java:829)

Full package.json: https://gist.github.com/profTwinglings/51d7dbff3abe771c8ece98659fdbf101
package-lock.json: https://gist.github.com/profTwinglings/fadc6d506b4984245dac0feae9a6ebbe
older package-lock.json with node v14: https://gist.github.com/profTwinglings/ff06bb025fcb7cfaedf6350f9f537ee8

To Reproduce Run dependency-check-maven with a package.json that has a package with @ in its name:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>7.1.0</version>
    <configuration>
        <scanSet>
            <fileSet>
                <directory>foo</directory>
                <includes>
                    <include>package.json</include>
                    <include>package-lock.json</include>
                </includes>
            </fileSet>
        </scanSet>
    </configuration>
</plugin>

Expected behavior Successful scan

profTwinglings (Apr 26 '22 09:04)
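As an added example, not code from the issue and not dependency-check's own NodeAuditSearch (the thread does not show how that class builds its payload): the script below reads a package-lock.json in either lockfileVersion 1 (nested "dependencies" objects keyed by package name, the format the reporter gets from node v14 and says works) or lockfileVersion 2/3 (a flat "packages" map keyed by install path, written by npm 7 and later, so by the npm bundled with node 18), keeps scoped names such as @types/jest whole, and shapes the result into the {name: [versions]} body that the npm registry's bulk advisory endpoint (POST /-/npm/v1/security/advisories/bulk) accepts. The pitfall it handles is that in a v2/v3 lock the key is a path like node_modules/@types/jest, so splitting on "/" cuts a scoped name in half. Both lock files are constructed here and trimmed; the versions follow the reporter's package.json, while @scope/nested and the linked entry are hypothetical.

```python
"""Added example, not dependency-check's own code: read a package-lock.json
(lockfileVersion 1 or 2/3), keep scoped names such as "@types/jest" intact,
and shape the result into the {name: [versions]} body accepted by the npm
registry's bulk advisory endpoint (POST /-/npm/v1/security/advisories/bulk)."""
import json
from collections import defaultdict

NODE_MODULES = "node_modules/"


def _walk_v1(deps, out):
    """lockfileVersion 1: nested "dependencies" objects keyed by package name."""
    for name, meta in deps.items():
        if "version" in meta:
            out[name].add(meta["version"])
        _walk_v1(meta.get("dependencies", {}), out)


def name_from_path(path):
    """Package name for a lockfileVersion 2/3 "packages" key.

    Keys are install paths such as "node_modules/@types/jest" or
    "node_modules/axios/node_modules/@scope/pkg". Everything after the last
    "node_modules/" is the name; for a scoped package that name contains a
    slash, so splitting the path on "/" would cut "@types/jest" in half.
    Returns None for the root project ("") and for workspace paths.
    """
    idx = path.rfind(NODE_MODULES)
    if idx == -1:
        return None
    return path[idx + len(NODE_MODULES):]


def collect_packages(lock):
    """Map each installed package name to the set of versions in the lock."""
    out = defaultdict(set)
    if lock.get("lockfileVersion", 1) >= 2 and "packages" in lock:
        for path, meta in lock["packages"].items():
            name = name_from_path(path)
            # Skip the root entry, symlinked workspace packages and
            # entries that carry no version.
            if name is None or meta.get("link") or "version" not in meta:
                continue
            out[name].add(meta["version"])
    else:
        _walk_v1(lock.get("dependencies", {}), out)
    return dict(out)


def bulk_audit_payload(lock):
    """JSON-ready body for the bulk advisory endpoint: {name: [versions]}."""
    packages = collect_packages(lock)
    return {name: sorted(versions) for name, versions in sorted(packages.items())}


def scoped_names(packages):
    """Names starting with "@", i.e. the ones the reporter removed to get a clean run."""
    return sorted(name for name in packages if name.startswith("@"))


# Constructed sample lock files (trimmed). Versions follow the reporter's
# package.json; "@scope/nested" and "linked" are hypothetical entries.
LOCK_V1 = {
    "name": "test",
    "lockfileVersion": 1,
    "dependencies": {
        "@types/jest": {
            "version": "27.4.1",
            "dependencies": {"expect": {"version": "27.5.1"}},
        },
        "axios": {"version": "0.26.0"},
    },
}

LOCK_V2 = {
    "name": "test",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "test", "dependencies": {"@types/jest": "^27.4.1", "axios": "^0.26.0"}},
        "node_modules/@types/jest": {"version": "27.4.1"},
        "node_modules/@types/jest/node_modules/expect": {"version": "27.5.1"},
        "node_modules/axios": {"version": "0.26.0"},
        "node_modules/axios/node_modules/@scope/nested": {"version": "1.0.0"},
        "node_modules/linked": {"resolved": "../linked", "link": True},
    },
}

if __name__ == "__main__":
    for lock in (LOCK_V1, LOCK_V2):
        print("lockfileVersion", lock["lockfileVersion"])
        print("scoped packages:", scoped_names(collect_packages(lock)))
        print(json.dumps(bulk_audit_payload(lock), indent=2))
```

Pointing the script at a real lock file is a matter of json.load on the file and passing the result to bulk_audit_payload; the printed body is what you would POST to the registry, which makes it easy to compare the scoped-name entries a v1 and a v2 lock produce for the same package.json.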

bump

profTwinglings (May 04 '22 13:05)

Hello, I am having the same problem, any ideas on what to do to solve this?

Szugro2 (May 09 '22 08:05)

Hello, I have not been able to reproduce your issue. By loading both provided files into a test (as per cb59ad1f762f62ac0ec0389ba2d691fa5e497338), I observe an HTTP 200 response from the node audit API.

Do you still observe this issue? If yes, do you observe this issue every time? If you clone the repo, checkout the commit and perform an mvn -s settings.xml verify, are all the tests green? Could you please share the default encoding of your workstation, alongside the encoding of the file generating the issue? What are your npm and node versions?

On my side:

$ node --version
v18.7.0
$ npm --version
8.15.0

nhumblot (Aug 09 '22 21:08)
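An added example (not from the thread) for gathering the facts the maintainer asks for: whether the lock file carries a UTF-8 byte order mark or any non-ASCII bytes, the workstation's locale charmap, the JVM's default charset (which is what dependency-check-maven will read files with), and the node and npm versions. The java -XshowSettings:properties flag, locale charmap and the dd/od pipeline are standard; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the issue: report the encoding facts asked for
# above. Usage: ./check_encoding.sh package-lock.json

# First three bytes of a file as lowercase hex, e.g. "efbbbf".
first3_hex() {
    dd if="$1" bs=1 count=3 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Succeeds when the file starts with a UTF-8 byte order mark (EF BB BF),
# which looks invisible in an editor but is not valid at the start of JSON.
has_utf8_bom() {
    [ "$(first3_hex "$1")" = "efbbbf" ]
}

# Succeeds when any byte outside printable ASCII and whitespace is present.
# LC_ALL=C makes grep look at raw bytes instead of decoding them.
has_non_ascii() {
    LC_ALL=C grep -q '[^[:print:][:space:]]' "$1"
}

report_encoding() {
    f="$1"
    if has_utf8_bom "$f"; then echo "$f: UTF-8 BOM present"; else echo "$f: no BOM"; fi
    if has_non_ascii "$f"; then echo "$f: contains non-ASCII bytes"; else echo "$f: pure ASCII"; fi
    echo "locale charmap: $(locale charmap 2>/dev/null || echo unknown)"
    if command -v java >/dev/null 2>&1; then
        # Default charset the JVM, and so dependency-check-maven, will use.
        java -XshowSettings:properties -version 2>&1 | grep -i 'file.encoding' || true
    fi
    command -v node >/dev/null 2>&1 && echo "node $(node --version)"
    command -v npm >/dev/null 2>&1 && echo "npm $(npm --version)"
    return 0
}

if [ $# -gt 0 ]; then
    report_encoding "$1"
fi
```

Scoped package names are plain ASCII, so a lock file that reports "pure ASCII" and "no BOM" rules encoding out as the cause and leaves the lockfileVersion difference the reporter observed as the thing to look at.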

Related to #3716 & #3717

nhumblot (Aug 09 '22 21:08)