npm package inforamtion without version (#244)

sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/parser/element/Identifier.java

@@ -60,6 +60,7 @@ public static Optional<String> getPackageType(@NonNull Identifier identifier) {
             // pkg:maven/struts/struts@1.2.8 -> maven
             // pkg:javascript/jquery@2.2.0 -> javascript
             // pkg:npm/arr-flatten@1.1.0 -> npm
+            // pkg:npm/mime -> npm
             return Optional.of(StringUtils.substringAfter(StringUtils.substringBefore(identifier.getId(), "/"), "pkg:"));
         }
         return Optional.empty();
@@ -69,6 +70,7 @@ public static Optional<String> getPackageArtifact(@NonNull Identifier identifier
             // pkg:maven/struts/struts@1.2.8 -> struts/struts@1.2.8
             // pkg:javascript/jquery@2.2.0 -> jquery@2.2.0
             // pkg:npm/arr-flatten@1.1.0 -> arr-flatten@1.1.0
+            // pkg:npm/mime -> mime
             return Optional.of(StringUtils.substringAfter(identifier.getId(), "/"));
         }
         return Optional.empty();

sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/reason/NPMDependencyReason.java

@@ -41,6 +41,7 @@
 
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
+import edu.umd.cs.findbugs.annotations.Nullable;
 
 public class NPMDependencyReason extends DependencyReason {
 
@@ -99,12 +100,22 @@ public TextRangeConfidence getBestTextRange(Dependency dependency) {
     }
 
     private void fillArtifactMatch(@NonNull Dependency dependency, Identifier npmIdentifier) {
-        Optional<String> packageArtifact = Identifier.getPackageArtifact(npmIdentifier);
-        if (packageArtifact.isPresent()) {
-            // packageArtifact has something like jquery@2.2.0
-            String[] npmIdentifierSplit = packageArtifact.get().split("@");
-            String name = npmIdentifierSplit[0];
-            String version = npmIdentifierSplit[1];
+        String packageArtifact = Identifier.getPackageArtifact(npmIdentifier).orElse(null);
+        if (StringUtils.isNotBlank(packageArtifact)) {
+            String name;
+            String version;
+            if (packageArtifact.contains("@")) {
+                // packageArtifact is something like jquery@2.2.0
+                String[] npmIdentifierSplit = packageArtifact.split("@");
+                name = npmIdentifierSplit[0];
+                version = npmIdentifierSplit[1];
+            } else {
+                // It happens, that packageArtifact doesn't contain a version
+                // https://github.com/dependency-check/dependency-check-sonar-plugin/issues/242#issuecomment-605521827
+                name = packageArtifact;
+                version = null;
+            }
+
             // Try to find in <dependency>
             for (NPMDependency npmDependency : packageLockModel.getDependencies()) {
                 checkNPMDependency(name, version , npmDependency)
@@ -113,7 +124,7 @@ private void fillArtifactMatch(@NonNull Dependency dependency, Identifier npmIde
         }
     }
 
-    private Optional<TextRangeConfidence> checkNPMDependency(String name, String version, NPMDependency dependency) {
+    private Optional<TextRangeConfidence> checkNPMDependency(String name, @Nullable String version, NPMDependency dependency) {
         if (StringUtils.equals(name, dependency.getName())
                 && StringUtils.equals(version, dependency.getVersion())) {
             LOGGER.debug("Found a name and version match in {}", packageLock);

sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/parser/element/IdentifierTest.java

@@ -47,6 +47,16 @@ public void testNode() {
         assertEquals("npm", Identifier.getPackageType(a).get());
     }
 
+    @Test
+    public void testNodeWithOutVersion() {
+        Identifier a = new Identifier("pkg:npm/mime", Confidence.HIGHEST);
+        assertFalse(Identifier.isMavenPackage(a));
+        assertTrue(Identifier.isNPMPackage(a));
+        assertFalse(Identifier.isJavaScriptPackage(a));
+        assertEquals("mime", Identifier.getPackageArtifact(a).get());
+        assertEquals("npm", Identifier.getPackageType(a).get());
+    }
+
     @Test
     public void testJavaScript() {
         Identifier a = new Identifier("pkg:javascript/jquery@2.2.0", Confidence.HIGHEST);

sonar-dependency-check-plugin/src/test/java/org/sonar/dependencycheck/reason/NPMDependencyReasonTest.java

@@ -126,6 +126,26 @@ public void foundDependencyNPMOnlyWithName() throws IOException {
         assertEquals(npm.getBestTextRange(dependency), npm.getBestTextRange(dependency));
     }
 
+    @Test
+    public void foundDependencyNPMWithoutVersion() throws IOException {
+        NPMDependencyReason npm = new NPMDependencyReason(inputFile("package-lock.json"));
+        // Create Dependency
+        Identifier identifier = new Identifier("pkg:npm/arr-flatten", Confidence.HIGHEST);
+        Collection<Identifier> identifiersCollected = new ArrayList<>();
+        identifiersCollected.add(identifier);
+        Dependency dependency = new Dependency(null, null, null, null, Collections.emptyMap(),Collections.emptyList(), identifiersCollected, Collections.emptyList(), null);
+        TextRangeConfidence textRangeConfidence = npm.getBestTextRange(dependency);
+        assertTrue(npm.isReasonable());
+        assertNotNull(textRangeConfidence);
+        assertEquals(7, textRangeConfidence.getTextrange().start().line());
+        assertEquals(0, textRangeConfidence.getTextrange().start().lineOffset());
+        assertEquals(11, textRangeConfidence.getTextrange().end().line());
+        assertEquals(6, textRangeConfidence.getTextrange().end().lineOffset());
+        assertEquals(Confidence.HIGH, textRangeConfidence.getConfidence());
+        // verify that same dependency points to the same TextRange, use of HashMap
+        assertEquals(npm.getBestTextRange(dependency), npm.getBestTextRange(dependency));
+    }
+
     @Test
     public void foundNoDependency() throws IOException {
         NPMDependencyReason npm = new NPMDependencyReason(inputFile("package-lock.json"));