Fix NullReferenceException in NpmLockfileDetectorBase when dependencies object is missing (#1437)

* Initial plan for issue

* Start investigation of NullReferenceException in NpmLockfileDetectorBase

Co-authored-by: jcfiorenzano <[email protected]>

* Fix NullReferenceException in NpmLockfileDetectorBase when dependencies object is missing

- Add null check for dependencies object in ProcessIndividualPackageJTokens method
- Use null conditional operator to safely handle missing dependencies/packages properties
- Add comprehensive test cases for both lockfile v2 (dependencies) and v3 (packages) scenarios
- Ensure backward compatibility and no regression in existing functionality

Resolves issue where package-lock.json files without dependencies/packages properties would cause NullReferenceException when calling .Children<JProperty>() on null JToken.

Co-authored-by: jcfiorenzano <[email protected]>

* Revert global.json SDK version change back to 8.0.408

Co-authored-by: jcfiorenzano <[email protected]>

* Remove TestNpmDetector_PackageLockWithNullDependenciesValue_ShouldHandleGracefully test as requested

Co-authored-by: jcfiorenzano <[email protected]>

* Remove TestNpmDetector_PackageLockWithNullPackagesValue_ShouldHandleGracefully test as requested

Co-authored-by: jcfiorenzano <[email protected]>

* Remove comment as requested

Co-authored-by: jcfiorenzano <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: jcfiorenzano <[email protected]>
Co-authored-by: Greg Villicana <[email protected]>

Author: 3 people

src/Microsoft.ComponentDetection.Detectors/npm/NpmLockfileDetectorBase.cs

@@ -170,7 +170,7 @@ private void ProcessIndividualPackageJTokens(ISingleFileComponentRecorder single
         var dependencies = this.ResolveDependencyObject(packageLockJToken);
         var topLevelDependencies = new Queue<(JProperty, TypedComponent)>();
 
-        var dependencyLookup = dependencies.Children<JProperty>().ToDictionary(dependency => dependency.Name);
+        var dependencyLookup = dependencies?.Children<JProperty>().ToDictionary(dependency => dependency.Name) ?? [];
 
         foreach (var stream in packageJsonComponentStream)
         {

test/Microsoft.ComponentDetection.Detectors.Tests/NpmDetectorWithRootsTests.cs

@@ -609,4 +609,88 @@ public async Task TestNpmDetector_DependencyGraphIsCreatedAsync()
         dependencyGraph.GetDependenciesForComponent(componentBId).Should().Contain(componentCId);
         dependencyGraph.GetDependenciesForComponent(componentCId).Should().BeEmpty();
     }
+
+    [TestMethod]
+    public async Task TestNpmDetector_PackageLockWithoutDependenciesObject_ShouldHandleGracefully()
+    {
+        // This test reproduces the NullReferenceException issue when package-lock.json doesn't contain a "dependencies" object
+        var packageLockJson = @"{
+                ""name"": ""test"",
+                ""version"": ""1.0.0"",
+                ""lockfileVersion"": 2
+            }";
+
+        var packageJsonContents = @"{
+                ""name"": ""test"",
+                ""version"": ""1.0.0""
+            }";
+
+        var (scanResult, componentRecorder) = await this.DetectorTestUtility
+            .WithFile(this.packageLockJsonFileName, packageLockJson, this.packageLockJsonSearchPatterns)
+            .WithFile(this.packageJsonFileName, packageJsonContents, this.packageJsonSearchPattern)
+            .ExecuteDetectorAsync();
+
+        // The detector should handle the missing "dependencies" object gracefully without throwing
+        scanResult.ResultCode.Should().Be(ProcessingResultCode.Success);
+        var detectedComponents = componentRecorder.GetDetectedComponents();
+        detectedComponents.Should().BeEmpty(); // No dependencies should be detected
+    }
+
+    [TestMethod]
+    public async Task TestNpmDetector_PackageLockMissingDependenciesButPackageJsonHasDependencies_ShouldHandleGracefully()
+    {
+        // This test reproduces a more specific scenario where package.json has dependencies but package-lock.json is missing dependencies
+        var packageLockJson = @"{
+                ""name"": ""test"",
+                ""version"": ""1.0.0"",
+                ""lockfileVersion"": 2
+            }";
+
+        var packageJsonContents = @"{
+                ""name"": ""test"",
+                ""version"": ""1.0.0"",
+                ""dependencies"": {
+                    ""lodash"": ""^4.17.21""
+                }
+            }";
+
+        var (scanResult, componentRecorder) = await this.DetectorTestUtility
+            .WithFile(this.packageLockJsonFileName, packageLockJson, this.packageLockJsonSearchPatterns)
+            .WithFile(this.packageJsonFileName, packageJsonContents, this.packageJsonSearchPattern)
+            .ExecuteDetectorAsync();
+
+        // The detector should handle the missing "dependencies" object gracefully without throwing
+        // This may result in processing failure but should not throw NullReferenceException
+        var detectedComponents = componentRecorder.GetDetectedComponents();
+        detectedComponents.Should().BeEmpty(); // No dependencies should be detected since dependencies is missing
+    }
+
+    [TestMethod]
+    public async Task TestNpmDetector_PackageLockMissingDependenciesProperty_ShouldNotThrowNullReferenceException()
+    {
+        // This test reproduces the exact NullReferenceException scenario from the issue:
+        // package-lock.json doesn't contain a "dependencies" property at all
+        var packageLockJson = @"{
+                ""name"": ""test"",
+                ""version"": ""1.0.0"",
+                ""lockfileVersion"": 2
+            }";
+
+        var packageJsonContents = @"{
+                ""name"": ""test"",
+                ""version"": ""1.0.0""
+            }";
+
+        // Before the fix, this would throw a NullReferenceException because
+        // packageLockJToken["dependencies"] returns null, and calling .Children<JProperty>() on null throws
+        var (scanResult, componentRecorder) = await this.DetectorTestUtility
+            .WithFile(this.packageLockJsonFileName, packageLockJson, this.packageLockJsonSearchPatterns)
+            .WithFile(this.packageJsonFileName, packageJsonContents, this.packageJsonSearchPattern)
+            .ExecuteDetectorAsync();
+
+        // The detector should handle the missing "dependencies" property gracefully without throwing
+        scanResult.ResultCode.Should().Be(ProcessingResultCode.Success);
+        var detectedComponents = componentRecorder.GetDetectedComponents();
+        detectedComponents.Should().BeEmpty(); // No dependencies should be detected since dependencies is missing
+    }
 }

test/Microsoft.ComponentDetection.Detectors.Tests/NpmLockfile3DetectorTests.cs

@@ -284,4 +284,88 @@ public async Task TestNpmDetector_NestedNodeModulesV3Async()
         dependencyGraph.GetDependenciesForComponent(componentAId).Should().Contain(componentBId);
         dependencyGraph.GetDependenciesForComponent(componentBId).Should().BeEmpty();
     }
+
+    [TestMethod]
+    public async Task TestNpmDetector_PackageLockWithoutPackagesObject_ShouldHandleGracefully()
+    {
+        // This test reproduces the NullReferenceException issue when package-lock.json doesn't contain a "packages" object
+        var packageLockJson = @"{
+                ""name"": ""test"",
+                ""version"": ""1.0.0"",
+                ""lockfileVersion"": 3
+            }";
+
+        var packageJsonContents = @"{
+                ""name"": ""test"",
+                ""version"": ""1.0.0""
+            }";
+
+        var (scanResult, componentRecorder) = await this.DetectorTestUtility
+            .WithFile(this.packageLockJsonFileName, packageLockJson, this.packageLockJsonSearchPatterns)
+            .WithFile(this.packageJsonFileName, packageJsonContents, this.packageJsonSearchPattern)
+            .ExecuteDetectorAsync();
+
+        // The detector should handle the missing "packages" object gracefully without throwing
+        scanResult.ResultCode.Should().Be(ProcessingResultCode.Success);
+        var detectedComponents = componentRecorder.GetDetectedComponents();
+        detectedComponents.Should().BeEmpty(); // No dependencies should be detected
+    }
+
+    [TestMethod]
+    public async Task TestNpmDetector_PackageLockMissingPackagesButPackageJsonHasDependencies_ShouldHandleGracefully()
+    {
+        // This test reproduces a more specific scenario where package.json has dependencies but package-lock.json is missing packages
+        var packageLockJson = @"{
+                ""name"": ""test"",
+                ""version"": ""1.0.0"",
+                ""lockfileVersion"": 3
+            }";
+
+        var packageJsonContents = @"{
+                ""name"": ""test"",
+                ""version"": ""1.0.0"",
+                ""dependencies"": {
+                    ""lodash"": ""^4.17.21""
+                }
+            }";
+
+        var (scanResult, componentRecorder) = await this.DetectorTestUtility
+            .WithFile(this.packageLockJsonFileName, packageLockJson, this.packageLockJsonSearchPatterns)
+            .WithFile(this.packageJsonFileName, packageJsonContents, this.packageJsonSearchPattern)
+            .ExecuteDetectorAsync();
+
+        // The detector should handle the missing "packages" object gracefully without throwing
+        // This may result in processing failure but should not throw NullReferenceException
+        var detectedComponents = componentRecorder.GetDetectedComponents();
+        detectedComponents.Should().BeEmpty(); // No dependencies should be detected since packages is missing
+    }
+
+    [TestMethod]
+    public async Task TestNpmDetector_PackageLockMissingPackagesProperty_ShouldNotThrowNullReferenceException()
+    {
+        // This test reproduces the exact NullReferenceException scenario from the issue:
+        // package-lock.json doesn't contain a "packages" property at all
+        var packageLockJson = @"{
+                ""name"": ""test"",
+                ""version"": ""1.0.0"",
+                ""lockfileVersion"": 3
+            }";
+
+        var packageJsonContents = @"{
+                ""name"": ""test"",
+                ""version"": ""1.0.0""
+            }";
+
+        // Before the fix, this would throw a NullReferenceException because
+        // packageLockJToken["packages"] returns null, and calling .Children<JProperty>() on null throws
+        var (scanResult, componentRecorder) = await this.DetectorTestUtility
+            .WithFile(this.packageLockJsonFileName, packageLockJson, this.packageLockJsonSearchPatterns)
+            .WithFile(this.packageJsonFileName, packageJsonContents, this.packageJsonSearchPattern)
+            .ExecuteDetectorAsync();
+
+        // The detector should handle the missing "packages" property gracefully without throwing
+        scanResult.ResultCode.Should().Be(ProcessingResultCode.Success);
+        var detectedComponents = componentRecorder.GetDetectedComponents();
+        detectedComponents.Should().BeEmpty(); // No dependencies should be detected since packages is missing
+    }
 }