NullPointerException in Semver for hyphenated NPM version matches

[dnorton]

Describe the bug
As of the 7.4.0 release of DependencyCheck, we are encountering a NullPointerException in the NodePackageAnalyzer when the match range has a hyphen.

This is the exception I get in dependency-check when I run it against my node repository:

[WARN] An unexpected error occurred during analysis of '<redacted_path>/package-lock.json' (Node.js Package Analy
[ERROR]
java.lang.NullPointerException: Cannot invoke "String.trim()" because "value" is null
	at com.vdurmont.semver4j.Semver.<init>(Semver.java:26)
	at com.vdurmont.semver4j.Requirement.hyphenRequirement(Requirement.java:487)
	at com.vdurmont.semver4j.Requirement.evaluateReversePolishNotation(Requirement.java:338)
	at com.vdurmont.semver4j.Requirement.evaluateReversePolishNotation(Requirement.java:371)
	at com.vdurmont.semver4j.Requirement.buildWithTokenizer(Requirement.java:138)
	at com.vdurmont.semver4j.Requirement.buildNPM(Requirement.java:112)
	at com.vdurmont.semver4j.Semver.satisfies(Semver.java:167)
	at org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer.npmVersionsMatch(DependencyBundlingAnalyzer.java:629)
	at org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer.findDependency(AbstractNpmAnalyzer.java:297)
	at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.processDependencies(NodePackageAnalyzer.java:448)
	at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.processDependencies(NodePackageAnalyzer.java:396)
	at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.analyzeDependency(NodePackageAnalyzer.java:270)

I know this isn't specifically a bug in DependencyCheck, but it is causing failures in our CI process.
see: vdurmont/semver4j#63

Version of dependency-check used
version 7.4.0

To Reproduce

This class throws a NPE

import com.vdurmont.semver4j.Semver;
public class Main {
    public static void main(String[] args) {
        Semver semver = new Semver("3.1.4", Semver.SemverType.NPM);
        System.out.println(semver.satisfies("^2.9.12 || ^3.0.0-0"));
    }
}

This returns true

$ node                           
Welcome to Node.js v18.8.0.
Type ".help" for more information.
> const semver = require('semver');
undefined
> semver.satisfies('3.1.4', '^2.9.12 || ^3.0.0-0');
true

[dnorton]

Even simpler, this fails

import com.vdurmont.semver4j.Semver;
public class Main {
    public static void main(String[] args) {
        Semver semver = new Semver("3.1.4", Semver.SemverType.NPM);
        System.out.println(semver.satisfies("^3.0.0-0"));
    }
}

This returns true

import com.vdurmont.semver4j.Semver;
public class Main {
    public static void main(String[] args) {
        Semver semver = new Semver("3.1.4", Semver.SemverType.NPM);
        System.out.println(semver.satisfies("^2.9.12 || ^3.0.0"));
    }
}

[dnorton]

A simple fix for this might be to strip off the "-#" in DependencyBundlingAnalyzer.java

           try {
                final Semver v = new Semver(right, SemverType.NPM);
                // strip hyphen in "left" here
                return v.satisfies(left);
            } catch (SemverException ex) {
                LOGGER.trace("ignore", ex);
            }

[mprins]

Perhaps upgrading to https://github.com/semver4j/semver4j would be a good idea as the original lib development stalled