JS: Ensure Dependency.info() exists even if version range could not be parsed

asgerf · asgerf · commit 068a9d88e7e6 · 2021-03-31T16:08:08.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/dependencies/Dependencies.qll b/javascript/ql/src/semmle/javascript/dependencies/Dependencies.qll
@@ -127,18 +127,22 @@ class ExternalNPMDependency extends NPMDependency {
     exists(PackageDependencies pkgdeps | this = pkgdeps.getPropValue(result))
   }
 
-  override string getVersion() {
+  private string getVersionNumber() {
     exists(string versionRange | versionRange = this.(JSONString).getValue() |
       // extract a concrete version from the version range; currently,
       // we handle exact versions as well as `<=`, `>=`, `~` and `^` ranges
       result = versionRange.regexpCapture("(?:[><]=|[=~^])?v?(\\d+(\\.\\d+){1,2})", 1)
-      or
-      // if no version is specified, report version `unknown`
-      result = "unknown" and
-      (versionRange = "" or versionRange = "*")
     )
   }
 
+  override string getVersion() {
+    result = getVersionNumber()
+    or
+    // if no version is specified or could not be parsed, report version `unknown`
+    not exists(getVersionNumber()) and
+    result = "unknown"
+  }
+
   override Import getAnImport() {
     exists(int depth | depth = importsDependency(result, getDeclaringPackage(), this) |
       // restrict to those results for which this is the closest matching dependency
