fix(yarn): avoid error on yarn berry audit when no vulnerability found (#7501)

Author: chadoc

core/src/main/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzer.java

@@ -54,6 +54,7 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
+import java.util.stream.Stream;
 
 @ThreadSafe
 public class YarnAuditAnalyzer extends AbstractNpmAnalyzer {
@@ -388,7 +389,9 @@ private List<JSONObject> fetchYarnAdvisories(Dependency dependency, boolean skip
         final String advisoriesJsons = startAndReadStdoutToString(builder);
 
         LOGGER.debug("Advisories JSON: {}", advisoriesJsons);
-        String[] advisoriesJsonArray = advisoriesJsons.split("\n");
+        String[] advisoriesJsonArray = Stream.of(advisoriesJsons.split("\n"))
+                .filter(s -> !s.isBlank())
+                .toArray(String[]::new);
         try {
             List<JSONObject> advisories = new ArrayList<>();
             for (String advisoriesJson : advisoriesJsonArray) {

core/src/test/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzerIT.java

@@ -33,12 +33,29 @@ public class YarnAuditAnalyzerIT extends BaseTest {
 
     @Test
     public void testAnalyzePackageYarnClassic() throws AnalysisException, InitializationException, InvalidSettingException {
-        testAnalyzePackageYarn("yarn-classic-audit/yarn.lock");
+        testAnalyzePackageYarn("yarn/yarn-classic-audit/yarn.lock");
     }
 
     @Test
     public void testAnalyzePackageYarnBerry() throws AnalysisException, InitializationException, InvalidSettingException {
-        testAnalyzePackageYarn("yarn-berry-audit/yarn.lock");
+        testAnalyzePackageYarn("yarn/yarn-berry-audit/yarn.lock");
+    }
+
+    @Test
+    public void testAnalyzePackageYarnBerryNoVulnerability() throws AnalysisException, InitializationException, InvalidSettingException {
+        //Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_YARN_AUDIT_ENABLED), is(true));
+        try (Engine engine = new Engine(getSettings())) {
+            var analyzer = new YarnAuditAnalyzer();
+            analyzer.setFilesMatched(true);
+            analyzer.initialize(getSettings());
+            analyzer.prepare(engine);
+            final Dependency toScan = new Dependency(BaseTest.getResourceAsFile(this, "yarn/yarn-berry-audit-no-vulnerability/yarn.lock"));
+            analyzer.analyze(toScan, engine);
+            assertTrue("No dependency should be identified", engine.getDependencies().length == 0);
+        } catch (InitializationException ex) {
+            //yarn is not installed - skip the test case.
+            Assume.assumeNoException(ex);
+        }
     }
 
     private void testAnalyzePackageYarn(String yarnLockFile) throws AnalysisException {

core/src/test/resources/yarn/yarn-berry-audit-no-vulnerability/.yarn/install-state.gz

@@ -0,0 +1,19 @@
+{
+  "name": "owasp-nodejs-goat",
+  "private": true,
+  "version": "1.3.0",
+  "description": "A tool to learn OWASP Top 10 for node.js developers",
+  "main": "server.js",
+  "comments": {
+    "//": "a9 insecure components"
+  },
+  "scripts": {
+    "start": "node server.js",
+    "test": "node node_modules/grunt-cli/bin/grunt test",
+    "db:seed": "grunt db-reset",
+    "precommit": "grunt precommit"
+  },
+  "repository": "https://github.com/OWASP/NodejsGoat",
+  "license": "Apache 2.0",
+  "packageManager": "[email protected]"
+}

…erry-audit/.yarn/releases/yarn-4.6.0.cjs …nerability/.yarn/releases/yarn-4.6.0.cjscore/src/test/resources/yarn-berry-audit/.yarn/releases/yarn-4.6.0.cjs renamed to core/src/test/resources/yarn/yarn-berry-audit-no-vulnerability/.yarn/releases/yarn-4.6.0.cjs core/src/test/resources/yarn-berry-audit/.yarn/releases/yarn-4.6.0.cjs renamed to core/src/test/resources/yarn/yarn-berry-audit-no-vulnerability/.yarn/releases/yarn-4.6.0.cjs

@@ -0,0 +1,12 @@
+# This file is generated by running "yarn install" inside your project.
+# Manual changes might be lost - proceed with caution!
+
+__metadata:
+  version: 8
+  cacheKey: 10c0
+
+"owasp-nodejs-goat@workspace:.":
+  version: 0.0.0-use.local
+  resolution: "owasp-nodejs-goat@workspace:."
+  languageName: unknown
+  linkType: soft

…t/resources/yarn-berry-audit/.yarnrc.yml …berry-audit-no-vulnerability/.yarnrc.ymlcore/src/test/resources/yarn-berry-audit/.yarnrc.yml renamed to core/src/test/resources/yarn/yarn-berry-audit-no-vulnerability/.yarnrc.yml core/src/test/resources/yarn-berry-audit/.yarnrc.yml renamed to core/src/test/resources/yarn/yarn-berry-audit-no-vulnerability/.yarnrc.yml

@@ -0,0 +1,3 @@
+nodeLinker: node-modules
+
+yarnPath: .yarn/releases/yarn-4.6.0.cjs