
Unable to perform npm audit using the maven plugin when package-lock.json generated with Node 16.x or higher #5369

Closed
aruizca opened this issue Jan 23, 2023 · 8 comments

aruizca commented Jan 23, 2023


Version of dependency-check used
The problem occurs using version 7.4.4 of the maven plugin

Log file
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.4.4:aggregate (default) on project snapshots: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis:
[ERROR] SearchException: Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
[ERROR] -> [Help 1]

To Reproduce
Steps to reproduce the behavior:

  1. Try running dependency-check aggregate on a Node module whose package-lock.json was generated with the npm version that ships by default with Node 16.14.2.

Expected behavior
Dependency-check should be able to digest the package-lock.json format generated by the npm versions that ship with Node 16.x+ (lockfileVersion=2).

@aruizca aruizca added the bug label Jan 23, 2023
aruizca (Author) commented Jan 23, 2023

Please find attached an anonymized sample package-lock.json file that fails (rename the file to .json):
package-lock.txt

mprins (Contributor) commented Jan 23, 2023

Does it fail with a supported version of ODC? https://github.com/jeremylong/DependencyCheck/security/policy#security-policy

aruizca (Author) commented Jan 23, 2023

Hi, I have just tried with version 8.0.1 of the plugin and I am still getting the same error. In debug mode I get this output:

[DEBUG] Invalid payload submitted to Node Audit API. Received response code: 400 Bad Request
[ERROR] NodeAuditAnalyzer failed on /Users/aruizca/workspace/appfire/snapshots-publishing/snapshots-client/package-lock.json
[WARNING] An error occurred while analyzing '/Users/aruizca/workspace/appfire/snapshots-publishing/snapshots-client/package-lock.json' (Node Audit Analyzer).
[DEBUG] 
org.owasp.dependencycheck.analyzer.exception.SearchException: Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
    at org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage (NodeAuditSearch.java:209)
    at org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage (NodeAuditSearch.java:133)
    at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzePackage (NodeAuditAnalyzer.java:189)
    at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency (NodeAuditAnalyzer.java:146)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:829)
[INFO] Finished Node Audit Analyzer (1 seconds)

I also see this error at the end:

Caused by: org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during analysis:
        SearchException: Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
    at org.owasp.dependencycheck.Engine.analyzeDependencies (Engine.java:687)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1914)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:1096)

Thanks!

aikebah (Collaborator) commented Jan 23, 2023

@aruizca Do you skip devDependencies? And if so, can you try a run without skipping them to see if this is the same as #5359?

aruizca (Author) commented Jan 24, 2023

Hi @aikebah !

Yes, we are skipping dev dependencies. If I set "nodeAuditSkipDevDependencies" to false, then it runs successfully. It seems it is the same problem as #5359. In previous versions I don't have that problem.

Cheers!
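The exchange above narrows the failure to the combination of a lockfileVersion 2 file and nodeAuditSkipDevDependencies=true. The following is an added example, not code from dependency-check and not a claim about the exact root cause fixed later in the thread: it reads the `packages` section of a constructed lockfileVersion 2 file (where the `"dev": true` flag lives), builds a request in the shape of npm's bulk audit payload (`name`, `version`, `requires`, `dependencies`, assumed here from npm's audit format), and checks locally for `requires` entries that point at nothing, which is one way such a payload can become inconsistent once dev packages are dropped. The sample lock file is deliberately constructed with a production package that requires a dev-flagged one so that the check has something to find.

```python
import json

# Constructed sample of a lockfileVersion 2 package-lock.json (not real data).
# "left-pad" is a production dependency that, for illustration, requires
# "debug", while "debug" itself is flagged as a dev-only package.
SAMPLE_LOCK = {
    "name": "sample-app",
    "version": "1.0.0",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "sample-app", "version": "1.0.0",
             "dependencies": {"left-pad": "^1.3.0"},
             "devDependencies": {"mocha": "^10.0.0"}},
        "node_modules/left-pad": {"version": "1.3.0",
                                  "dependencies": {"debug": "^4.3.4"}},
        "node_modules/mocha": {"version": "10.2.0", "dev": True,
                               "dependencies": {"debug": "^4.3.4"}},
        "node_modules/debug": {"version": "4.3.4", "dev": True},
    },
}


def build_audit_payload(lock, skip_dev=True):
    """Build a payload shaped like npm's bulk audit request from a
    lockfileVersion 2 file. With skip_dev=True, every entry in "packages"
    flagged "dev": true is left out, mirroring nodeAuditSkipDevDependencies.
    Nested copies (a/node_modules/b) are flattened onto their bare name."""
    root = lock["packages"][""]
    requires = dict(root.get("dependencies", {}))
    if not skip_dev:
        requires.update(root.get("devDependencies", {}))
    deps = {}
    for path, meta in lock["packages"].items():
        if path == "" or (skip_dev and meta.get("dev")):
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        deps[name] = {"version": meta["version"],
                      "requires": dict(meta.get("dependencies", {}))}
    return {"name": lock["name"], "version": lock["version"],
            "requires": requires, "dependencies": deps}


def find_dangling(payload):
    """Return names referenced by any 'requires' map that have no entry in
    'dependencies'. Catching this locally is cheaper than a remote 400."""
    present = set(payload["dependencies"])
    wanted = set(payload["requires"])
    for meta in payload["dependencies"].values():
        wanted.update(meta["requires"])
    return sorted(wanted - present)
```

Running `find_dangling(build_audit_payload(SAMPLE_LOCK, skip_dev=True))` reports `["debug"]` for the constructed file, while the same call with `skip_dev=False` reports nothing, matching the pattern the reporter observed.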

oliverlockwood (Contributor) commented

I wonder whether #6690 (done in the context of #6437) might have fixed this? I haven't tested yet but intend to do so at some point.

oliverlockwood (Contributor) commented

Update: I have tested this with a local build of the main branch of Dependency-Check.

I believe that PR #6690 (done in the context of #6437) has fixed this.

jeremylong (Owner) commented

Thank you for testing and confirming this is closed.
