Dependencycheck: Please consider using NVD for npm packages

Created on 27 Apr 2018 · 6 Comments · Source: jeremylong/DependencyCheck

If I understand correctly, Dependency Check uses only NSP for checking npm packages. The following command produces a report which refers only to advisories provided by Node Security Project:

${OWASP_DEPENDENCY_CHECK_HOME}/bin/dependency-check.sh --project myproject --out dependency-check --scan package.json

But if NSP analyzer is disabled, then you'll get an empty report:

${OWASP_DEPENDENCY_CHECK_HOME}/bin/dependency-check.sh --project myproject --out dependency-check --scan package.json --disableNSP

NVD contains CVEs reported against npm packages, for example:

This case is covered by the advisory from Node Security Project. But there may be issues which are not covered by Node Security Project. Furthermore, Node Security Project recently joined npm, Inc. The advisories are still there, but I am not sure how Node Security Project is going to work in future.

It might make sense to update Dependency Check to be able to use NVD for checking npm packages.

Labels: enhancement, question

All 6 comments

The reason we do not use the NVD for Node.js analysis is the sheer number of false positives it produces. In fact, in the NPM ecosystem it appears so very few vulnerabilities are actually reported as CVEs - I haven't seen one yet where there was a CVE without a corresponding NSP entry.

It appears NSP was acquired by NPM, so we're getting a [ERROR] api.nodesecurity.io now in the logs. Any ideas moving forward on what to use?

The NSP service appears to be working just fine. In fact, NPM (the company) has made no announcement they are changing it, rather incorporating the NSP service into the npm build tool itself. So instead of having to use npm to build and nsp to check, a single tool will do both + will have additional features (like audit) that currently don't exist.

Perhaps there's another issue folks are experiencing using NSP. I just tried scanning OWASP NodeGoat with Dependency-Check and ran nsp check and both work fine.

NPM Inc. announced to close NSP in September 2018. How will the dependency-checker behave from September on regarding node modules?

It seems to have been finally shut down now. We're seeing the following if we don't explicitly disable the node and nodeAudit analysers:

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:4.0.2:check (run-when-install) on project xyz: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during dependency-check analysis
[ERROR] api.nodesecurity.io
[ERROR] api.nodesecurity.io
[ERROR] api.nodesecurity.io
[ERROR] api.nodesecurity.io
[ERROR] api.nodesecurity.io
[ERROR] api.nodesecurity.io
[ERROR] -> [Help 1]

The host api.nodesecurity.io is no longer DNS-resolvable.

ATM we have no plans to use the NVD to analyze Node projects. NPM is on top of things. We have migrated to using the npm audit APIs.
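Since the thread ends with the maintainers moving to the npm audit APIs as the NSP replacement, here is an added example (not Dependency-Check's own code) of gating a build on `npm audit --json` output. It assumes the two report shapes npm has emitted (npm 6 keyed by `advisories`, npm 7+ keyed by `vulnerabilities`); both sample reports below are constructed, not real advisories.

```python
import json

# Constructed sample in the npm 6 `npm audit --json` shape (assumption: advisories keyed
# by advisory id). Package names, ids and URLs are invented for illustration.
NPM6_REPORT = json.dumps({
    "advisories": {
        "1001": {"id": 1001, "module_name": "left-pad-like", "severity": "high",
                 "title": "Constructed advisory", "url": "https://example.invalid/1001",
                 "findings": [{"version": "1.0.0", "paths": ["left-pad-like"]}]},
        "1002": {"id": 1002, "module_name": "some-util", "severity": "low",
                 "title": "Constructed advisory", "url": "https://example.invalid/1002",
                 "findings": [{"version": "2.3.1", "paths": ["a>some-util"]}]},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0,
                                     "high": 1, "critical": 0}},
})

# Constructed sample in the npm 7+ shape (assumption: auditReportVersion 2, keyed by package).
NPM7_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "some-util": {"name": "some-util", "severity": "moderate", "isDirect": False,
                      "via": [{"source": 1002, "name": "some-util", "severity": "moderate",
                               "range": "<2.4.0", "url": "https://example.invalid/1002"}],
                      "range": "<2.4.0", "nodes": ["node_modules/some-util"],
                      "fixAvailable": True},
    },
})

# npm's severity ladder, ordered so a threshold can be compared numerically.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def parse_audit(report_json):
    """Normalise either npm audit format to a list of (package, severity) tuples."""
    report = json.loads(report_json)
    if "advisories" in report:  # npm 6 shape: one entry per advisory
        return [(a["module_name"], a["severity"]) for a in report["advisories"].values()]
    # npm 7+ shape: one entry per affected package, with the worst severity rolled up
    return [(v["name"], v["severity"]) for v in report.get("vulnerabilities", {}).values()]


def failing_findings(report_json, threshold="high"):
    """Findings at or above the threshold; an empty list means the build gate passes."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in parse_audit(report_json) if SEVERITY_RANK.get(f[1], 0) >= floor]


if __name__ == "__main__":
    for label, report in (("npm6", NPM6_REPORT), ("npm7", NPM7_REPORT)):
        print(label, "blocking findings:", failing_findings(report))
```

In a pipeline the report would come from `npm audit --json` on the project directory rather than from the embedded samples; the threshold is the knob that decides which severities fail the build.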
