Dependencycheck: feature request: support pnpm and yarn projects

Created on 3 Aug 2018 · 16 comments · Source: jeremylong/DependencyCheck

pnpm uses a shrinkwrap.yaml file and yarn uses yarn.lock.

Both are different than the lockfile of npm, so it might be good to support them.

enhancement

All 16 comments

The issue is that in a lot of ways - the security analysis of npm is just a wrapper around nsp. If one was strictly using node, I would recommend just using nsp or npm audit. ODC is useful in the case of multi-language projects or for organizations that wanted to have a single format that could be imported more easily into dependency-track or a vulnerability management platform.

The issue is that in a lot of ways - the security analysis of npm is just a wrapper around nsp

Not anymore, as nsp is deprecated and they use https://github.com/nodejs/security-wg and other resources now.

See https://www.npmjs.com/package/nsp

npmjs bought nsp.

We know - and yet today, the dependency-check analysis is using nsp which will be around through Sept, 2018.

We know - and yet today, the dependency-check analysis is using nsp which will be around through Sept, 2018.

Which is not so far away ;-)
Is there a PR for the migration to the audit API or other endpoints?

@stevespringett any progress on changing the endpoints for the NspAnalyzer?

@jeremylong I'll be creating a branch for this soon, as the commit is going to be a decent size (20+ files modified already). I should have something posted later this week. After we replace NSP with NPM Audit, however, we'll have to continue to make changes, since NPM Audit, to this day, still has a requirement on NSP. So it's a bit of a moving target that we'll have to stay on top of.

@DanielRuf Previously, NSP simply used package.json in a slightly modified payload to analyze the project for vulns. NSP would perform all the resolution, etc. There wasn't a requirement to specify every single dependency, and since package.json was fairly universal, it wasn't specific to NPM. However, NPM Audit has dramatically changed that. The service is more closely tied to NPM and requires package-lock.json or npm shrinkwrap. A yarn project will need to convert yarn.lock to package-lock.json in order for it to be analyzed. Check out synp for a possible solution. File conversion is out of scope for the Dependency-Check project. Conversion to package-lock.json will need to be done on each of the non-NPM ecosystems. That said, analyzing Node projects doesn't necessarily need to rely on NPM Audit in the future. Once #1276 and #1391 are complete (this requires back-end changes on Sonatype's part), it will be possible to create a Dependency-Check analyzer for Yarn lock files and use OSSIndex to perform the analysis instead of NPM Audit. This will likely require additional setup, however, i.e. registering for OSSIndex and obtaining an API token, since registered users have a higher request limit than non-registered users. Having a registered account would be especially important for Node projects because of their micro-module approach.

Automatic conversion would be awesome. I tried adding a synp step to convert in my build and then analyse, but I still get "Skipping CPE Analysis for npm".

My cmd line:

synp --source-file yarn.lock && mkdir -p dependency-check && /Users/et2448/Downloads/dependency-check/bin/dependency-check.sh --enableExperimental --format ALL -o dependency-check --project TACJFR --scan package.json

At least we have yarn audit now.

I'm guessing this request will never be implemented?

Hey. It's been a few years, is this still under consideration?

I have not had time to support yarn. We accept PRs - that is actually where most of the support for other package managers originated.

I was hoping for pnpm support :)

Is there a doc for adding support? I don't really know java, but if there's a doc and decent model to follow, I can probably figure out enough to get a PR up for review.

Honestly, the current node analysis is doing exactly the same thing as npm audit (or in your case pnpm audit). We are looking at bringing in the Node.js information from Retire.js - but no work has been started. What would be needed is a way to convert the package files from pnpm into the information that would get submitted to the npm audit service. The start of this can be found here:

https://github.com/jeremylong/DependencyCheck/blob/c33513933bcddfb2efebd97384be9f39820bd62a/core/src/main/java/org/owasp/dependencycheck/analyzer/NodeAuditAnalyzer.java#L175-L189
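To make concrete what the two comments above describe (a yarn.lock that NPM Audit cannot read directly, and the lockfile-to-audit-payload conversion that a pnpm or yarn analyzer would have to do), here is an added example that is not code from DependencyCheck, synp or npm. It parses the yarn.lock v1 format and assembles the flat root/requires/dependencies body of the legacy npm audit request; that body layout, the sample lockfile and the package names are assumptions, not taken from the thread.

```javascript
// Added example (not DependencyCheck, synp or npm code): read a yarn.lock v1 file and
// build the audit-style request body. The body layout is assumed from memory, not from the page.
const YARN_LOCK = `# yarn lockfile v1

"@babel/code-frame@^7.0.0":
  version "7.10.4"
  resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.10.4.tgz#0000"
  integrity sha512-CONSTRUCTED1
  dependencies:
    "@babel/highlight" "^7.10.4"

lodash@^4.17.0, lodash@^4.17.15:
  version "4.17.20"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.20.tgz#0000"
  integrity sha512-CONSTRUCTED2
`; // constructed sample lockfile; hashes and URLs are placeholders

const unquote = (s) => s.replace(/^"|"$/g, "");
// "name@range" -> [name, range]; scoped names start with "@", so split at the last "@".
const splitSpec = (spec) => { const i = spec.lastIndexOf("@"); return [spec.slice(0, i), spec.slice(i + 1)]; };

function parseYarnLock(text) {
  const entries = []; let cur = null;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {                 // header: one or more "name@range" keys
      const specs = line.replace(/:$/, "").split(",").map((s) => unquote(s.trim()));
      cur = { specs, version: null, integrity: null, requires: {} };
      entries.push(cur);
    } else if (line.startsWith("    ") && cur) { // 4-space indent: a required dependency
      const m = line.trim().match(/^("[^"]+"|\S+)\s+"?([^"]+)"?$/);
      if (m) cur.requires[unquote(m[1])] = m[2];
    } else if (cur) {                            // 2-space indent: version / resolved / integrity
      const [key, ...rest] = line.trim().split(/\s+/);
      if (key === "version") cur.version = unquote(rest.join(" "));
      if (key === "integrity") cur.integrity = rest.join(" ");
    }
  }
  return entries;
}
// The flat body holds one version per package name; when yarn.lock resolves a second
// version, a real converter nests it. Here it is only reported in `conflicts`, never dropped silently.
function toAuditPayload(pkg, entries) {
  const dependencies = {}, conflicts = [];
  for (const e of entries) {
    const [name] = splitSpec(e.specs[0]);
    if (dependencies[name] && dependencies[name].version !== e.version) { conflicts.push(`${name}@${e.version}`); continue; }
    dependencies[name] = { version: e.version, integrity: e.integrity, requires: e.requires };
  }
  return { payload: { name: pkg.name, version: pkg.version, requires: { ...pkg.dependencies }, dependencies }, conflicts };
}
```

Run it with `node` and feed `toAuditPayload` the project's own package.json name, version and dependencies; a non-empty `conflicts` list is the signal that the flat shape is not enough and the nested conversion (what synp does) is needed.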

Yarn audit is now wrapped by ODC.
