Today from time to time I got the following error:
15:26:59 [INFO] Finished Node.js Package Analyzer (0 seconds)
15:27:00 [INFO] Finished Dependency Merging Analyzer (0 seconds)
15:27:00 [INFO] Finished Version Filter Analyzer (0 seconds)
15:27:00 [INFO] Finished Hint Analyzer (0 seconds)
15:27:02 [INFO] Created CPE Index (1 seconds)
15:27:02 [INFO] Skipping CPE Analysis for npm
15:27:02 [INFO] Finished CPE Analyzer (2 seconds)
15:27:02 [INFO] Finished False Positive Analyzer (0 seconds)
15:27:02 [INFO] Finished NVD CVE Analyzer (0 seconds)
15:28:33 [WARN] An error occurred while analyzing '/src/package-lock.json' (Node Audit Analyzer).
15:28:34 [WARN] An error occurred while analyzing '/src/package-lock.json' (Node Audit Analyzer).
15:28:34 [INFO] Finished Node Audit Analyzer (92 seconds)
15:28:34 [INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
15:28:43 [INFO] Finished Dependency Bundling Analyzer (8 seconds)
15:28:43 [INFO] Analysis Complete (103 seconds)
15:28:44 [ERROR] Failed to read results from the NPM Audit API (NodeAuditAnalyzer); the analyzer is being disabled and may result in false negatives.
15:28:44 [ERROR] Failed to read results from the NPM Audit API (NodeAuditAnalyzer); the analyzer is being disabled and may result in false negatives.
Can't find any information about this error.
Does this mean there is an online service unavailable?
If yes, what is the URL of this service? (To check, before starting the scan)
Thanks
Additional information:
We are not using the OWASP Dependency-Check Plugin, we are working with the owasp/dependency-check docker image from https://hub.docker.com/r/owasp/dependency-check/
@githubhs17 I had a similar problem to this. See #1679
You can get more information from the Jenkins System Logs.
The URL by default is http://registry.npmjs.org/-/npm/v1/security/audits
I have been getting the same errors for a few days.
But it does not occur every time. Are there any known issues with availability of the API in general?
I'm actually seeing this issue again, also intermittently, without a network configuration issue. Does not appear to be an issue with the Node Audit API. Jenkins System Logs just state:
An error occurred while analyzing '/var/lib/jenkins/workspace/dependencyCheckTest/package-lock.json' (Node Audit Analyzer).
Same problem here, but only sometimes. Today the issue persisted for several hours, though:
[INFO] Finished NVD CVE Analyzer (0 seconds)
[DEBUG] Initializing Node Audit Analyzer
[DEBUG] Initializing Node Audit Analyzer
[DEBUG] Node Audit Search URL: https://registry.npmjs.org/-/npm/v1/security/audits
[DEBUG] Not using proxy
[DEBUG] Starting Node Audit Analyzer
[DEBUG] Parallel processing with up to 2 threads: Node Audit Analyzer.
[DEBUG] Begin Analysis of '/var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/package-lock.json' (Node Audit Analyzer)
[DEBUG] Skipping analysis of node module: /var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/node_modules/handlebars/package-lock.json
[DEBUG] Begin Analysis of '/var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/node_modules/handlebars/package-lock.json' (Node Audit Analyzer)
[DEBUG] Skipping analysis of node module: /var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/node_modules/handlebars/package-lock.json
[DEBUG] Skipping analysis of node module: /var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/node_modules/babel-runtime/package-lock.json
[DEBUG] Begin Analysis of '/var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/node_modules/babel-runtime/package-lock.json' (Node Audit Analyzer)
[DEBUG] Skipping analysis of node module: /var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/node_modules/babel-runtime/package-lock.json
[DEBUG] Skipping analysis of node module: /var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/node_modules/babel-code-frame/package-lock.json
[DEBUG] Begin Analysis of '/var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/node_modules/babel-code-frame/package-lock.json' (Node Audit Analyzer)
[DEBUG] Skipping analysis of node module: /var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/node_modules/babel-code-frame/package-lock.json
[DEBUG] Skipping analysis of node module: /var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/node_modules/stats-webpack-plugin/package-lock.json
[DEBUG] Begin Analysis of '/var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/node_modules/stats-webpack-plugin/package-lock.json' (Node Audit Analyzer)
[DEBUG] Skipping analysis of node module: /var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/node_modules/stats-webpack-plugin/package-lock.json
[DEBUG] Skipping analysis of node module: /var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/node_modules/babel-types/package-lock.json
[DEBUG] Begin Analysis of '/var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/node_modules/babel-types/package-lock.json' (Node Audit Analyzer)
[DEBUG] Skipping analysis of node module: /var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/node_modules/babel-types/package-lock.json
[DEBUG] Skipping analysis of node module: /var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/node_modules/babel-traverse/package-lock.json
[DEBUG] Begin Analysis of '/var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/node_modules/babel-traverse/package-lock.json' (Node Audit Analyzer)
[DEBUG] Skipping analysis of node module: /var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/node_modules/babel-traverse/package-lock.json
[DEBUG] Skipping analysis of node module: /var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/node_modules/babel-template/package-lock.json
[DEBUG] Begin Analysis of '/var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/node_modules/babel-template/package-lock.json' (Node Audit Analyzer)
[DEBUG] Skipping analysis of node module: /var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/node_modules/babel-template/package-lock.json
[DEBUG] Begin Analysis of '/var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/package-lock.json' (Node Audit Analyzer)
[DEBUG] Available Protocols:
[DEBUG] SSLv2Hello
[DEBUG] SSLv3
[DEBUG] TLSv1
[DEBUG] TLSv1.1
[DEBUG] TLSv1.2
[DEBUG] TLSv1.3
[DEBUG] Parsing JSON node
[DEBUG] Begin Analysis of '/var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/package-lock.json' (Node Audit Analyzer)
[DEBUG] Parsing JSON node
[DEBUG] Begin Analysis of '/var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/package-lock.json' (Node Audit Analyzer)
[DEBUG] Parsing JSON node
[DEBUG] Begin Analysis of '/var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/package-lock.json' (Node Audit Analyzer)
[DEBUG] Parsing JSON node
[DEBUG] Begin Analysis of '/var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/package-lock.json' (Node Audit Analyzer)
[DEBUG] Could not connect to Node Audit API. Received response code: 503 No backends available
[DEBUG] Error reading dependency or connecting to NPM Audit API
java.io.IOException: Could not connect to Node Audit API
at org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage(NodeAuditSearch.java:137)
at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency(NodeAuditAnalyzer.java:179)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:136)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
[WARNING] An error occurred while analyzing '/var/lib/jenkins-slave/workspace/example.ui-master-commit/src/main/webapp/package-lock.json' (Node Audit Analyzer).
[DEBUG]
org.owasp.dependencycheck.analyzer.exception.AnalysisException: Failed to read results from the NPM Audit API (NodeAuditAnalyzer); the analyzer is being disabled and may result in false negatives.
at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency(NodeAuditAnalyzer.java:223)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:136)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.io.IOException: Could not connect to Node Audit API
at org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage(NodeAuditSearch.java:137)
at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency(NodeAuditAnalyzer.java:179)
... 7 more
[DEBUG] Parsing JSON node
[INFO] Finished Node Audit Analyzer (19 seconds)
Some further notes about my company network:
We only permit HTTP access in and out of our internal network. May this cause sporadic issues with the analyzer?
Today again, 2 of around 25 scans failed with [ERROR] Failed to read results from the NPM Audit API (NodeAuditAnalyzer); the analyzer is being disabled and may result in false negatives.
We have had the same problem for a few days, with more frequency.
Is there any solution for this?
This question should be addressed to npm as it has occurred in the past.
https://twitter.com/npmjs/status/1042555961871749120?lang=en
Any news? Sometimes it takes 4-5 tries...
Hi, I guess it's related (same :D ) to
https://github.com/jeremylong/DependencyCheck/issues/1679
Btw, still facing these issues as well, but only from time to time, mostly randomly
[DependencyCheck] Analyzing Dependencies
[DependencyCheck] One or more exceptions were thrown while executing Dependency-Check
[DependencyCheck] Exception Caught: org.owasp.dependencycheck.analyzer.exception.AnalysisException
[DependencyCheck] Cause: Could not connect to Node Audit API
[DependencyCheck] Message: Failed to read results from the NPM Audit API (NodeAuditAnalyzer); the analyzer is being disabled and may result in false negatives.
[DependencyCheck] org.owasp.dependencycheck.analyzer.exception.AnalysisException: Failed to read results from the NPM Audit API (NodeAuditAnalyzer); the analyzer is being disabled and may result in false negatives.
[DependencyCheck] at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency(NodeAuditAnalyzer.java:223)
[DependencyCheck] at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:136)
[DependencyCheck] at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
[DependencyCheck] at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
[DependencyCheck] at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[DependencyCheck] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[DependencyCheck] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[DependencyCheck] at java.lang.Thread.run(Thread.java:748)
[DependencyCheck] Caused by: java.io.IOException: Could not connect to Node Audit API
[DependencyCheck] at org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage(NodeAuditSearch.java:137)
[DependencyCheck] at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency(NodeAuditAnalyzer.java:179)
[DependencyCheck] ... 7 more
[DependencyCheck]
Same problem - also intermittent.
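As an added example (not part of the thread and not Dependency-Check's own code): a shell wrapper that treats a run as incomplete when the log shows the Node Audit Analyzer being disabled, and retries instead of accepting a report that may contain false negatives. The function names, the `RETRY_DELAY` variable and exit code 75 are assumptions of this example; the scan command is whatever invocation you already use.

```shell
#!/bin/sh
# Added example (not Dependency-Check code): retry a scan whose npm audit data is missing.

# Message copied from the logs quoted in this thread.
DISABLED_MSG='Failed to read results from the NPM Audit API (NodeAuditAnalyzer); the analyzer is being disabled'
INCOMPLETE_RC=75   # assumption: exit code this example uses for "still incomplete"

# Constructed sample log, modelled on the lines quoted in the thread.
sample_log() {
    cat <<'EOF'
[DEBUG] Could not connect to Node Audit API. Received response code: 503 No backends available
java.io.IOException: Could not connect to Node Audit API
[ERROR] Failed to read results from the NPM Audit API (NodeAuditAnalyzer); the analyzer is being disabled and may result in false negatives.
[INFO] Finished Node Audit Analyzer (19 seconds)
EOF
}

# audit_incomplete LOGFILE: succeeds if the analyzer was disabled during that run.
audit_incomplete() {
    grep -qF -- "$DISABLED_MSG" "$1"
}

# audit_failure_reason LOGFILE: prints the upstream response if a debug log recorded it.
audit_failure_reason() {
    reason=$(sed -n 's/.*Could not connect to Node Audit API\. Received response code: //p' "$1" | head -n 1)
    printf '%s\n' "${reason:-unknown}"
}

# scan_with_retry MAX_TRIES LOGFILE CMD [ARGS...]
# Runs CMD with output captured in LOGFILE. Returns CMD's exit status from the first
# run in which the analyzer stayed enabled, or INCOMPLETE_RC if every run lost it.
scan_with_retry() {
    max=$1; log=$2; shift 2
    try=1
    while [ "$try" -le "$max" ]; do
        rc=0
        "$@" >"$log" 2>&1 || rc=$?
        if ! audit_incomplete "$log"; then
            return "$rc"
        fi
        echo "attempt $try/$max: npm audit results missing ($(audit_failure_reason "$log"))" >&2
        try=$((try + 1))
        if [ "$try" -le "$max" ]; then sleep "${RETRY_DELAY:-30}"; fi
    done
    return "$INCOMPLETE_RC"
}
```

Failing the build on the incomplete exit code keeps a run without npm audit data from being recorded as a clean scan.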