Dependencycheck: Errors from node checker

Created on 7 May 2019 · 7 Comments · Source: jeremylong/DependencyCheck

Describe the bug
When analyzing my project, I got a lot of errors (on M3, but not on M2, or less verbose).

First, I always get a lot of warnings, like #1851.
Second, I got this:

[INFO] Finished NVD CVE Analyzer (0 seconds)
[ERROR] NodeAuditAnalyzer failed on /project/package-lock.json
[WARN] An error occurred while analyzing '/project//package-lock.json' (Node Audit Analyzer).
[ERROR] NodeAuditAnalyzer failed on /project/package-lock.json
[WARN] An error occurred while analyzing '/project//package-lock.json' (Node Audit Analyzer).

The error and warning are repeated 23 times.

After that, I get this error:

[WARN] Failed to fetch component-report for: pkg:npm/%40babel/[email protected]
java.lang.IllegalStateException: Missing component-report for: pkg:npm/%40babel/[email protected]
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:231)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:161)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:138)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:834)

Same error for 84 different packages.

At the end I got:

[INFO] Analysis Complete (131 seconds)
[ERROR] Could not perform Node Audit analysis - service returned a 503.
[ERROR] Could not perform Node Audit analysis - service returned a 503.
[ERROR] Could not perform Node Audit analysis - service returned a 503.

The error is repeated 23 times.

Version of dependency-check used
The problem occurs using version 5.0.0-M3 of the CLI.

Log file
Hmm, I started the CLI with the -l <file> option... but it doesn't end, and produces a file of more than 500 MB... So I'll retry with fewer dependencies.

To Reproduce
--> I'm investigating.
----> In fact, it seems the Node Audit analysis spams npm, so with a real project we can't finish the analysis... because only the first libraries are scanned...

Expected behavior
No errors (or trying).
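As an added example (not code from dependency-check or from this thread), a small Python log triage that counts the Node Audit 503s, failed lock files and OSS Index missing component-reports shown in the excerpts above, so a CI job can fail closed instead of trusting a report whose npm coverage was only partial. The sample log text and the purls in it are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the format of the log excerpts quoted in the issue
# above; the purls are made up, this is not output of a real run.
SAMPLE_LOG = """\
[INFO] Finished NVD CVE Analyzer (0 seconds)
[ERROR] NodeAuditAnalyzer failed on /project/package-lock.json
[WARN] An error occurred while analyzing '/project//package-lock.json' (Node Audit Analyzer).
[ERROR] NodeAuditAnalyzer failed on /project/package-lock.json
[WARN] Failed to fetch component-report for: pkg:npm/%40scope/name@1.2.3
java.lang.IllegalStateException: Missing component-report for: pkg:npm/%40scope/name@1.2.3
[WARN] Failed to fetch component-report for: pkg:npm/plain@4.5.6
[INFO] Analysis Complete (131 seconds)
[ERROR] Could not perform Node Audit analysis - service returned a 503.
[ERROR] Could not perform Node Audit analysis - service returned a 503.
"""

NODE_AUDIT_FAIL = re.compile(r"NodeAuditAnalyzer failed on (\S+)")
NODE_AUDIT_HTTP = re.compile(r"Node Audit analysis - service returned a (\d{3})")
OSS_INDEX_MISS = re.compile(r"Failed to fetch component-report for: (pkg:npm/\S+)")


def purl_to_name_version(purl):
    """'pkg:npm/%40scope/name@1.2.3' -> ('@scope/name', '1.2.3')."""
    name_ver = unquote(purl[len("pkg:npm/"):])
    name, sep, version = name_ver.rpartition("@")
    return (name, version) if sep else (name_ver, "")


def triage(log_text):
    """Summarise which analyzers degraded and on which files/packages."""
    failed_files, http_status, missing = set(), Counter(), {}
    for line in log_text.splitlines():
        if m := NODE_AUDIT_FAIL.search(line):
            failed_files.add(m.group(1))
        elif m := NODE_AUDIT_HTTP.search(line):
            http_status[m.group(1)] += 1
        elif m := OSS_INDEX_MISS.search(line):
            # dict keeps first-seen order and dedupes repeated purls
            missing.setdefault(m.group(1), purl_to_name_version(m.group(1)))
    return {"node_audit_failed_files": sorted(failed_files),
            "node_audit_http_status": dict(http_status),
            "oss_index_missing": list(missing.values())}


def audit_coverage_ok(summary):
    """False when any npm package may have gone unchecked: fail closed."""
    return not (summary["node_audit_failed_files"]
                or summary["node_audit_http_status"]
                or summary["oss_index_missing"])
```

Wire `triage(open(logfile).read())` into the CI step that runs the CLI with `-l <file>` and exit non-zero when `audit_coverage_ok` is false.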



All 7 comments

I am able to reproduce this on OSX v10.14.4 with

  • NPM v6.9.0
  • Java v1.8.0_201

using 5.0.0-M3 of the CLI.

I believe #1906 may help resolve some of this.

@jeremylong not totally; this will just remove useless warnings, but the real issue was that npm returns a lot of 503 errors because, I think, dependency-check sends too many requests to npm audit...

In fact, to resolve this (totally), the solution will be to "Use local node analysis instead of npm audit" #1924 (so no request to npm audit, for the same result... and finally, use it like the NVD, downloading the vulnerabilities beforehand).

Another possible solution is to include a new parameter in the CLI that allows you to specify the npm audit registry. Then we could point to a proxy such as:

--registry https://peterton.nl

It appears that the solution at http://www.peterton.nl may be helpful in this case.

As of now, the NodeAuditAnalyzer is not usable, so that really lowers the value for JavaScript projects.

A lot of changes were made with the 5.3.0 release and I believe this issue should now be closed. Are people still seeing this specific issue?

Also, while not exposed as a configuration parameter (yet), you can set the registry using JAVA_OPTS (see #2423):

You can set this today using JAVA_OPTS:

export JAVA_OPTS="$JAVA_OPTS -Danalyzer.node.audit.url=https://registry.npmjs.org/-/npm/v1/security/audits"

This issue seems very old to me...

As I see in my git history, I've been using analyzer.node.audit.url since 15 May 2019, so maybe I didn't find the configuration when I opened the issue.

Thanks
