Dependencycheck: NodeAuditSearch fails with skipped dependency

Created on 22 Jan 2021 · 2 Comments · Source: jeremylong/DependencyCheck

Describe the bug
Node Audit Analyzer detects a problem and declares this dependency to be skipped: "dependency skipped: package.json contain an alias for vue-loader-v16 => [email protected] npm audit doesn't support aliases"
However, NodeAuditSearch still posts this dependency, "vue-loader-v16":"npm:vue-loader@^16.1.0", to the Node Audit API and causes the scan to fail.

```
2021-01-22 12:16:03,806 org.owasp.dependencycheck.analyzer.NodePackageAnalyzer:286
WARN - dependency skipped: package.json contain an alias for vue-loader-v16 => [email protected] npm audit doesn't support aliases
```

Version of dependency-check used
Dependency Check Command Line

```
dependency-check --version
Dependency-Check Core version 6.0.5
```

Log file

```
WARN  - dependency skipped: package.json contain an alias for vue-loader-v16 => [email protected] npm audit doesn't support aliases
2021-01-22 14:46:10,351 org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch:151
DEBUG - ----------------------------------------
2021-01-22 14:46:10,351 org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch:152
DEBUG - Node Audit Payload:
2021-01-22 14:46:10,366 org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch:153
DEBUG - // *** SEE PAYLOAD BELOW ***
2021-01-22 14:46:10,367 org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch:154
DEBUG - ----------------------------------------
2021-01-22 14:46:10,367 org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch:155
DEBUG - ----------------------------------------
2021-01-22 14:46:10,527 org.owasp.dependencycheck.utils.SSLSocketFactoryEx:283
DEBUG - Available Protocols:
2021-01-22 14:46:10,527 org.owasp.dependencycheck.utils.SSLSocketFactoryEx:285
DEBUG - SSLv2Hello
2021-01-22 14:46:10,527 org.owasp.dependencycheck.utils.SSLSocketFactoryEx:285
DEBUG - SSLv3
2021-01-22 14:46:10,527 org.owasp.dependencycheck.utils.SSLSocketFactoryEx:285
DEBUG - TLSv1
2021-01-22 14:46:10,527 org.owasp.dependencycheck.utils.SSLSocketFactoryEx:285
DEBUG - TLSv1.1
2021-01-22 14:46:10,527 org.owasp.dependencycheck.utils.SSLSocketFactoryEx:285
DEBUG - TLSv1.2
2021-01-22 14:46:10,527 org.owasp.dependencycheck.utils.SSLSocketFactoryEx:285
DEBUG - TLSv1.3
2021-01-22 14:46:11,473 org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch:207
DEBUG - Invalid payload submitted to Node Audit API. Received response code: 400 Bad Request
2021-01-22 14:46:11,474 org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer:326
ERROR - NodeAuditAnalyzer failed on /Users/felixmichels/Projekte/vue-cli-odc/package-lock.json
2021-01-22 14:46:11,474 org.owasp.dependencycheck.AnalysisTask:90
WARN  - An error occurred while analyzing '/Users/felixmichels/Projekte/vue-cli-odc/package-lock.json' (Node Audit Analyzer).
2021-01-22 14:46:11,477 org.owasp.dependencycheck.AnalysisTask:91
DEBUG - 
org.owasp.dependencycheck.analyzer.exception.SearchException: Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
    at org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage(NodeAuditSearch.java:209)
    at org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage(NodeAuditSearch.java:133)
    at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzePackage(NodeAuditAnalyzer.java:304)
    at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency(NodeAuditAnalyzer.java:187)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
    at java.base/java.lang.Thread.run(Thread.java:832)
2021-01-22 14:46:11,477 org.owasp.dependencycheck.Engine:630
INFO  - Finished Node Audit Analyzer (1 seconds)
.
.
.
ERROR - Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
2021-01-22 14:46:29,343 org.owasp.dependencycheck.App:209
DEBUG - unexpected error
org.owasp.dependencycheck.analyzer.exception.SearchException: Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
    at org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage(NodeAuditSearch.java:209)
    at org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage(NodeAuditSearch.java:133)
    at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzePackage(NodeAuditAnalyzer.java:304)
    at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency(NodeAuditAnalyzer.java:187)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
    at java.base/java.lang.Thread.run(Thread.java:832)
2021-01-22 14:46:29,343 org.owasp.dependencycheck.utils.Settings:759
DEBUG - Deleting ALL temporary files from `/var/folders/w2/6j80xzbx4l10kszwf46k5qc80000gn/T/dctemp91f06145-cdbb-4b67-a51c-43c61fc1b3cb`
2021-01-22 14:46:29,350 org.owasp.dependencycheck.App:82
DEBUG - Exit code: -14
```

Payload (redacted)
```
{
  "name":"vue-cli-odc",
  "version":"0.1.0",
  "requires":{
    "core-js":"^3.6.5",
    "vue":"^2.6.11",
    "@vue/cli-plugin-babel":"~4.5.0",
    "@vue/cli-plugin-eslint":"~4.5.0",
    "@vue/cli-service":"~4.5.0",
    "babel-eslint":"^10.1.0",
    "eslint":"^6.7.2",
    "eslint-plugin-vue":"^6.2.2",
    "vue-template-compiler":"^2.6.11"
  },
  "dependencies":{
    "@vue/cli-service":{
      "version":"4.5.10",
      "integrity":"sha512-HnVkbc+Zb6J1lu0ojuKC6aQ4PjCW2fqlJE0G9Zqg+7VsUZ2e15UVRoIXj2hcIWtQiFF6n2FDxEkvZLslht9rkg==",
      "requires":{
        // redacted
        "url-loader":"^2.2.0",
        "vue-loader":"^15.9.2",
        "vue-loader-v16":"npm:vue-loader@^16.1.0",
        "vue-style-loader":"^4.1.2",
        "webpack":"^4.0.0",
        "webpack-bundle-analyzer":"^3.8.0",
        "webpack-chain":"^6.4.0",
        "webpack-dev-server":"^3.11.0",
        "webpack-merge":"^4.2.2"
      },
      "dependencies":{
        // redacted
      }
    },
  },
  "install":[

  ],
  "remove":[

  ],
  "metadata":{
    "npm_version":"6.9.0",
    "node_version":"v10.5.0",
    "platform":"linux"
  }
}
```

To Reproduce
Steps to reproduce the behavior:

  1. Clone repository https://github.com/umbertooo/vue-cli-odc
  2. Run script dependency-check.sh
  3. See error

Expected behavior
I expected the dependency scan to complete successfully.

Label: bug
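The failure described above comes down to one mismatch: the payload built from package-lock.json still carries entries whose version spec is an npm alias ("npm:<package>@<range>"), and the Node Audit API answers 400 for those. The following script is an added example, not DependencyCheck's own code, that a practitioner can run against a package-lock.json (or the payload DependencyCheck logs at DEBUG level) before a scan to find out whether aliases are present, and that produces a copy of the tree with the aliased entries removed. It assumes npm's documented alias syntax (specs beginning with "npm:") and the package-lock v1 shape seen in the issue payload, with "requires" mapping names to specs and "dependencies" mapping names to lock entries. The sample payload at the bottom is constructed for the example and modelled on the redacted one above.

```javascript
// Added example (not DependencyCheck's own code): pre-flight check for npm
// package aliases in a Node Audit payload. DependencyCheck builds this payload
// from package-lock.json; the Node Audit API rejects entries whose version spec
// is an alias ("npm:<package>@<range>"), so this locates and strips them first.
//
// Assumptions: alias specs start with "npm:" (npm's alias syntax); the tree has
// the package-lock v1 shape seen in the issue payload:
//   { requires: { name: spec }, dependencies: { name: { version, requires, dependencies } } }

const ALIAS_PREFIX = 'npm:';

// Parse "npm:vue-loader@^16.1.0" into { name: 'vue-loader', range: '^16.1.0' }.
// The last "@" separates name and range, so scoped targets ("npm:@scope/pkg@1.0.0")
// keep their leading "@". Returns null for anything that is not an alias spec.
function parseAliasSpec(spec) {
  if (typeof spec !== 'string' || !spec.startsWith(ALIAS_PREFIX)) return null;
  const body = spec.slice(ALIAS_PREFIX.length);
  const at = body.lastIndexOf('@');
  if (at <= 0) return { name: body, range: '*' }; // no range given
  return { name: body.slice(0, at), range: body.slice(at + 1) };
}

// Recursively copy `node`, dropping aliased entries from both "requires"
// (name -> spec) and "dependencies" (name -> lock entry whose "version" may
// itself be an alias spec). The input is never mutated.
// Returns { payload: sanitizedCopy, aliases: [{ path, alias, target }] }.
function stripAliases(node, path = []) {
  const aliases = [];
  const out = { ...node };
  const record = (name, parsed) =>
    aliases.push({ path: [...path, name].join(' > '), alias: name, target: `${parsed.name}@${parsed.range}` });

  if (node.requires && typeof node.requires === 'object') {
    out.requires = {};
    for (const [name, spec] of Object.entries(node.requires)) {
      const parsed = parseAliasSpec(spec);
      if (parsed) record(name, parsed);
      else out.requires[name] = spec;
    }
  }

  if (node.dependencies && typeof node.dependencies === 'object') {
    out.dependencies = {};
    for (const [name, entry] of Object.entries(node.dependencies)) {
      if (!entry || typeof entry !== 'object') { out.dependencies[name] = entry; continue; }
      const parsed = parseAliasSpec(entry.version);
      if (parsed) { record(name, parsed); continue; }
      const child = stripAliases(entry, [...path, name]);
      out.dependencies[name] = child.payload;
      aliases.push(...child.aliases);
    }
  }
  return { payload: out, aliases };
}

// Convenience wrapper: sanitized payload plus a verdict a CI step can act on.
function auditPayloadReport(payload) {
  const { payload: sanitized, aliases } = stripAliases(payload);
  return { sanitized, aliases, clean: aliases.length === 0 };
}

// Constructed sample modelled on the (redacted) payload in the issue: the
// alias appears once as a "requires" spec and once as a lock entry version.
const SAMPLE_PAYLOAD = {
  name: 'vue-cli-odc',
  version: '0.1.0',
  requires: { vue: '^2.6.11', '@vue/cli-service': '~4.5.0' },
  dependencies: {
    '@vue/cli-service': {
      version: '4.5.10',
      requires: {
        'vue-loader': '^15.9.2',
        'vue-loader-v16': 'npm:vue-loader@^16.1.0',
        webpack: '^4.0.0',
      },
      dependencies: {
        'vue-loader-v16': { version: 'npm:vue-loader@16.1.2', requires: {} }, // constructed entry
      },
    },
  },
  install: [],
  remove: [],
  metadata: { npm_version: '6.9.0', node_version: 'v10.5.0', platform: 'linux' },
};

const report = auditPayloadReport(SAMPLE_PAYLOAD);
for (const a of report.aliases) console.log(`alias ${a.alias} -> ${a.target} (at ${a.path})`);
console.log(report.clean ? 'no aliases: payload can be submitted as-is'
                         : `${report.aliases.length} aliased entries removed from the audit payload`);
```

To use it on a real project, replace SAMPLE_PAYLOAD with JSON.parse of the package-lock.json contents; a non-empty `aliases` list tells you in advance that the Node Audit Analyzer will hit this bug, and the names it reports are the ones whose real target package (the `target` field) still needs to be checked for known vulnerabilities by some other means, since stripping an entry from the payload does not make the underlying package safe.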

All 2 comments

I had the same issue. Had to downgrade to @vue/cli-service 4.4.6, which doesn't use aliases.

I run the dependency check with the option --nodeAuditSkipDevDependencies. This skips node audit for all devDependencies. DevDependencies like the Vue CLI Service are not part of the production code, so I'm fine with this workaround. However, this bug would be a problem if it happened the same way with "normal" dependencies using aliases.

The problem also happens with release 6.1.0.
