InfoSec812 / npm-audit-ci-wrapper

A wrapper for 'npm audit' which can be configured for use in a CI/CD tool like Jenkins
Apache License 2.0

Execution fails when running a 2nd time, with TypeError: Cannot convert undefined or null to object #25

Closed groovecoder closed 5 years ago

groovecoder commented 5 years ago

When I try to run the ci wrapper command twice in a row, it fails?

groovetop:blurts-server lcrouch$ npm-audit-ci-wrapper -t 'low'
There are vulnerable dependencies which exceed the selected threshold and scope:
                            braces(1.8.5               ): https://www.npmjs.com/advisories/786               (low >= low)

groovetop:blurts-server lcrouch$ npm-audit-ci-wrapper -t 'low'
/Users/lcrouch/code/mozilla/blurts-server/node_modules/npm-audit-ci-wrapper/lib/parser.js:34
    let advisories = Object.entries(data.advisories);
                            ^

TypeError: Cannot convert undefined or null to object
    at Function.entries (<anonymous>)
    at parse_audit_results (/Users/lcrouch/code/mozilla/blurts-server/node_modules/npm-audit-ci-wrapper/lib/parser.js:34:29)
    at exec (/Users/lcrouch/code/mozilla/blurts-server/node_modules/npm-audit-ci-wrapper/bin/index.js:39:36)
    at ChildProcess.exithandler (child_process.js:279:5)
    at ChildProcess.emit (events.js:159:13)
    at maybeClose (internal/child_process.js:943:16)
    at Socket.stream.socket.on (internal/child_process.js:363:11)
    at Socket.emit (events.js:159:13)
    at Pipe._handle.close [as _onclose] (net.js:568:12)

InfoSec812 commented 5 years ago

@groovecoder Could you try running npm audit --json twice in a row and see if you get different results?

InfoSec812 commented 5 years ago

So far, I am unable to reproduce this error. Do you have an example project I could try running this against to see if I can reproduce it and develop a test case?

groovecoder commented 5 years ago

Hmm ... I'm unable to reproduce now. May have been a fluke of my shell session. Sorry for bug-noise.

InfoSec812 commented 5 years ago

Thanks for the feedback!!

tehshane commented 5 years ago

Sorry for the issue necromancy, but FWIW we're encountering this issue on our Jenkins server today as well.

+ npx npm-audit-ci-wrapper --threshold=high --ignore-dev-dependencies
npx: installed 2 in 1.457s
/var/lib/jenkins/.npm/_npx/21435/lib/node_modules/npm-audit-ci-wrapper/lib/parser.js:34
    let advisories = Object.entries(data.advisories);
                            ^
TypeError: Cannot convert undefined or null to object
    at Function.entries (<anonymous>)
    at parse_audit_results (/var/lib/jenkins/.npm/_npx/21435/lib/node_modules/npm-audit-ci-wrapper/lib/parser.js:34:29)
    at exec (/var/lib/jenkins/.npm/_npx/21435/lib/node_modules/npm-audit-ci-wrapper/bin/index.js:39:36)
    at ChildProcess.exithandler (child_process.js:301:5)
    at ChildProcess.emit (events.js:189:13)
    at maybeClose (internal/child_process.js:970:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:259:5)
script returned exit code 1

danielmorlock commented 5 years ago

Same here:

/c/dev/vbl-callback-service/app/node_modules/npm-audit-ci-wrapper/lib/parser.js:34
    let advisories = Object.entries(data.advisories);
                            ^

TypeError: Cannot convert undefined or null to object
    at Function.entries (<anonymous>)
    at parse_audit_results (/c/dev/vbl-callback-service/app/node_modules/npm-audit-ci-wrapper/lib/parser.js:34:29)
    at exec (/c/dev/vbl-callback-service/app/node_modules/npm-audit-ci-wrapper/bin/index.js:39:36)
    at ChildProcess.exithandler (child_process.js:301:5)
    at ChildProcess.emit (events.js:189:13)
    at maybeClose (internal/child_process.js:970:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:259:5)

Result of npm audit --json:

$ npm audit --json
{
  "actions": [
    {
      "action": "update",
      "module": "ecstatic",
      "depth": 2,
      "target": "3.3.2",
      "resolves": [
        {
          "id": 830,
          "path": "http-server>ecstatic",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ]
    },
    {
      "action": "update",
      "module": "tar",
      "depth": 4,
      "target": "2.2.2",
      "resolves": [
        {
          "id": 803,
          "path": "@angular-devkit/build-angular>node-sass>node-gyp>tar",
          "dev": true,
          "optional": true,
          "bundled": false
        }
      ]
    }
  ],
  "advisories": {
    "803": {
      "findings": [
        {
          "version": "2.2.1",
          "paths": [
            "@angular-devkit/build-angular>node-sass>node-gyp>tar"
          ],
          "dev": true,
          "optional": true,
          "bundled": false
        }
      ],
      "id": 803,
      "created": "2019-04-04T03:31:56.572Z",
      "updated": "2019-04-12T15:52:56.353Z",
      "deleted": null,
      "title": "Arbitrary File Overwrite",
      "found_by": {
        "link": "",
        "name": "Max Justicz"
      },
      "reported_by": {
        "link": "",
        "name": "Max Justicz"
      },
      "module_name": "tar",
      "cves": [],
      "vulnerable_versions": "<4.4.2",
      "patched_versions": ">=4.4.2",
      "overview": "Versions of `tar` prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.",
      "recommendation": "Upgrade to version 4.4.2 or later.",
      "references": "- [HackerOne Report](https://hackerone.com/reports/344595)",
      "access": "public",
      "severity": "high",
      "cwe": "CWE-59",
      "metadata": {
        "module_type": "",
        "exploitability": 5,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/803"
    },
    "830": {
      "findings": [
        {
          "version": "3.3.1",
          "paths": [
            "http-server>ecstatic"
          ],
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ],
      "id": 830,
      "created": "2019-04-23T14:56:48.369Z",
      "updated": "2019-05-03T14:28:33.676Z",
      "deleted": null,
      "title": "Open Redirect",
      "found_by": {
        "link": "",
        "name": "Mario Casola"
      },
      "reported_by": {
        "link": "",
        "name": "Mario Casola"
      },
      "module_name": "ecstatic",
      "cves": [],
      "vulnerable_versions": "<2.2.2 || >=3.0.0 <3.3.2 || >=4.0.0 <4.1.2",
      "patched_versions": ">=2.2.2 <3.0.0 || >=3.3.2 <4.0.0 || >=4.1.2",
      "overview": "Versions of `ecstatic` prior to 4.1.2, 3.3.2 or 2.2.2 are vulnerable to Open Redirect. The package fails to validate redirects, allowing attackers to craft requests that result in an `HTTP 301` redirect to any other domains.",
      "recommendation": "If using `ecstatic` 4.x, upgrade to 4.1.2 or later.\nIf using `ecstatic` 3.x, upgrade to 3.3.2 or later.\nIf using `ecstatic` 2.x, upgrade to 2.2.2 or later.",
      "references": "",
      "access": "public",
      "severity": "high",
      "cwe": "CWE-601",
      "metadata": {
        "module_type": "",
        "exploitability": 5,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/830"
    }
  },
  "muted": [],
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 0,
      "high": 2,
      "critical": 0
    },
    "dependencies": 7610,
    "devDependencies": 54677,
    "optionalDependencies": 2768,
    "totalDependencies": 62579
  },
  "runId": "1a0df5cf-d4ea-459f-ab3c-e9ffe3bd684a"
}
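Every trace in this thread stops at the same place: Object.entries(data.advisories) with no advisories object in the audit JSON. The following is an added example (not the npm-audit-ci-wrapper project's own code) of a defensive version of that parse step, applying the threshold and --ignore-dev-dependencies filtering the reported commands use; SAMPLE is a constructed, trimmed copy of the npm audit --json output posted above, and ERROR_OUTPUT is a constructed stand-in for audit output that carries an error instead of advisories.

```javascript
// Added example, not the project's code: a guarded replacement for the parse
// step that crashed on Object.entries(data.advisories). It tolerates audit
// output with no "advisories" object and applies the threshold and
// ignore-dev-dependencies filters used in the thread's commands.
const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// Returns { findings } at or above the threshold, or { error } when the audit
// JSON is not usable (an error response or a missing "advisories" object).
function parseAuditResults(data, threshold = 'low', ignoreDev = false) {
  if (!data || typeof data !== 'object') {
    return { error: 'audit output is not a JSON object' };
  }
  if (data.error) {
    return { error: `npm audit reported an error: ${data.error.code || 'unknown'}` };
  }
  const advisories = data.advisories;
  if (!advisories || typeof advisories !== 'object') {
    return { error: 'audit output has no "advisories" object' };
  }
  const minLevel = SEVERITIES.indexOf(threshold);
  if (minLevel < 0) return { error: `unknown threshold "${threshold}"` };
  const findings = [];
  for (const adv of Object.values(advisories)) {
    if (SEVERITIES.indexOf(adv.severity) < minLevel) continue;
    // With --ignore-dev-dependencies, drop findings that are only reachable
    // through dev dependencies (every finding in the posted output is dev-only).
    const paths = (adv.findings || []).filter((f) => !(ignoreDev && f.dev));
    if (paths.length === 0) continue;
    findings.push({ id: adv.id, module: adv.module_name, severity: adv.severity, url: adv.url });
  }
  return { findings };
}

// Constructed sample: a trimmed version of the npm audit --json output posted
// in the thread (two "high" advisories, both reached via dev dependencies).
const SAMPLE = { advisories: {
  '803': { id: 803, module_name: 'tar', severity: 'high', url: 'https://npmjs.com/advisories/803',
           findings: [{ version: '2.2.1', dev: true, optional: true, bundled: false }] },
  '830': { id: 830, module_name: 'ecstatic', severity: 'high', url: 'https://npmjs.com/advisories/830',
           findings: [{ version: '3.3.1', dev: true, optional: false, bundled: false }] },
} };

// Constructed stand-in for audit output that carries an error object instead of
// advisories; the unguarded Object.entries call throws on this shape.
const ERROR_OUTPUT = { error: { code: 'EEXAMPLE', summary: 'constructed error response' } };

// The Jenkins invocation from the thread: --threshold=high --ignore-dev-dependencies
console.log(parseAuditResults(SAMPLE, 'high', true), parseAuditResults(ERROR_OUTPUT));
```

With the posted output, the Jenkins flags yield no findings because both advisories are dev-only, while the error-shaped output produces a readable message instead of a TypeError.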