@groovecoder Could you try running `npm audit --json` twice in a row and see if you get different results?
So far, I am unable to reproduce this error. Do you have an example project I could try running this against to see if I can reproduce it and develop a test case?
Hmm ... I'm unable to reproduce it now. It may have been a fluke of my shell session. Sorry for the noise.
Thanks for the feedback!!
Sorry for the issue necromancy, but FWIW we're encountering this issue on our Jenkins server today as well.
+ npx npm-audit-ci-wrapper --threshold=high --ignore-dev-dependencies
npx: installed 2 in 1.457s
/var/lib/jenkins/.npm/_npx/21435/lib/node_modules/npm-audit-ci-wrapper/lib/parser.js:34
let advisories = Object.entries(data.advisories);
^
TypeError: Cannot convert undefined or null to object
at Function.entries (<anonymous>)
at parse_audit_results (/var/lib/jenkins/.npm/_npx/21435/lib/node_modules/npm-audit-ci-wrapper/lib/parser.js:34:29)
at exec (/var/lib/jenkins/.npm/_npx/21435/lib/node_modules/npm-audit-ci-wrapper/bin/index.js:39:36)
at ChildProcess.exithandler (child_process.js:301:5)
at ChildProcess.emit (events.js:189:13)
at maybeClose (internal/child_process.js:970:16)
at Process.ChildProcess._handle.onexit (internal/child_process.js:259:5)
script returned exit code 1
Same here:
/c/dev/vbl-callback-service/app/node_modules/npm-audit-ci-wrapper/lib/parser.js:34
let advisories = Object.entries(data.advisories);
^
TypeError: Cannot convert undefined or null to object
at Function.entries (<anonymous>)
at parse_audit_results (/c/dev/vbl-callback-service/app/node_modules/npm-audit-ci-wrapper/lib/parser.js:34:29)
at exec (/c/dev/vbl-callback-service/app/node_modules/npm-audit-ci-wrapper/bin/index.js:39:36)
at ChildProcess.exithandler (child_process.js:301:5)
at ChildProcess.emit (events.js:189:13)
at maybeClose (internal/child_process.js:970:16)
at Process.ChildProcess._handle.onexit (internal/child_process.js:259:5)
Result of `npm audit --json`:
$ npm audit --json
{
"actions": [
{
"action": "update",
"module": "ecstatic",
"depth": 2,
"target": "3.3.2",
"resolves": [
{
"id": 830,
"path": "http-server>ecstatic",
"dev": true,
"optional": false,
"bundled": false
}
]
},
{
"action": "update",
"module": "tar",
"depth": 4,
"target": "2.2.2",
"resolves": [
{
"id": 803,
"path": "@angular-devkit/build-angular>node-sass>node-gyp>tar",
"dev": true,
"optional": true,
"bundled": false
}
]
}
],
"advisories": {
"803": {
"findings": [
{
"version": "2.2.1",
"paths": [
"@angular-devkit/build-angular>node-sass>node-gyp>tar"
],
"dev": true,
"optional": true,
"bundled": false
}
],
"id": 803,
"created": "2019-04-04T03:31:56.572Z",
"updated": "2019-04-12T15:52:56.353Z",
"deleted": null,
"title": "Arbitrary File Overwrite",
"found_by": {
"link": "",
"name": "Max Justicz"
},
"reported_by": {
"link": "",
"name": "Max Justicz"
},
"module_name": "tar",
"cves": [],
"vulnerable_versions": "<4.4.2",
"patched_versions": ">=4.4.2",
"overview": "Versions of `tar` prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.",
"recommendation": "Upgrade to version 4.4.2 or later.",
"references": "- [HackerOne Report](https://hackerone.com/reports/344595)",
"access": "public",
"severity": "high",
"cwe": "CWE-59",
"metadata": {
"module_type": "",
"exploitability": 5,
"affected_components": ""
},
"url": "https://npmjs.com/advisories/803"
},
"830": {
"findings": [
{
"version": "3.3.1",
"paths": [
"http-server>ecstatic"
],
"dev": true,
"optional": false,
"bundled": false
}
],
"id": 830,
"created": "2019-04-23T14:56:48.369Z",
"updated": "2019-05-03T14:28:33.676Z",
"deleted": null,
"title": "Open Redirect",
"found_by": {
"link": "",
"name": "Mario Casola"
},
"reported_by": {
"link": "",
"name": "Mario Casola"
},
"module_name": "ecstatic",
"cves": [],
"vulnerable_versions": "<2.2.2 || >=3.0.0 <3.3.2 || >=4.0.0 <4.1.2",
"patched_versions": ">=2.2.2 <3.0.0 || >=3.3.2 <4.0.0 || >=4.1.2",
"overview": "Versions of `ecstatic` prior to 4.1.2, 3.3.2 or 2.2.2 are vulnerable to Open Redirect. The package fails to validate redirects, allowing attackers to craft requests that result in an `HTTP 301` redirect to any other domains.",
"recommendation": "If using `ecstatic` 4.x, upgrade to 4.1.2 or later.\nIf using `ecstatic` 3.x, upgrade to 3.3.2 or later.\nIf using `ecstatic` 2.x, upgrade to 2.2.2 or later.",
"references": "",
"access": "public",
"severity": "high",
"cwe": "CWE-601",
"metadata": {
"module_type": "",
"exploitability": 5,
"affected_components": ""
},
"url": "https://npmjs.com/advisories/830"
}
},
"muted": [],
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 2,
"critical": 0
},
"dependencies": 7610,
"devDependencies": 54677,
"optionalDependencies": 2768,
"totalDependencies": 62579
},
"runId": "1a0df5cf-d4ea-459f-ab3c-e9ffe3bd684a"
}
When I try to run the CI wrapper command twice in a row, it fails each time?