RetireJS / retire.js

Scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.
https://retirejs.github.io/retire.js/

Python version incompatibility in sharp package #306

Closed maxpain closed 5 years ago

maxpain commented 5 years ago

Retire.js version (retire --version): 2.0.2
node version (node --version): 11.15.0
Type: Bug
Description: I'm trying to use GitLab AutoDevOps Dependency Scanning on my node.js project with npm. I have the sharp package in my package.json; it seems like it is a Python version incompatibility. When I remove the sharp package, installing dependencies works fine.

```
Status: Downloaded newer image for registry.gitlab.com/gitlab-org/security-products/analyzers/retire.js:2
Found project in /tmp/app
Using python 3
Installing dependencies...

> uws@9.14.0 install /tmp/app/node_modules/uws
> node-gyp rebuild > build_log.txt 2>&1 || exit 0

> husky@3.0.8 install /tmp/app/node_modules/husky
> node husky install

husky > Setting up git hooks
husky > Done

> sharp@0.23.1 install /tmp/app/node_modules/sharp
> (node install/libvips && node install/dll-copy && prebuild-install) || (node-gyp rebuild && node install/dll-copy)

info sharp Downloading https://github.com/lovell/sharp-libvips/releases/download/v8.8.1/libvips-8.8.1-linuxmusl-x64.tar.gz
prebuild-install WARN install No prebuilt binaries found (target=11.15.0 runtime=node arch=x64 libc=musl platform=linux)
gyp ERR! configure error
gyp ERR! stack Error: Command failed: /usr/bin/python3 -c import sys; print "%s.%s.%s" % sys.version_info[:3];
gyp ERR! stack   File "<string>", line 1
gyp ERR! stack     import sys; print "%s.%s.%s" % sys.version_info[:3];
gyp ERR! stack                                ^
gyp ERR! stack SyntaxError: invalid syntax
gyp ERR! stack
gyp ERR! stack     at ChildProcess.exithandler (child_process.js:299:12)
gyp ERR! stack     at ChildProcess.emit (events.js:193:13)
gyp ERR! stack     at maybeClose (internal/child_process.js:999:16)
gyp ERR! stack     at Socket.stream.socket.on (internal/child_process.js:403:11)
gyp ERR! stack     at Socket.emit (events.js:193:13)
gyp ERR! stack     at Pipe._handle.close (net.js:614:12)
gyp ERR! System Linux 4.15.0-52-generic
gyp ERR! command "/usr/local/bin/node" "/usr/local/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
gyp ERR! cwd /tmp/app/node_modules/sharp
gyp ERR! node -v v11.15.0
gyp ERR! node-gyp -v v3.8.0
gyp ERR! not ok
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! sharp@0.23.1 install: `(node install/libvips && node install/dll-copy && prebuild-install) || (node-gyp rebuild && node install/dll-copy)`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the sharp@0.23.1 install script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR!     /.npm/_logs/2019-10-04T15_32_14_947Z-debug.log
ERROR: Could not find dependencies: sharp. You may need to run npm install
2019/10/04 15:32:21 exit status 1
2019/10/04 15:32:25 Container exited with non zero status code
Uploading artifacts...
WARNING: gl-dependency-scanning-report.json: no matching files
ERROR: No files to upload
ERROR: Job failed: exit code 1
```

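As an added triage helper, not code from retire.js or the GitLab analyzer, the following Python parses npm/node-gyp output like the log above and reports which package's install script failed and why (here: node-gyp 3.x probing the interpreter with a Python 2 `print` statement, which a python3 binary rejects as a SyntaxError). The regexes, result field names and the trimmed SAMPLE_LOG excerpt are assumptions constructed from that log.

```python
import re

# Constructed excerpt of the npm/node-gyp output from the issue above (trimmed).
SAMPLE_LOG = """\
> sharp@0.23.1 install /tmp/app/node_modules/sharp
prebuild-install WARN install No prebuilt binaries found (target=11.15.0 runtime=node arch=x64 libc=musl platform=linux)
gyp ERR! configure error
gyp ERR! stack Error: Command failed: /usr/bin/python3 -c import sys; print "%s.%s.%s" % sys.version_info[:3];
gyp ERR! stack SyntaxError: invalid syntax
gyp ERR! node-gyp -v v3.8.0
npm ERR! code ELIFECYCLE
npm ERR! Failed at the sharp@0.23.1 install script.
"""

FAILED_SCRIPT = re.compile(r"^npm ERR! Failed at the (\S+)@(\S+) install script\.")
NO_PREBUILT = re.compile(r"^prebuild-install WARN install No prebuilt binaries found \((.*)\)")
GYP_PROBE = re.compile(r"^gyp ERR! stack Error: Command failed: (\S+) -c (.*)$")
PY2_PRINT = re.compile(r'\bprint\s+"')  # Python 2 print *statement*; a SyntaxError under Python 3


def triage_npm_install_log(log):
    """Explain why an `npm install` step failed, from its log text.

    Returns None when no package install script failed; otherwise a dict naming the
    package, the platform prebuild-install found no binary for (so node-gyp built
    from source), the interpreter node-gyp probed, and the most likely cause.
    """
    info = {"package": None, "version": None, "no_prebuilt": None,
            "python": None, "cause": "unknown"}
    probe_is_py2 = syntax_error = False
    for line in log.splitlines():
        if m := FAILED_SCRIPT.match(line):
            info["package"], info["version"] = m.group(1), m.group(2)
        elif m := NO_PREBUILT.match(line):
            info["no_prebuilt"] = dict(kv.split("=", 1) for kv in m.group(1).split())
        elif m := GYP_PROBE.match(line):
            info["python"] = m.group(1)
            probe_is_py2 = bool(PY2_PRINT.search(m.group(2)))
        elif line.startswith("gyp ERR! stack SyntaxError"):
            syntax_error = True
    if info["package"] is None:
        return None
    if probe_is_py2 and syntax_error:
        info["cause"] = "node-gyp ran a Python 2 version probe under a Python 3 interpreter"
    elif info["no_prebuilt"] is not None:
        info["cause"] = "no prebuilt binary for this platform; the native build failed"
    return info
```

Run `triage_npm_install_log(SAMPLE_LOG)` to get the package, probed interpreter and cause for the log above; feeding it a clean install log returns None.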
eoftedal commented 5 years ago

This needs to be reported to GitLab. There are no Python dependencies in retire.js, so this must be related to something GitLab is doing.