Closed SharkMachine closed 1 year ago
Hello @SharkMachine Thanks for your report!
Looks like the problem is with your package.json file, which is next to the yarn.lock file. This package.json file doesn't have a Name or Version field.
Can you send the wrong files for investigation or check yourself?
Regards, Dmitriy
@DmitriyLewen Can we change it not to fail on broken package.json files? package.json just enriches the results. We should not fail the entire scan. We should show warnings and keep scanning.
The same issue occurred in our project as well. Thank you for your prompt response and I hope this issue will be fixed anytime soon.
@BumpeiShimada First of all, we don't think it is our issue. We suppose your package.json has an issue. Could you share your package.json? You can remove or mask something sensitive.
@knqyf263 Thank you for the response. Since it would not be good to disclose the file publicly, I'd like to ask you some questions beforehand.
> We suppose your package.json has an issue
Is the issue that the package.json file doesn't have a Name or Version field, as DmitriyLewen said above?
If so, is it enough to tell you whether our file has the fields? Or do you need any other information?
@BumpeiShimada You can send me the debug log and I will try to tell you what the problem is.
@DmitriyLewen Okay. Here's the log:
2023-04-03T08:11:03.097Z INFO Need to update DB
2023-04-03T08:11:03.097Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2023-04-03T08:11:03.097Z INFO Downloading DB...
2023-04-03T08:11:04.602Z INFO Vulnerability scanning is enabled
2023-04-03T08:11:04.602Z INFO Secret scanning is enabled
2023-04-03T08:11:04.602Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-04-03T08:11:04.602Z INFO Please see also https://aquasecurity.github.io/trivy/v0.39/docs/secret/scanning/#recommendation for faster secret detection
2023-04-03T08:11:26.647Z FATAL filesystem scan error: scan error: scan failed: failed analysis: post analysis error: post analysis error: yarn walk error: unable to parse .: parse error: unable to parse package.json
@BumpeiShimada I meant logs with the --debug flag, as in the main message.
UPD: I checked this log. Looks like the problem is in the Name or Version field.
We also experience this problem with the new trivy, and both "name" and "version" fields are present.
Logs:
trivy fs . --security-checks vuln --debug
2023-04-03T13:30:30.532+0300 WARN '--security-checks' is deprecated. Use '--scanners' instead.
2023-04-03T13:30:30.535+0300 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-04-03T13:30:30.542+0300 DEBUG cache dir: /home/hunter/.cache/trivy
2023-04-03T13:30:30.543+0300 DEBUG DB update was skipped because the local DB is the latest
2023-04-03T13:30:30.543+0300 DEBUG DB Schema: 2, UpdatedAt: 2023-04-03 06:07:03.052991494 +0000 UTC, NextUpdate: 2023-04-03 12:07:03.052991094 +0000 UTC, DownloadedAt: 2023-04-03 10:22:50.946824057 +0000 UTC
2023-04-03T13:30:30.544+0300 INFO Vulnerability scanning is enabled
2023-04-03T13:30:30.544+0300 DEBUG Vulnerability type: [os library]
2023-04-03T13:30:30.545+0300 DEBUG Walk the file tree rooted at '.' in parallel
2023-04-03T13:30:30.638+0300 DEBUG Start parent: com.google.protobuf:protobuf-parent:3.14.0
2023-04-03T13:30:30.639+0300 DEBUG Start parent: org.apache.commons:commons-parent:42
2023-04-03T13:30:30.645+0300 DEBUG Start parent: org.sonatype.oss:oss-parent:7
2023-04-03T13:30:30.655+0300 DEBUG Start parent: org.sonatype.oss:oss-parent:7
2023-04-03T13:30:30.688+0300 DEBUG Start parent: com.google.guava:guava-parent:26.0-android
2023-04-03T13:30:30.880+0300 DEBUG Start parent: org.sonatype.oss:oss-parent:9
2023-04-03T13:30:30.913+0300 DEBUG Start parent: org.apache:apache:18
2023-04-03T13:30:30.915+0300 DEBUG Exit parent: org.sonatype.oss:oss-parent:7
2023-04-03T13:30:30.915+0300 DEBUG Exit parent: org.sonatype.oss:oss-parent:7
2023-04-03T13:30:30.915+0300 DEBUG Resolving com.google.code.findbugs:jsr305:3.0.1...
2023-04-03T13:30:30.915+0300 DEBUG Exit parent: com.google.protobuf:protobuf-parent:3.14.0
2023-04-03T13:30:30.915+0300 DEBUG Resolving com.google.protobuf:protobuf-bom:3.14.0...
2023-04-03T13:30:30.929+0300 DEBUG Exit parent: org.sonatype.oss:oss-parent:9
2023-04-03T13:30:30.929+0300 DEBUG Exit parent: com.google.guava:guava-parent:26.0-android
2023-04-03T13:30:30.941+0300 DEBUG Exit parent: org.apache:apache:18
2023-04-03T13:30:30.942+0300 DEBUG Exit parent: org.apache.commons:commons-parent:42
2023-04-03T13:30:30.944+0300 DEBUG Start parent: org.sonatype.oss:oss-parent:7
2023-04-03T13:30:30.944+0300 DEBUG Exit parent: org.sonatype.oss:oss-parent:7
2023-04-03T13:30:30.944+0300 DEBUG Resolving org.jetbrains.kotlin:kotlin-annotations-jvm:1.3.72...
2023-04-03T13:30:30.971+0300 INFO To collect the license information of packages in "app/modules/react-native-gpgs/package-lock.json", "npm install" needs to be performed beforehand
2023-04-03T13:30:30.974+0300 INFO To collect the license information of packages in "functions/node_modules/minipass-sized/package-lock.json", "npm install" needs to be performed beforehand
2023-04-03T13:30:30.982+0300 INFO To collect the license information of packages in "functions/node_modules/protobufjs/package-lock.json", "npm install" needs to be performed beforehand
2023-04-03T13:30:31.029+0300 FATAL filesystem scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.Run
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:431
- scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:266
- scan failed:
github.com/aquasecurity/trivy/pkg/commands/artifact.scan
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:679
- failed analysis:
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
/home/runner/work/trivy/trivy/pkg/scanner/scan.go:146
- post analysis error:
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect
/home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:164
- post analysis error:
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:487
- yarn walk error:
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/yarn.yarnAnalyzer.PostAnalyze
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/nodejs/yarn/yarn.go:72
- unable to parse functions:
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/yarn.yarnAnalyzer.removeDevDependencies
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/nodejs/yarn/yarn.go:104
- parse error:
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/yarn.yarnAnalyzer.parsePackageJsonDependencies
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/nodejs/yarn/yarn.go:174
- unable to parse package.json:
github.com/aquasecurity/go-dep-parser/pkg/nodejs/packagejson.(*Parser).Parse
/home/runner/go/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20230324043952-2172dc218241/pkg/nodejs/packagejson/parse.go:39
Hello @hwo411 Can you share your package.json file?
@DmitriyLewen actually, I found the cause. We have another project as a subfolder and the error seems to be in it (but we ran trivy from the root folder).
The package.json in that subfolder project indeed didn't have a version, and adding the version solved the problem.
Thank you very much!
@DmitriyLewen Thanks for the quick reply. I checked my package.json file and it was missing version field. Adding it fixes the issue.
However, I'd argue that my package.json wasn't broken as Yarn itself has been fine with it and hasn't displayed any warnings.
@hwo411, @SharkMachine I'm happy that I could help you.
> However, I'd argue that my package.json wasn't broken as Yarn itself has been fine with it and hasn't displayed any warnings.
By default yarn creates the version in the `package.lock` file:
➜ ~ docker run --name node --rm -it node sh
# yarn init
yarn init v1.22.19
question name: app
question version (1.0.0):
question description:
question entry point (index.js):
question repository url:
question author:
question license (MIT):
question private:
success Saved package.json
Done in 4.50s.
# cat package.json
{
  "name": "app",
  "version": "1.0.0",
  "main": "index.js",
  "license": "MIT"
}
That's why we thought package.json always included the version field.
But we created #3972 to not stop the scan when errors occur in enrichment files.
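As an added illustration (not Trivy's own code, nor part of this thread), the check the discussion converges on: treat a package.json with no "name"/"version" as a finding rather than a fatal error, and walk a repository the way the reporter's command did to locate which nested project's package.json next to a yarn.lock is incomplete. The skipped directories and the yarn.lock-adjacency rule are assumptions taken from the thread.

```go
package main

import (
	"encoding/json"
	"os"
	"path/filepath"
)
// CheckPackageJSON lists which of "name"/"version" are absent. Malformed JSON is an
// error; absent fields are only findings, since package.json merely enriches results.
func CheckPackageJSON(data []byte) ([]string, error) {
	var p struct{ Name, Version string } // encoding/json matches keys case-insensitively
	if err := json.Unmarshal(data, &p); err != nil {
		return nil, err
	}
	var missing []string
	if p.Name == "" {
		missing = append(missing, "name")
	}
	if p.Version == "" {
		missing = append(missing, "version")
	}
	return missing, nil
}

// FindIncompletePackageJSON walks root (skipping node_modules and vendor, as the
// reporter's --skip-dirs did) and maps each package.json beside a yarn.lock to findings.
func FindIncompletePackageJSON(root string) (map[string][]string, error) {
	out := map[string][]string{}
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() || info.Name() != "package.json" {
			if err == nil && info.IsDir() && (info.Name() == "node_modules" || info.Name() == "vendor") {
				return filepath.SkipDir
			}
			return err // nil for ordinary directories and other files: keep walking
		}
		if _, err := os.Stat(filepath.Join(filepath.Dir(path), "yarn.lock")); err != nil {
			return nil // assumption from the thread: only package.json next to yarn.lock matters
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		if missing, perr := CheckPackageJSON(data); perr != nil {
			out[path] = []string{"unable to parse package.json: " + perr.Error()}
		} else if len(missing) > 0 {
			out[path] = missing
		}
		return nil
	})
	return out, err
}
```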
@DmitriyLewen Thank you for the help. Adding name and version worked in our project as well.
On the other hand, since our project neither needs nor requires them, it would be very nice if v0.39.1, the version including the fix, were released soon.
Thank you very much again for your prompt reactions!
v0.39.1 should address this issue.
Still running into said error with trivy 0.40.0
Hello @Betriebsrat Can you share your yarn.lock + package.json files to check this?
Description
Running
trivy fs --scanners vuln --skip-dirs "node_modules,vendor" ./
on a repository with yarn.lock and package.json files fails with a fatal error.
What did you expect to happen?
Vulnerability scan doesn't fail with a fatal error. The same cannot be reproduced with 0.38.3; package.json parsing was added in 0.39 (#3757).
Output of run with --debug:
Output of trivy -v:
Additional details (base image name, container registry info...):
The same problem can be reproduced with the Debian/Ubuntu deb package version and with the Docker image.