Closed MarkMoirIto closed 2 weeks ago
@MarkMoirIto I ran into this issue as well. I'm not super happy about having to maintain the dependency check myself, but setting the OWASP_BIN environment variable let me work around it.
For reference, I figured out the workaround after reviewing this line in the source code: https://github.com/etnetera/owasp-dependency-check/blob/29ab64167513d9f8a05dc5108586ce1906bd3c70/lib/dependency-check.js#L43
If the JSON response is occasionally not as expected, I cannot do much. But I added some logging to the download/install process, so if this happens again, there should be more information about the cause.
The logging is in 0.0.23.
We're using the owasp-dependency-check in a CI pipeline. The error we're getting isn't happening every time.
```
> owasp-dependency-check --project "Project101" --scan src --scan node_modules --exclude dependency-check-bin --failOnCVSS 7 --disableYarnAudit --nodePackageSkipDevDependencies --nodeAuditSkipDevDependencies --data=/tmp/dependency-check-data

owasp-dependency-check: No Dependency-Check Core executable found. Downloading into: /builds/transit/feature_explorer-client/dependency-check-bin
/builds/transit/feature_explorer-client/node_modules/owasp-dependency-check/lib/utils.js:75
    const asset = json.assets.find(a => NAME_RE.test(a.name));
                              ^

TypeError: Cannot read properties of undefined (reading 'find')
    at install (/builds/transit/feature_explorer-client/node_modules/owasp-dependency-check/lib/utils.js:75:29)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async run (/builds/transit/feature_explorer-client/node_modules/owasp-dependency-check/lib/dependency-check.js:55:5)
Cleaning up project directory and file based variables
00:01 ERROR: Job failed: exit code 1
```
Sorry if that isn't formatted very nicely. Ultimately the line `const asset = json.assets.find(a => NAME_RE.test(a.name));` is saying that assets can't be found. Looking at the code, it seems that the JSON which is being fetched from 'https://api.github.com/repos/jeremylong/DependencyCheck/releases/latest' is not always returning the expected JSON file/contents. The assets property isn't in the returned JSON.
Anyone else experience this? Certainly from the browser, visiting the 'https://api.github.com/repos/jeremylong/DependencyCheck/releases/latest' page always shows the expected JSON.