etnetera / owasp-dependency-check

MIT License

Failure to fetch JSON? #13

Closed MarkMoirIto closed 2 weeks ago

MarkMoirIto commented 1 year ago

We're using the owasp-dependency-check in a CI pipeline. The error we're getting isn't happening every time.

```
> owasp-dependency-check --project "Project101" --scan src --scan node_modules --exclude dependency-check-bin --failOnCVSS 7 --disableYarnAudit --nodePackageSkipDevDependencies --nodeAuditSkipDevDependencies --data=/tmp/dependency-check-data

owasp-dependency-check: No Dependency-Check Core executable found. Downloading into: /builds/transit/feature_explorer-client/dependency-check-bin

/builds/transit/feature_explorer-client/node_modules/owasp-dependency-check/lib/utils.js:75
    const asset = json.assets.find(a => NAME_RE.test(a.name));
                              ^

TypeError: Cannot read properties of undefined (reading 'find')
    at install (/builds/transit/feature_explorer-client/node_modules/owasp-dependency-check/lib/utils.js:75:29)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async run (/builds/transit/feature_explorer-client/node_modules/owasp-dependency-check/lib/dependency-check.js:55:5)

Cleaning up project directory and file based variables

00:01 ERROR: Job failed: exit code 1
```

Sorry if that isn't formatted very nicely. Ultimately the line `const asset = json.assets.find(a => NAME_RE.test(a.name));` is saying that assets can't be found.

Looking at the code, it seems that the JSON which is being fetched from 'https://api.github.com/repos/jeremylong/DependencyCheck/releases/latest' is not always returning the expected JSON file/contents. The assets property isn't in the returned JSON.

Anyone else experience this? Certainly from the browser, visiting the 'https://api.github.com/repos/jeremylong/DependencyCheck/releases/latest' page always shows the expected JSON.

jameslafferty commented 1 year ago

@MarkMoirIto I ran into this issue as well. I'm not super happy about having to maintain the dependency check myself, but setting the OWASP_BIN environment variable let me work around it.

For reference, I figured out the workaround after reviewing this line in the source code: https://github.com/etnetera/owasp-dependency-check/blob/29ab64167513d9f8a05dc5108586ce1906bd3c70/lib/dependency-check.js#L43

centi commented 2 weeks ago

If the JSON response is occasionally not as expected, I cannot do much. But I added some logging to the download/install process, so if this happens again, there should be more information about the cause.

The logging is in 0.0.23.
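The following is an added example, not code from the owasp-dependency-check project or from anyone in this thread: a guarded version of the asset lookup that failed at `lib/utils.js:75` above, which validates the shape of the GitHub "latest release" response and reports what was actually received (GitHub's own `message` field, for instance, which the API returns instead of `assets` for rejected or rate-limited requests) rather than crashing with a `TypeError`, in the spirit of the extra logging centi mentions. The `NAME_RE` pattern, the `OWASP_BIN` hint and the sample payloads are assumptions constructed for this example.

```javascript
// Added example (not the project's own code): validate the GitHub release JSON
// before looking up the Dependency-Check asset, so a malformed or rejected
// response yields a diagnostic error instead of "Cannot read properties of undefined".

// Assumed asset-name pattern (the project's real NAME_RE is not shown in the thread).
const NAME_RE = /^dependency-check-\d+\.\d+\.\d+-release\.zip$/;

class ReleaseLookupError extends Error {}

// Returns the matching asset object, or throws ReleaseLookupError explaining
// why the release JSON could not be used.
function selectReleaseAsset(json, nameRe = NAME_RE) {
  if (json === null || typeof json !== 'object') {
    throw new ReleaseLookupError(`release response is not a JSON object: ${JSON.stringify(json)}`);
  }
  if (!Array.isArray(json.assets)) {
    // GitHub returns { message, documentation_url } (no assets) for rejected
    // or rate-limited requests; surface that text so CI logs show the cause.
    const detail = typeof json.message === 'string'
      ? json.message
      : `keys present: ${Object.keys(json).join(', ') || '(none)'}`;
    throw new ReleaseLookupError(
      `release JSON has no "assets" array (${detail}); ` +
      'set OWASP_BIN to use a pre-installed Dependency-Check binary instead');
  }
  const asset = json.assets.find((a) => a && typeof a.name === 'string' && nameRe.test(a.name));
  if (!asset) {
    const names = json.assets.map((a) => (a && a.name) || '?').join(', ');
    throw new ReleaseLookupError(`no asset matched ${nameRe} among: ${names || '(none)'}`);
  }
  return asset;
}

// Non-throwing wrapper: { ok: true, asset } or { ok: false, error }.
function describeReleaseLookup(json) {
  try {
    return { ok: true, asset: selectReleaseAsset(json) };
  } catch (e) {
    if (e instanceof ReleaseLookupError) return { ok: false, error: e.message };
    throw e;
  }
}

// Constructed sample payloads (not captured from the real API).
const GOOD_RELEASE = { tag_name: 'v0.0.0', assets: [
  { name: 'dependency-check-0.0.0-release.zip.asc', browser_download_url: 'https://example.invalid/r.zip.asc' },
  { name: 'dependency-check-0.0.0-release.zip', browser_download_url: 'https://example.invalid/r.zip' },
] };
const RATE_LIMITED = { message: 'API rate limit exceeded for 203.0.113.5.', documentation_url: 'https://example.invalid/docs' };
```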