etnetera / owasp-dependency-check

MIT License

Download of dependency-check with "latest" option does not work since release 9.0.10 #22

Closed dengelkecap closed 3 months ago

dengelkecap commented 6 months ago

Since dependency-check cli release 9.0.10 (https://github.com/jeremylong/DependencyCheck/releases/tag/v9.0.10) the automatic download of the latest version does not work anymore.

```
owasp-dependency-check: No Dependency-Check Core executable found. Downloading into: C:\...\dependency-check-bin
C:\...\node_modules\owasp-dependency-check\lib\utils.js:77
    url: asset.browser_download_url,
               ^

TypeError: Cannot read properties of undefined (reading 'browser_download_url')
    at install (C:\...\node_modules\owasp-dependency-check\lib\utils.js:77:16)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async run (C:\...\node_modules\owasp-dependency-check\lib\dependency-check.js:55:5)

Node.js v20.11.1
```

This might be due to an incompatible regular expression to determine the download URL:

```js
const NAME_RE = /^dependency\-check\-\d\.\d\.\d\-release\.zip$/;
```

This regex will only recognize single-digit release numbers.

This could be fixed by enhancing the regex to

```js
/^dependency\-check\-\d+\.\d+\.\d+\-release\.zip$/
```
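An added example (not the package's own code) that reproduces the asset lookup described above against a constructed stand-in for the GitHub release payload, shows the old pattern missing `9.0.10` while the widened one matches, and adds a guard so a non-matching asset list fails with a descriptive error instead of a `TypeError` on `undefined`. The `findReleaseUrl` and `tryFindReleaseUrl` helpers and the `example.invalid` URLs are assumptions for the demo.

```javascript
// Added example, not from owasp-dependency-check. Reproduces the asset
// lookup bug from the issue and shows the regex fix plus a safe lookup.

// The original single-digit pattern and the multi-digit fix from the issue.
const NAME_RE_OLD = /^dependency\-check\-\d\.\d\.\d\-release\.zip$/;
const NAME_RE_NEW = /^dependency-check-\d+\.\d+\.\d+-release\.zip$/;

// Constructed stand-in for the GitHub "latest release" API payload; only
// the fields the lookup touches are present, and the URLs are placeholders.
const release = {
  tag_name: 'v9.0.10',
  assets: [
    { name: 'dependency-check-9.0.10-release.zip',
      browser_download_url: 'https://example.invalid/dependency-check-9.0.10-release.zip' },
    { name: 'dependency-check-9.0.10-release.zip.asc',
      browser_download_url: 'https://example.invalid/dependency-check-9.0.10-release.zip.asc' },
  ],
};

// Select the release zip from the asset list. Returns its download URL, or
// throws a descriptive error when nothing matches; the original code went
// straight to `asset.browser_download_url` and crashed on undefined.
function findReleaseUrl(rel, nameRe) {
  const asset = rel.assets.find((a) => nameRe.test(a.name));
  if (!asset) {
    throw new Error(`no asset matching ${nameRe} in release ${rel.tag_name}`);
  }
  return asset.browser_download_url;
}

// Demo helper: null instead of an exception so both regexes can be compared.
function tryFindReleaseUrl(rel, nameRe) {
  try {
    return findReleaseUrl(rel, nameRe);
  } catch (e) {
    return null;
  }
}

console.log('old regex:', tryFindReleaseUrl(release, NAME_RE_OLD)); // null
console.log('new regex:', tryFindReleaseUrl(release, NAME_RE_NEW)); // the zip URL
```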

vincego commented 6 months ago

FWIW I use npm run check:owasp -- --odc-version v9.0.9 as a workaround

Rishabh-dipsite commented 6 months ago

Here is the PR for it. https://github.com/etnetera/owasp-dependency-check/pull/24

damonhnz commented 6 months ago

> FWIW I use npm run check:owasp -- --odc-version v9.0.9 as a workaround

Note that the --odc-version parameter was added since the last release version (0.0.21) so this workaround only works if you're using it from source.

vincego commented 6 months ago

> FWIW I use npm run check:owasp -- --odc-version v9.0.9 as a workaround

> Note that the --odc-version parameter was added since the last release version (0.0.21) so this workaround only works if you're using it from source.

Absolutely, I had to replace "owasp-dependency-check": "0.0.21" with "owasp-dependency-check": "etnetera/owasp-dependency-check" in package.json in order to use this new option.

martin-traverse commented 6 months ago

Please is it possible to get the PR merged and a version published to NPM? We really should be using a published version which includes the fix. Linking compliance jobs in CI to a branch on GitHub that can change at any time, then passing a flag to prevent the dependency checker from being updated, none of this is really in the spirit of what the tool is trying to achieve!

This is such a handy little package, getting the update published would really extend its lifespan.

vincego commented 6 months ago

Version 9.1.0 of dependency-check has been released, so we should be able to use the latest version with the master branch again (at least until 9.1.10 or 10.0.0).

martin-traverse commented 3 months ago

Version 10.0.0 of the core dependency-check binaries was just released; this package is not going to work again now until this issue is resolved.

vincego commented 3 months ago

Since the PR#23 merge (05/26/2024), and still using "owasp-dependency-check": "etnetera/owasp-dependency-check" in package.json, I was able to switch back to the latest version of dependency-check with npm run check:owasp. Just be sure to update the package properly using npm update owasp-dependency-check (it changes the commit hash in package-lock.json). Still waiting for an NPM release though!

martin-traverse commented 3 months ago

Agreed. I have made it work by pointing directly at GitHub, but for a dependency checking tool, there really should be a versioned and released package! Especially given the news recently about using the tool chain as an attack vector - I know this is a much simpler case, but the principle applies I think.

centi commented 3 months ago

PR #25 is merged and version 0.22 is out. The new RE should work with multi-digit versions of the binary.