etnetera / owasp-dependency-check

MIT License

JavaScript code is not analyzed, not even in the most basic setup #3

Closed Muzietto closed 2 years ago

Muzietto commented 2 years ago

Already asked on Stack Overflow without result. Retrying here...

I am trying to use the NPM module owasp-dependency-check in order to highlight possible vulnerabilities in the code of my web project. I have installed version 0.0.18, the latest.

I want to analyse the custom code I wrote (directory src) and the libraries my project depends on (directory node_modules).

The task in package.json (section scripts) reads:

"test:dependency": "owasp-dependency-check --project \"MY_PROJECT\" --scan \"src\" --scan \"node_modules\" --exclude \"dependency-check-bin\" --out \"owasp\" --format HTML"

After the launch, it seems that the instructions have been specified correctly:

owasp-dependency-check: Running the dependency check ...
/home/workspace/MY_PROJECT/dependency-check-bin/dependency-check/bin/dependency-check.sh --out=owasp --project MY_PROJECT --scan src --scan node_modules --exclude dependency-check-bin --format HTML --data=/tmp/dependency-check-data

After about 10 minutes of execution, I find a file owasp/dependency-check-report.html with a size of 61 MB (!?!). I view it in the browser and it contains the analysis of the sole directory dependency-check-bin, which is the directory where the owasp-dependency-check NPM module installs some executables and which I explicitly try to skip in the analysis.

[Screenshot: dependency-check-report]

(ironically, there are 6 medium-to-critical vulnerabilities in the libraries that the dependency checker itself uses...)

My question is: what is wrong with my task definition in package.json? How should I invoke owasp-dependency-check in order to scan node_modules and src?

centi commented 2 years ago

Hi. I will check it out. In the meantime, you could try a workaround by specifying the bin CLI option and setting it to some folder outside your project. The check module will then use this path to download the dependency check CLI to.

centi commented 2 years ago

But if your project is a Node.js project (you mention node_modules), then I think a better option is to specify --scan=package-lock.json. Every NPM dependency you have should be in this file and the check will be much faster.

centi commented 2 years ago

And how do you know that your project is not analyzed? Do you expect there to be some vulnerabilities which you do not see in the report (beside the ones from the owasp bin itself right now)?
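One way to answer "was my project actually analysed, or only the wrapper's own dependency-check-bin directory?" is to run the scan with --format JSON as well and group the report's dependencies by the top-level path they came from. The script below is an added example, not part of this thread or of the owasp-dependency-check project. It assumes the JSON report layout I know from dependency-check (a top-level "dependencies" list whose entries carry "filePath" and an optional "vulnerabilities" list with "name" and "severity"); the embedded sample report and its CVE placeholders are constructed, so check the shape against your own report before relying on it.

```python
"""Group a dependency-check JSON report by the top-level directory each
dependency was found in, so a report dominated by dependency-check-bin
(the wrapper's own tool directory) is easy to spot.

Added example; assumes the dependency-check JSON report schema
("dependencies" -> "filePath", "vulnerabilities" -> "name"/"severity").
"""
import json
import os
from collections import defaultdict

# Constructed sample report: one entry from the wrapper's bin directory
# (what the report in the issue consisted of) and two virtual entries of the
# kind produced by --scan package-lock.json. CVE names are placeholders.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "some-lib.jar",
         "filePath": "/home/workspace/MY_PROJECT/dependency-check-bin/dependency-check/lib/some-lib.jar",
         "vulnerabilities": [{"name": "CVE-PLACEHOLDER-0001", "severity": "CRITICAL"}]},
        {"fileName": "left-pad:1.0.0",
         "filePath": "/home/workspace/MY_PROJECT/package-lock.json?left-pad",
         "vulnerabilities": [{"name": "CVE-PLACEHOLDER-0002", "severity": "MEDIUM"}]},
        {"fileName": "is-even:1.0.0",
         "filePath": "/home/workspace/MY_PROJECT/package-lock.json?is-even"},
    ]
})


def top_level(file_path, project_root):
    """First path component below project_root, e.g. 'dependency-check-bin'
    or 'package-lock.json'. Virtual dependencies carry a '?name' suffix on
    the lock-file path; strip it before computing the relative path."""
    rel = os.path.relpath(file_path.split("?", 1)[0], project_root)
    return rel.split(os.sep, 1)[0]


def summarize(report_text, project_root):
    """Return {top_level_dir: {dependencies, vulnerabilities, severities}}."""
    report = json.loads(report_text)
    summary = defaultdict(lambda: {"dependencies": 0, "vulnerabilities": 0,
                                   "severities": defaultdict(int)})
    for dep in report.get("dependencies", []):
        bucket = summary[top_level(dep["filePath"], project_root)]
        bucket["dependencies"] += 1
        for vuln in dep.get("vulnerabilities", []):
            bucket["vulnerabilities"] += 1
            bucket["severities"][vuln.get("severity", "UNKNOWN").upper()] += 1
    # Convert nested defaultdicts to plain dicts for printing/asserting.
    return {k: {"dependencies": v["dependencies"],
                "vulnerabilities": v["vulnerabilities"],
                "severities": dict(v["severities"])}
            for k, v in summary.items()}


def report_covers_project(summary, tool_dir="dependency-check-bin"):
    """True if at least one analysed dependency lies outside the tool's own
    bin directory, i.e. the scan looked at more than dependency-check-bin."""
    return any(path != tool_dir for path in summary)


if __name__ == "__main__":
    # Real use: summarize(open("owasp/dependency-check-report.json").read(), os.getcwd())
    result = summarize(SAMPLE_REPORT, "/home/workspace/MY_PROJECT")
    for path, counts in sorted(result.items()):
        print(f"{path}: {counts['dependencies']} dependencies, "
              f"{counts['vulnerabilities']} findings {counts['severities']}")
    print("project covered:", report_covers_project(result))
```

If the only key in the summary is dependency-check-bin, the wrapper's tool directory was the only thing scanned; that is exactly the symptom in this issue, and switching to --scan package-lock.json (or moving the bin directory outside the project) is the fix.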

Muzietto commented 2 years ago

> But if your project is a Node.js project (you mention node_modules), then I think a better option is to specify --scan=package-lock.json. Every NPM dependency you have should be in this file and the check will be much faster.

I followed your advice and it worked!! On top of that, the directory dependency-check-bin was ignored.

Thank you very much.

Sravana-Synthesis commented 4 months ago

Is it necessary to scan node_modules as well?