jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Node Audit Analysis fails with large package-lock.json (>1MB) #2084

Open kessenich opened 5 years ago

kessenich commented 5 years ago

Describe the bug
Dependency Check fails on Node Audit Analysis with an error when the package-lock.json is larger than 1 MB.

Version of dependency-check used
The problem occurs using version 5.1.1 of the CLI.

Log file
Unfortunately the log file is too large to upload, at more than 300 MB. But I have a gist with an example package.json and package-lock.json for tests: https://gist.github.com/kessenich/ff21cbe3e9d7d989fab43a699d507111

To Reproduce
Steps to reproduce the behavior:

  1. Create a large package-lock.json
  2. Run sh dependency-check/bin/dependency-check.sh -s . --disableAssembly --disableBundleAudit --disableRetireJS -o report.html -l log.txt
  3. Console log
    [ERROR] NodeAuditAnalyzer failed on /mnt/c/dev/TEST/depcheck/package-lock.json
    [WARN] An error occurred while analyzing '/mnt/c/dev/TEST/depcheck/package-lock.json' (Node Audit Analyzer).
    [...]
    [ERROR] Could not perform Node Audit analysis - service returned a 503.

Expected behavior
Dependency check runs without errors.

Additional context
When I run npm audit everything works fine. When I randomly delete a few packages from the package.json, then dependency check works fine.

viczt commented 4 years ago

I have a similar issue:
    DEBUG - Could not connect to Node Audit API. Received response code: 500 Internal Server Error
npm audit works fine. npm: '6.14.8'

Attached: debug.log

piotrpatrzek commented 3 years ago

Same situation:
    [ERROR] NodeAuditAnalyzer failed on /opt/atlassian/pipelines/agent/build/package-lock.json

aurelienchapinseite commented 3 years ago

Hi, I created an issue with the NPM support, and the problem has been fixed.
There was a timeout on the npm audit endpoint used by the OWASP dependency check project (https://registry.npmjs.org/-/npm/v1/security/audits) that was too short for the processing of a heavy package-lock.json. They extended the timeout and the error is gone.
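
The comment above names the mechanism (a server-side timeout on the npm audit endpoint while it processes a large package-lock.json), and the original report notes that the scan passes once a few packages are trimmed. The Python below is an added example, not code from dependency-check or from anyone in this thread. It does two things a CI owner hitting this can use: it parses both lockfile layouts (lockfileVersion 1, which nests transitive dependencies, and lockfileVersion 2/3, which lists every installed path flat under "packages") to report size and package count before a scan and flag files above the 1 MB mark from the issue title, and it wraps a submission in a retry loop that treats the 500/503 answers reported here as transient. The 1 MB threshold, the function names, the two sample lockfiles and the fake HTTP transport are all constructed for this example; nothing here contacts the real endpoint.

```python
"""Pre-flight check for a package-lock.json and a retry wrapper for an audit
submission. Added example; not dependency-check's own code."""
import json
import time
from typing import Callable, Dict, List, Tuple

# Threshold taken from the issue title ("> 1 MB"). An assumption for this
# example, not a documented limit of the npm audit service.
AUDIT_SIZE_WARN_BYTES = 1_000_000
# Statuses this example treats as "try again later" rather than a hard failure.
TRANSIENT_STATUSES = {429, 500, 502, 503, 504}


def count_packages(lock: dict) -> int:
    """Count dependency entries in either lockfile layout."""
    if "packages" in lock:  # lockfileVersion 2/3: flat map, "" is the root project
        return sum(1 for path in lock["packages"] if path != "")

    def walk(deps: dict) -> int:  # lockfileVersion 1: recursive tree
        total = 0
        for entry in deps.values():
            total += 1 + walk(entry.get("dependencies", {}))
        return total

    return walk(lock.get("dependencies", {}))


def summarize_lockfile(text: str, threshold: int = AUDIT_SIZE_WARN_BYTES) -> Dict[str, object]:
    """Return size, lockfile version, package count, and whether the file sits in
    the size range this thread reports as failing."""
    lock = json.loads(text)
    size = len(text.encode("utf-8"))
    return {
        "lockfile_version": lock.get("lockfileVersion", 1),
        "package_count": count_packages(lock),
        "size_bytes": size,
        "large": size > threshold,
    }


# A transport is any callable taking the request body and returning (status, body).
Send = Callable[[bytes], Tuple[int, str]]


def audit_with_retry(send: Send, payload: bytes, max_attempts: int = 4,
                     base_delay: float = 1.0,
                     sleep: Callable[[float], None] = time.sleep) -> Tuple[str, int]:
    """Submit `payload` via `send`; retry transient statuses with exponential
    backoff. Returns (response body, attempts used) or raises RuntimeError."""
    if max_attempts < 1:
        raise ValueError("max_attempts must be >= 1")
    last_status = None
    for attempt in range(1, max_attempts + 1):
        status, body = send(payload)
        if status == 200:
            return body, attempt
        if status not in TRANSIENT_STATUSES:  # e.g. 400/404: retrying will not help
            raise RuntimeError(f"audit endpoint returned {status}: {body[:200]}")
        last_status = status
        if attempt < max_attempts:
            sleep(base_delay * 2 ** (attempt - 1))  # 1s, 2s, 4s, ...
    raise RuntimeError(
        f"audit endpoint still failing after {max_attempts} attempts (last status {last_status})")


def fake_send_factory(statuses: List[int]) -> Send:
    """Constructed stand-in for an HTTP POST that returns scripted statuses,
    then 200 once the script is exhausted."""
    queue = list(statuses)

    def send(_payload: bytes) -> Tuple[int, str]:
        status = queue.pop(0) if queue else 200
        body = '{"advisories": {}}' if status == 200 else "Service Unavailable"
        return status, body

    return send


# Constructed sample lockfiles (hypothetical packages a, b, c).
V1_LOCK = json.dumps({"name": "demo", "lockfileVersion": 1, "dependencies": {
    "a": {"version": "1.0.0", "dependencies": {"b": {"version": "2.0.0"}}},
    "c": {"version": "3.0.0"}}})
V3_LOCK = json.dumps({"name": "demo", "lockfileVersion": 3, "packages": {
    "": {"name": "demo"},
    "node_modules/a": {"version": "1.0.0"},
    "node_modules/a/node_modules/b": {"version": "2.0.0"},
    "node_modules/c": {"version": "3.0.0"}}})


def run_demo() -> Dict[str, object]:
    """Summarize the v3 sample, then submit it through a transport that fails
    twice (503, 500) before succeeding; record the backoff delays instead of sleeping."""
    summary = summarize_lockfile(V3_LOCK)
    delays: List[float] = []
    body, attempts = audit_with_retry(fake_send_factory([503, 500, 200]),
                                      V3_LOCK.encode("utf-8"), sleep=delays.append)
    return {"summary": summary, "attempts": attempts, "delays": delays, "body": body}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Point `summarize_lockfile` at the real lockfile (read the file into `text`) to get the size and package count before a CI run; the retry wrapper is meant for a script that submits the audit itself, since the dependency-check CLI invocation shown in this thread does not expose a retry setting.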

chloepa commented 3 years ago

Hi, I am also facing this issue but the package-lock.json is only 700KB. Is there any solution to this?

dependency check version: 6.2.2. Error faced in both CI and local.

RussellLMiller commented 3 years ago

I am also intermittently having the same issue as @chloepa. I'm using the Azure DevOps task and that error occurs 2/10 times I run my OWASP check on my build servers.

The package-lock.json file's size is only 2.1 KB for my scan.

Unfortunately I don't have any additional information, because when I try to get verbose output from the servers, the task runs for 90+ minutes and then my build times out, when the OWASP scan normally takes around 10-15 minutes to run.

Any assistance or guidance on things to try would be appreciated.

Flavien-Pensato commented 2 years ago

Hi, I created an issue with the NPM support, and the problem has been fixed. There was a timeout on the npm audit endpoint used by the OWASP dependency check project (https://registry.npmjs.org/-/npm/v1/security/audits) too short for the processing of a heavy package-lock.json. They extended the timeout and the error is gone.

Can you tell which version fixes the issue?

natewallis commented 2 years ago

@aurelienchapinseite Could you let me know how you solved this issue here? I experienced this issue today (May 2022) with the following versions: Dependency-Check 7.1.0, NPM 8.10.0.

pk27734 commented 1 year ago

I'm also seeing this issue on Azure DevOps, when analyzing a Vite project. Any suggestions?