jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Please add an npm audit URL as an argument #2423

Open ronabop opened 4 years ago

ronabop commented 4 years ago

Is your feature request related to a problem? Please describe.
Due to multiple, repeated historical problems (e.g. https://github.com/jeremylong/DependencyCheck/issues/1685 ) where npmjs.org may be over capacity, or unavailable, or misconfigured, or denied due to security policy, I would like to use a different URL, one where I can have internally available/hosted/cached files.

Describe the solution you'd like
A command line argument, something like: --npmAuditURL (default value https://registry.npmjs.org/-/npm/v1/security/audits )

This would allow me to use an internal server.

Describe alternatives you've considered
Doing deep packet inspection on all traffic to rewrite the URL. Setting /etc/hosts and doing rewriting/masquerading on a proxy to the source.

Additional context
https://github.com/jeremylong/DependencyCheck/issues/1685
https://github.com/jeremylong/DependencyCheck/pull/1891
https://github.com/jeremylong/DependencyCheck/issues/1845

jeremylong commented 4 years ago

You can set this today using JAVA_OPTS:

export JAVA_OPTS="$JAVA_OPTS -Danalyzer.node.audit.url=https://registry.npmjs.org/-/npm/v1/security/audits"
ronabop commented 4 years ago

JAVA_OPTS didn't work in my particular setup (using jenkins pipeline, invoking dependency-check as a tool). Since the tool logged that JAVA_TOOL_OPTIONS were being loaded, I could set a value there (and since it's for an artifactory server, had to use a virtual repository): -Danalyzer.node.audit.url=https://artifactory.example.com/api/npm/npmjs-virtual/-/npm/v1/security/audits

nfalco79 commented 2 years ago

We have the same requirement: Artifactory supports npm audit since 6.10, and we would use it instead of an internet connection to avoid builds failing again and again because of network issues (as happens at the time of writing).

pteichner commented 1 year ago

It would be great to understand how to do this. Currently we have Nexus OSS that mirrors NPM Central.

jeremylong commented 1 year ago

If using the CLI - besides the JAVA_OPTS mechanism - you can create a properties file containing

analyzer.node.audit.url=https://artifactory.example.com/api/npm/npmjs-virtual/-/npm/v1/security/audits

And then use the --propertyfile argument.
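The thread gives three ways to hand the analyzer an internal audit endpoint (JAVA_OPTS, JAVA_TOOL_OPTIONS, or a properties file passed with --propertyfile) and one concrete URL shape for an Artifactory virtual npm repository. The wrapper below ties them together as an added example; it is not code from the issue thread or from the dependency-check project. It assumes the mirror is an Artifactory virtual repository reachable at a base URL you supply, that the dependency-check launcher is on PATH as dependency-check.sh, and that the mirror answers audit POSTs with the same JSON shape as the public registry (a body containing an "advisories" key); the preflight payload shape is likewise an assumption about the public v1 audit API, not something the thread states.

```shell
#!/bin/sh
# Added example (not part of the issue thread or the dependency-check project):
# point dependency-check's Node Audit Analyzer at an internal npm mirror.
#
# Assumptions: MIRROR_BASE is an Artifactory instance, REPO is a virtual npm
# repository on it, and dependency-check.sh is on PATH.
set -eu

# Artifactory serves the audit endpoint under the virtual repo, using the same
# path suffix as the public registry (pattern taken from the thread):
#   <base>/api/npm/<repo>/-/npm/v1/security/audits
audit_url() {
  base=$1
  repo=$2
  printf '%s/api/npm/%s/-/npm/v1/security/audits\n' "${base%/}" "$repo"
}

# Option 1 (CLI): a properties file read via --propertyfile. Java properties
# files are key=value, no quoting, URL written verbatim. Echoes the line
# written so the caller can verify it.
write_propertyfile() {
  file=$1
  url=$2
  printf 'analyzer.node.audit.url=%s\n' "$url" > "$file"
  cat "$file"
}

# Option 2 (Jenkins tool step, where the launcher's JAVA_OPTS was not honoured
# in the thread): the same key as a -D system property. JAVA_TOOL_OPTIONS is
# read by every JVM started in that environment, so scope it to the step.
java_tool_options_flag() {
  printf '%s\n' "-Danalyzer.node.audit.url=$1"
}

# Preflight the mirror. A virtual repo that only proxies tarballs will answer
# the audit POST with an error, and the scan then fails late. Payload shape
# (name/version/requires/dependencies) is an assumption about the v1 API.
preflight() {
  url=$1
  payload='{"name":"preflight","version":"1.0.0","requires":{"lodash":"4.17.0"},"dependencies":{"lodash":{"version":"4.17.0"}}}'
  body=$(curl -sS --fail -H 'Content-Type: application/json' \
           -X POST --data "$payload" "$url") || return 1
  case $body in
    *'"advisories"'*) return 0 ;;
    *) echo "unexpected audit response from $url" >&2; return 1 ;;
  esac
}

# Run the scan with the properties file; extra CLI arguments pass through.
run_scan() {
  propfile=$1
  scan_dir=$2
  shift 2
  dependency-check.sh --propertyfile "$propfile" --scan "$scan_dir" \
    --format HTML --out ./odc-report "$@"
}

# Entry point, only when run directly with a mirror base and repo name:
#   ODC_WRAPPER_RUN=1 ./odc-mirror.sh https://artifactory.example.com npmjs-virtual ./app
if [ "${ODC_WRAPPER_RUN:-}" = 1 ]; then
  url=$(audit_url "$1" "$2")
  preflight "$url"
  write_propertyfile ./dependency-check.properties "$url" >/dev/null
  run_scan ./dependency-check.properties "${3:-.}"
fi
```

The preflight is the check worth keeping even if you drop the rest: the analyzer's own failure mode when the mirror does not proxy the audit endpoint is a network error at scan time, which looks identical to the upstream outages the issue was opened about. For the Jenkins case, export JAVA_TOOL_OPTIONS="$(java_tool_options_flag "$url")" inside the step that runs the tool rather than globally, since every JVM on that agent would otherwise pick it up.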