NodeAuditSearch fails with skipped dependency

umbertooo commented 3 years ago

Describe the bug Node Audit Analyzer detects a problem and declares this dependency to be skipped: "dependency skipped: package.json contain an alias for vue-loader-v16 => vue-loader@16.1.2 npm audit doesn't support aliases" However NodeAuditSearch still posts this dependency "vue-loader-v16":"npm:vue-loader@^16.1.0" to the Node Audit API and causes the scan to fail.

2021-01-22 12:16:03,806 org.owasp.dependencycheck.analyzer.NodePackageAnalyzer:286 WARN - dependency skipped: package.json contain an alias for vue-loader-v16 => vue-loader@16.1.2 npm audit doesn't support aliases

Version of dependency-check used Dependency Check Command Line

dependency-check --version
Dependency-Check Core version 6.0.5

Log file

WARN  - dependency skipped: package.json contain an alias for vue-loader-v16 => vue-loader@16.1.2 npm audit doesn't support aliases
2021-01-22 14:46:10,351 org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch:151
DEBUG - ----------------------------------------
2021-01-22 14:46:10,351 org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch:152
DEBUG - Node Audit Payload:
2021-01-22 14:46:10,366 org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch:153
DEBUG - // *** SEE PAYLOAD BELOW ***
2021-01-22 14:46:10,367 org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch:154
DEBUG - ----------------------------------------
2021-01-22 14:46:10,367 org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch:155
DEBUG - ----------------------------------------
2021-01-22 14:46:10,527 org.owasp.dependencycheck.utils.SSLSocketFactoryEx:283
DEBUG - Available Protocols:
2021-01-22 14:46:10,527 org.owasp.dependencycheck.utils.SSLSocketFactoryEx:285
DEBUG - SSLv2Hello
2021-01-22 14:46:10,527 org.owasp.dependencycheck.utils.SSLSocketFactoryEx:285
DEBUG - SSLv3
2021-01-22 14:46:10,527 org.owasp.dependencycheck.utils.SSLSocketFactoryEx:285
DEBUG - TLSv1
2021-01-22 14:46:10,527 org.owasp.dependencycheck.utils.SSLSocketFactoryEx:285
DEBUG - TLSv1.1
2021-01-22 14:46:10,527 org.owasp.dependencycheck.utils.SSLSocketFactoryEx:285
DEBUG - TLSv1.2
2021-01-22 14:46:10,527 org.owasp.dependencycheck.utils.SSLSocketFactoryEx:285
DEBUG - TLSv1.3
2021-01-22 14:46:11,473 org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch:207
DEBUG - Invalid payload submitted to Node Audit API. Received response code: 400 Bad Request
2021-01-22 14:46:11,474 org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer:326
ERROR - NodeAuditAnalyzer failed on /Users/felixmichels/Projekte/vue-cli-odc/package-lock.json
2021-01-22 14:46:11,474 org.owasp.dependencycheck.AnalysisTask:90
WARN  - An error occurred while analyzing '/Users/felixmichels/Projekte/vue-cli-odc/package-lock.json' (Node Audit Analyzer).
2021-01-22 14:46:11,477 org.owasp.dependencycheck.AnalysisTask:91
DEBUG - 
org.owasp.dependencycheck.analyzer.exception.SearchException: Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
    at org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage(NodeAuditSearch.java:209)
    at org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage(NodeAuditSearch.java:133)
    at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzePackage(NodeAuditAnalyzer.java:304)
    at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency(NodeAuditAnalyzer.java:187)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
    at java.base/java.lang.Thread.run(Thread.java:832)
2021-01-22 14:46:11,477 org.owasp.dependencycheck.Engine:630
INFO  - Finished Node Audit Analyzer (1 seconds)
.
.
.
ERROR - Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
2021-01-22 14:46:29,343 org.owasp.dependencycheck.App:209
DEBUG - unexpected error
org.owasp.dependencycheck.analyzer.exception.SearchException: Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
    at org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage(NodeAuditSearch.java:209)
    at org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage(NodeAuditSearch.java:133)
    at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzePackage(NodeAuditAnalyzer.java:304)
    at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency(NodeAuditAnalyzer.java:187)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
    at java.base/java.lang.Thread.run(Thread.java:832)
2021-01-22 14:46:29,343 org.owasp.dependencycheck.utils.Settings:759
DEBUG - Deleting ALL temporary files from `/var/folders/w2/6j80xzbx4l10kszwf46k5qc80000gn/T/dctemp91f06145-cdbb-4b67-a51c-43c61fc1b3cb`
2021-01-22 14:46:29,350 org.owasp.dependencycheck.App:82
DEBUG - Exit code: -14

Payload (redacted)

   "name":"vue-cli-odc",
   "version":"0.1.0",
   "requires":{
      "core-js":"^3.6.5",
      "vue":"^2.6.11",
      "@vue/cli-plugin-babel":"~4.5.0",
      "@vue/cli-plugin-eslint":"~4.5.0",
      "@vue/cli-service":"~4.5.0",
      "babel-eslint":"^10.1.0",
      "eslint":"^6.7.2",
      "eslint-plugin-vue":"^6.2.2",
      "vue-template-compiler":"^2.6.11"
   },
   "dependencies":{
      "@vue/cli-service":{
         "version":"4.5.10",
         "integrity":"sha512-HnVkbc+Zb6J1lu0ojuKC6aQ4PjCW2fqlJE0G9Zqg+7VsUZ2e15UVRoIXj2hcIWtQiFF6n2FDxEkvZLslht9rkg==",
         "requires":{
            // redacted
            "url-loader":"^2.2.0",
            "vue-loader":"^15.9.2",
            "vue-loader-v16":"npm:vue-loader@^16.1.0",
            "vue-style-loader":"^4.1.2",
            "webpack":"^4.0.0",
            "webpack-bundle-analyzer":"^3.8.0",
            "webpack-chain":"^6.4.0",
            "webpack-dev-server":"^3.11.0",
            "webpack-merge":"^4.2.2"
         },
         "dependencies":{
            // redacted
         }
      },
   },
   "install":[

   ],
   "remove":[

   ],
   "metadata":{
      "npm_version":"6.9.0",
      "node_version":"v10.5.0",
      "platform":"linux"
   }
}

To Reproduce Steps to reproduce the behavior:

Clone repository https://github.com/umbertooo/vue-cli-odc
Run script dependency-check.sh
See error

Expected behavior I expected the dependency scan to complete successfully.

IuliaUngur commented 3 years ago

I had the same issue. Had to downgrade to @vue/cli-service 4.4.6 which doesn't use aliases

umbertooo commented 3 years ago

I run the dependency check with the option --nodeAuditSkipDevDependencies. This skips node audit for all devDependencies. DevDependencies like the Vue CLI Service are not part of the production code so I'm fine with this workaround. However this bug would be a problem if it would happen the same way with "normal" dependencies using aliases.

Problem happens also with release 6.1.0

SuprexDE commented 1 month ago

hey, any updates here?

jeremylong / DependencyCheck

NodeAuditSearch fails with skipped dependency #3097