jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[DependencyCheck] [ERROR] Exception occurred initializing Yarn Audit Analyzer. #3137

Closed niajthat closed 2 years ago

niajthat commented 3 years ago

I am using Dependency Check Jenkins plugin with release v6.1.0.

Facing an issue with the check: the pipeline stage fails due to this error: [DependencyCheck] [WARN] The Yarn Audit Analyzer has been disabled. Yarn executable was not found. [DependencyCheck] [ERROR] Exception occurred initializing Yarn Audit Analyzer. ... .. [DependencyCheck] [ERROR] Unable to read yarn audit output.

jeremylong commented 3 years ago

Is yarn installed? If not, somehow the path being passed to Java does not include it. The next release includes the ability to explicitly set the path to yarn as a configuration parameter.

niajthat commented 3 years ago

No, yarn is not installed. Seems like the default is now to look for it and throw an error when not found. I disabled the yarn editor and then it worked. Is yarn really enabled/wanted by default or is it a bug?

jeremylong commented 3 years ago

With 6.1 we had PR to fix issues with analyzing yarn based projects; the fix utilized the yarn command. So yes, at the moment yarn is required when analyzing yarn based projects.

Venti- commented 3 years ago

Ran into this with 6.1. We don't use yarn as the project is npm based, so I was a bit confused about the error. Managed to work around it with --disableYarnAudit.

jeremylong commented 3 years ago

@Venti- if you saw this error then somewhere in your scan directory there is a yarn.lock.

Venti- commented 3 years ago

@jeremylong There are several inside ./node_modules/, I should exclude that directory. I didn't realize DependencyCheck was diving into subdirectories. Thanks.

jeremylong commented 3 years ago

The Yarn analyzer should be skipping anything in the node_modules directory by default. Any chance you have a vendor directory? We aren't skipping files in the vendor directory (yet)...

Venti- commented 3 years ago

No, all instances of yarn.lock were in node_modules. Checked with find.

I looked at how we are calling DependencyCheck, and we do specify --exclude for something else. Perhaps that overwrites default exclusion for node_modules?

jeremylong commented 3 years ago

Another way the error could have occurred - if there is an archive that contains a yarn.lock. This might get flagged even if it was in the node_modules directory... As the yarn.lock would get copied into the temp directory.

iamrahul127 commented 3 years ago

I also have the exact same issue. All yarn.lock files are under node_modules/. Error message as below.

[WARN] The Yarn Audit Analyzer has been disabled. Yarn executable was not found.
[ERROR] Exception occurred initializing Yarn Audit Analyzer.

I am not sure why, when the warning above clearly states that the Yarn executable was not found, the plugin is still trying to initialize it. I will fix it the way @Venti has mentioned.

Any plan to fix this?

stefan-schweiger commented 3 years ago

Is yarn installed? If not, somehow the path being passed to Java does not include it. The next release includes the ability to explicitly set the path to yarn as a configuration parameter.

@jeremylong was the version with this parameter already released? I'm on 6.1.6 and I can't see it via --help. Also, what would be needed so that DependencyCheck can find the yarn path on its own? I've just installed it globally via npm and can use it from PowerShell without a problem.

kousourakis commented 2 years ago

Same issue here. I have ignored node_modules but am still having the same issue. I also tried installing yarn even though it's not needed. The only references to yarn files are in node_modules.

jeremylong commented 2 years ago

@elenoir my best guess is the exclude is not working correctly. Add --log odc.log to the call and search for yarn.lock - it should point out which file is being included to cause the yarn analyzer to be initialized.

tsteenbakkers commented 2 years ago

I'd also like to reply here since we have had this issue pop up for some time and finally had the time to dive into it. Basically our issue is similar to what is described above: an NPM based project with yarn.lock files inside the node_modules folder only. We are not using any exclusions for folders. Yarn has never been installed on the target build server.

Has there been any progress on this by any chance?

Edit: I should clarify that all our Yarn.lock files are inside node_modules and nothing coming from other sources.

I had a look at the log and it appears to find several yarn.lock files inside the node_modules folder. Then, for each yarn.lock file found in the node_modules folder, it is filing an exclusion / skip. Yet it does proceed with attempting to load yarn for 0 eligible yarn.lock files.

manuelwallrapp commented 2 years ago

I have the same issue here, is there any progress on this issue?

eugene-kuntsevich commented 2 years ago

Hi, everyone. I'm getting the following message in the console for DependencyCheck 6.5.0:

InitializationException: Unable to read yarn audit output.
[ERROR] caused by IOException: Cannot run program "yarn": CreateProcess error=2, The system cannot find the file specified
[ERROR] caused by IOException: CreateProcess error=2, The system cannot find the file specified

@jeremylong do you have a plan for fixing it? Please let me know if you need further details about the environment, project structure etc.

Thanks in advance!

xoapit commented 2 years ago

I have the same issue. I tried to add --yarn path to the command. Then the log shows an error:

    The {} has been disabled. Yarn executable was not found.
    java.io.IOException: Cannot run program "c:\Program Files (x86)\Yarn\bin\yarn": CreateProcess error=193, %1 is not a valid Win32 application
        at java.lang.ProcessBuilder.start(Unknown Source)
        at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.prepareFileTypeAnalyzer(YarnAuditAnalyzer.java:153)
        at org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer.prepareAnalyzer(AbstractFileTypeAnalyzer.java:83)
        at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.prepare(AbstractAnalyzer.java:102)
        at org.owasp.dependencycheck.Engine.initializeAnalyzer(Engine.java:802)
        at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:638)
        at org.owasp.dependencycheck.App.runScan(App.java:256)
        at org.owasp.dependencycheck.App.run(App.java:188)
        at org.owasp.dependencycheck.App.main(App.java:83)
    Caused by: java.io.IOException: CreateProcess error=193, %1 is not a valid Win32 application

DmitriyRomanovich commented 1 year ago

$(Agent.TempDirectory)/dependency-scan-results/dependency-check-report.html works with the plugin

antonysmith-mando commented 1 year ago

@jeremylong according to #4049, this should have been fixed in 7.0.0, but I still appear to be seeing it in 7.1.0.

I'm getting the following in a project that only has references to yarn.lock files in node_modules:

[WARN] The Yarn Audit Analyzer has been disabled. Yarn executable was not found.
[ERROR] Exception occurred initializing Yarn Audit Analyzer.

As suggested above, I've run ODC with --log and this is the output:

    Line     48: DEBUG - Setting: analyzer.yarn.audit.enabled='true'
    Line  43436: DEBUG - Found file ***\node_modules\@yarnpkg\lockfile\README.md
    Line  43438: DEBUG - Found file ***\node_modules\@yarnpkg\lockfile\index.js
    Line  43440: DEBUG - Found file ***\node_modules\@yarnpkg\lockfile\package.json
    Line  51178: DEBUG - Found file ***\node_modules\browserify-zlib\yarn.lock
    Line  51480: DEBUG - Found file ***\node_modules\bs-recipes\recipes\webpack.preact-hot-loader\yarn.lock
    Line  55474: DEBUG - Found file ***\node_modules\chrome-trace-event\yarn.lock
    Line  66882: DEBUG - Found file ***\node_modules\debug-fabulous\yarn-error.log
    Line  66884: DEBUG - Found file ***\node_modules\debug-fabulous\yarn.lock
    Line  67694: DEBUG - Found file ***\node_modules\dom-event-types\yarn.lock
    Line  82150: DEBUG - Found file ***\node_modules\fileset\yarn.lock
    Line  82842: DEBUG - Found file ***\node_modules\form-data\yarn.lock
    Line  84908: DEBUG - Found file ***\node_modules\gulp-accessibility\yarn.lock
    Line  85274: DEBUG - Found file ***\node_modules\gulp-htmlhint\yarn.lock
    Line  88970: DEBUG - Found file ***\node_modules\has-yarn\index.d.ts
    Line  88972: DEBUG - Found file ***\node_modules\has-yarn\index.js
    Line  88974: DEBUG - Found file ***\node_modules\has-yarn\license
    Line  88976: DEBUG - Found file ***\node_modules\has-yarn\package.json
    Line  88978: DEBUG - Found file ***\node_modules\has-yarn\readme.md
    Line 102190: DEBUG - Found file ***\node_modules\is-number-like\yarn.lock
    Line 102438: DEBUG - Found file ***\node_modules\is-yarn-global\.travis.yml
    Line 102440: DEBUG - Found file ***\node_modules\is-yarn-global\LICENSE
    Line 102442: DEBUG - Found file ***\node_modules\is-yarn-global\README.md
    Line 102444: DEBUG - Found file ***\node_modules\is-yarn-global\index.js
    Line 102446: DEBUG - Found file ***\node_modules\is-yarn-global\package.json
    Line 108430: DEBUG - Found file ***\node_modules\jsx-ast-utils\yarn.lock
    Line 111408: DEBUG - Found file ***\node_modules\known-css-properties\yarn.lock
    Line 131174: DEBUG - Found file ***\node_modules\psl\yarn.lock
    Line 133632: DEBUG - Found file ***\node_modules\registry-auth-token\yarn.lock
    Line 146440: DEBUG - Found file ***\node_modules\snyk-nodejs-lockfile-parser\dist\parsers\yarn-lock-parse.d.ts
    Line 146442: DEBUG - Found file ***\node_modules\snyk-nodejs-lockfile-parser\dist\parsers\yarn-lock-parse.js
    Line 146444: DEBUG - Found file ***\node_modules\snyk-nodejs-lockfile-parser\dist\parsers\yarn-lock-parse.js.map
    Line 147026: DEBUG - Found file ***\node_modules\snyk\dist\lib\plugins\yarn\index.js
    Line 147028: DEBUG - Found file ***\node_modules\snyk\dist\lib\plugins\yarn\index.js.map
    Line 147130: DEBUG - Found file ***\node_modules\snyk\dist\lib\yarn.js
    Line 147132: DEBUG - Found file ***\node_modules\snyk\dist\lib\yarn.js.map
    Line 147242: DEBUG - Found file ***\node_modules\snyk\node_modules\chardet\yarn.lock
    Line 153890: DEBUG - Found file ***\node_modules\uri-js\yarn.lock
    Line 156076: DEBUG - Found file ***\node_modules\vue-loader\node_modules\vue-style-loader\yarn.lock

Should I be expecting to see this behaviour in 7.1.0?

Thanks
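Jeremy's diagnostic earlier in the thread (run with --log and search the log for yarn.lock) and the debug excerpt above suggest a quick way to tell the two situations apart: a yarn.lock outside node_modules (which legitimately wakes the analyzer) versus only node_modules hits (where --disableYarnAudit is the safe workaround). The script below is an added example written for this issue, not code from the project or from any commenter; it assumes the `DEBUG - Found file <path>` line format shown above and runs on a constructed sample log.

```shell
#!/bin/sh
# Constructed sample of a dependency-check --log excerpt (not real output from any
# project in this thread); mixes Windows and POSIX paths so both separators are exercised.
ODC_LOG_SAMPLE='DEBUG - Found file ***\node_modules\form-data\yarn.lock
DEBUG - Found file ***\node_modules\debug-fabulous\yarn-error.log
DEBUG - Found file /build/app/node_modules/psl/yarn.lock
DEBUG - Found file /build/app/vendor/legacy-ui/yarn.lock
DEBUG - Found file ***\tools\release-bundle\yarn.lock
DEBUG - Found file /build/app/package-lock.json'

# Print every yarn.lock the scan picked up that is NOT inside a node_modules directory.
# Those are the lockfiles that legitimately wake the Yarn Audit Analyzer; if this prints
# nothing, suspect the node_modules exclusion not being applied or a yarn.lock inside an
# archive that was unpacked to the temp directory.
yarn_locks_outside_node_modules() {
    # $1: path to the file written by --log. CRs are stripped so Windows logs match '$'.
    tr -d '\r' < "$1" \
        | grep 'Found file .*yarn\.lock$' \
        | grep -v '[/\\]node_modules[/\\]' \
        | sed 's/.*Found file //'
}

# Number of project-level lockfiles; 0 means --disableYarnAudit loses nothing for this scan.
count_project_yarn_locks() {
    yarn_locks_outside_node_modules "$1" | grep -c . || true
}

# Write the constructed sample to a temp file so the functions can be run on it as-is.
write_sample_log() {
    f=$(mktemp)
    printf '%s\n' "$ODC_LOG_SAMPLE" > "$f"
    echo "$f"
}

# Stand-alone demo against the sample (replace with your own odc.log in practice).
demo_log=$(write_sample_log)
yarn_locks_outside_node_modules "$demo_log"
echo "project-level yarn.lock files: $(count_project_yarn_locks "$demo_log")"
```

On a real odc.log, a non-empty result names the file to exclude or the directory to point --yarn at; an empty result means the analyzer was started for nothing and --disableYarnAudit is the right call.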

liangbsh105 commented 1 year ago

Solution: before running dependency check, you should run "npm install & npm run build" first.

antonysmith-mando commented 1 year ago

In my case, these commands have been run prior to the ODC tool being run.

rujiel commented 1 year ago

For plugin ver 7.4.1: under Windows + git bash this error with the yarn auditor was occurring without any yarn lock files (although there were some files inside node_modules folders). I also didn't have yarn on my Java path.

For me the fix was switching to basic windows cmd and running the same command in my project dir