Closed jaskaransinghdr6j closed 3 years ago
Just realized you're only using yarn audit to create the json request, only to then send it to the NodeAudit API instead. Does this mean I would specifically need to run yarn install before running the scan to get the dependencies in the cache?
Yes, I believe you would need to run yarn install first. The yarn integration was a PR - happy to accept improvements to it via PRs.
Getting the same error, yarn install has been executed. Using Yarn 3.1.1
```
[WARN] An unexpected error occurred during analysis of 'D:\WORK\frontend\yarn.lock' (Yarn Audit Analyzer): No value present
[ERROR]
java.util.NoSuchElementException: No value present
    at java.base/java.util.Optional.get(Optional.java:141)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson(YarnAuditAnalyzer.java:244)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzePackage(YarnAuditAnalyzer.java:284)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzeDependency(YarnAuditAnalyzer.java:106)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
    at java.base/java.lang.Thread.run(Thread.java:832)
[INFO] Finished Yarn Audit Analyzer (2 seconds)
```
Hi! I am getting the same error - @rene-stesl Did you manage to figure it out?
Hi @brigittarucz, haven't had enough time for this, since the report gets stuck for hours after the Vulnerability Suppression Analyzer and then crashes with multiple errors.
But if I had to bet, my guess would be that the YarnAuditAnalyzer is written for yarn classic and not for berry.
Thank you for your input - I did make it work by disabling the audit:
```yaml
- uses: dependency-check/Dependency-Check_Action@main
  id: Depcheck
  with:
    project: "Floods"
    path: "."
    format: "HTML"
    args: >
      --failOnCVSS 7
      --enableRetired
      --disableYarnAudit
```
In my case, when I got this error, the yarn.lock file was corrupted.
I ran `yarn audit --offline --verbose --json` and uncovered the underlying issue.
ODC Version 6.1.1
Hi, I'm trying to scan a yarn project which includes the yarn.lock file. As I'm running ODC on a machine which is not the build machine, it does not have the yarn cache available, and hence I'm getting the following error:
```
DEBUG - Begin Analysis of 'C:\New_Software\dependency-check-6.1.1-release\dependency-check\bin\ebc2ui-paymyinvoice\yarn.lock' (Yarn Audit Analyzer)
2021-02-24 17:20:55,380 org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer:213 DEBUG - Launching: [C:\Users\jasksing\AppData\Roaming\npm\yarn.cmd, audit, --offline, --json, --verbose]
2021-02-24 17:20:56,536 org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer:220 DEBUG - Process Error Out:
{"type":"warning","data":"Resolution field \"regenerator-runtime@0.13.2\" is incompatible with requested version \"regenerator-runtime@^0.12.0\""}
{"type":"warning","data":"Resolution field \"regenerator-runtime@0.13.2\" is incompatible with requested version \"regenerator-runtime@^0.11.0\""}
{"type":"error","data":"Couldn't find any versions for \"@cybs-ui/components\" that matches \"5.10.5\" in our cache (possible versions are \"\"). This is usually caused by a missing entry in the lockfile, running Yarn without the --offline flag may help fix this issue."}
2021-02-24 17:20:56,536 org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer:221 DEBUG - Process Out:
{"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\dependency-check\\bin\\ebc2ui-paymyinvoice\\.npmrc\"."}
{"type":"verbose","data":"Checking for configuration file \"C:\\Users\\jasksing\\.npmrc\"."}
{"type":"verbose","data":"Checking for configuration file \"C:\\Program Files\\nodejs\\etc\\npmrc\"."}
{"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\dependency-check\\bin\\ebc2ui-paymyinvoice\\.npmrc\"."}
{"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\dependency-check\\bin\\.npmrc\"."}
{"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\dependency-check\\.npmrc\"."}
{"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\.npmrc\"."}
{"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\.npmrc\"."}
{"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\dependency-check\\bin\\ebc2ui-paymyinvoice\\.yarnrc\"."}
{"type":"verbose","data":"Found configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\dependency-check\\bin\\ebc2ui-paymyinvoice\\.yarnrc\"."}
{"type":"verbose","data":"Checking for configuration file \"C:\\Users\\jasksing\\.yarnrc\"."}
{"type":"verbose","data":"Found configuration file \"C:\\Users\\jasksing\\.yarnrc\"."}
{"type":"verbose","data":"Checking for configuration file \"C:\\Program Files\\nodejs\\etc\\yarnrc\"."}
{"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\dependency-check\\bin\\ebc2ui-paymyinvoice\\.yarnrc\"."}
{"type":"verbose","data":"Found configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\dependency-check\\bin\\ebc2ui-paymyinvoice\\.yarnrc\"."}
{"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\dependency-check\\bin\\.yarnrc\"."}
{"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\dependency-check\\.yarnrc\"."}
{"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\.yarnrc\"."}
{"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\.yarnrc\"."}
{"type":"verbose","data":"current time: 2021-02-25T01:20:56.215Z"}
{"type":"verbose","data":"Error: Couldn't find any versions for \"@cybs-ui/components\" that matches \"5.10.5\" in our cache (possible versions are \"\"). This is usually caused by a missing entry in the lockfile, running Yarn without the --offline flag may help fix this issue.\n at MessageError.ExtendableBuiltin (C:\Users\jasksing\AppData\Roaming\npm\node_modules\yarn\lib\cli.js:721:66)\n at new MessageError (C:\Users\jasksing\AppData\Roaming\npm\node_modules\yarn\lib\cli.js:750:123)\n at NpmResolver. (C:\Users\jasksing\AppData\Roaming\npm\node_modules\yarn\lib\cli.js:50633:15)\n at Generator.next ()\n at step (C:\Users\jasksing\AppData\Roaming\npm\node_modules\yarn\lib\cli.js:310:30)\n at C:\Users\jasksing\AppData\Roaming\npm\node_modules\yarn\lib\cli.js:321:13"}
{"type":"info","data":"Visit https://yarnpkg.com/en/docs/cli/audit for documentation about this command."}
2021-02-24 17:20:56,537 org.owasp.dependencycheck.AnalysisTask:94 WARN - An unexpected error occurred during analysis of 'C:\New_Software\dependency-check-6.1.1-release\dependency-check\bin\ebc2ui-paymyinvoice\yarn.lock' (Yarn Audit Analyzer): No value present
2021-02-24 17:20:56,539 org.owasp.dependencycheck.AnalysisTask:96 ERROR - java.util.NoSuchElementException: No value present
    at java.util.Optional.get(Unknown Source)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson(YarnAuditAnalyzer.java:226)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzePackage(YarnAuditAnalyzer.java:267)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzeDependency(YarnAuditAnalyzer.java:97)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
2021-02-24 17:20:56,539 org.owasp.dependencycheck.Engine:630 INFO - Finished Yarn Audit Analyzer (2 seconds)
```
If I run the "yarn audit" command independently of Dependency Check, I get perfect results. Is there no way to run yarn audit in the online mode?
Thanks
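Both the "corrupted yarn.lock" comment above and the original report come down to the same mechanism: the analyzer launches `yarn audit --offline --json --verbose` (visible in the DEBUG line of the log) and then reads yarn's JSON-lines output; when yarn cannot satisfy the lockfile from its local cache it emits a `{"type":"error",...}` record instead of the audit records, and the analyzer's `Optional.get()` finds nothing, which is the "No value present" exception. The preflight below is an added example, not Dependency-Check's code and not code posted by anyone in this thread. It assumes the Yarn classic (1.x) output format, one JSON object per line with `type` and `data` fields, advisories as `auditAdvisory` and a closing `auditSummary`; Yarn 2+ (berry) exposes the audit as `yarn npm audit` with differently shaped JSON, so this parser, like the analyzer's `yarn audit --offline` call, only applies to classic. The warning and error sample lines are copied from the log in this issue; the advisory and summary lines are constructed placeholders. `run_yarn_audit_offline` needs Yarn classic on PATH and a populated cache (`yarn install` first) and is the only part that is not exercised offline.

```python
"""Preflight for the Yarn Audit Analyzer: run `yarn audit --offline --json`
the way Dependency-Check does and refuse to trust the result when yarn
reported an error (e.g. a cache miss) or never reached auditSummary.
Added example; assumes Yarn classic (1.x) JSON-lines output."""
import json
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Yarn classic severity labels, lowest to highest.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


@dataclass
class AuditResult:
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)
    advisories: List[dict] = field(default_factory=list)
    summary: Optional[dict] = None

    @property
    def cache_complete(self) -> bool:
        """True only if yarn resolved every lockfile entry from its cache
        and got to the end of the audit (the auditSummary record)."""
        return not self.errors and self.summary is not None


def parse_yarn_audit(stdout: str, stderr: str = "") -> AuditResult:
    """Parse yarn's JSON lines. Yarn writes warnings/errors to stderr and
    advisories/summary to stdout, so both streams are scanned."""
    result = AuditResult()
    for raw in (stdout + "\n" + stderr).splitlines():
        line = raw.strip()
        if not line.startswith("{"):
            continue  # banner or other non-JSON text
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue
        kind, data = msg.get("type"), msg.get("data")
        if kind == "error":
            result.errors.append(str(data))
        elif kind == "warning":
            result.warnings.append(str(data))
        elif kind == "auditAdvisory":
            result.advisories.append(data["advisory"])
        elif kind == "auditSummary":
            result.summary = data
    return result


def worst_severity(result: AuditResult) -> Optional[str]:
    """Highest severity label among the advisories, or None if there are none."""
    if not result.advisories:
        return None
    return max((a["severity"] for a in result.advisories),
               key=lambda s: SEVERITY_RANK.get(s, -1))


def should_fail(result: AuditResult, threshold: str = "high") -> bool:
    """Fail when the audit is untrustworthy (errors, no summary) or when any
    advisory meets the severity threshold."""
    if not result.cache_complete:
        return True
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(a["severity"], -1) >= limit
               for a in result.advisories)


def run_yarn_audit_offline(project_dir: str) -> AuditResult:
    """Same command the analyzer launches (minus --verbose). check=False
    because yarn audit exits non-zero whenever it finds vulnerabilities."""
    proc = subprocess.run(["yarn", "audit", "--offline", "--json"],
                          cwd=project_dir, capture_output=True, text=True,
                          check=False)
    return parse_yarn_audit(proc.stdout, proc.stderr)


# Warning/error lines copied from this issue's log; advisory/summary lines
# are constructed placeholders, not real advisories.
SAMPLE_STDERR_CACHE_MISS = "\n".join([
    '{"type":"warning","data":"Resolution field \\"regenerator-runtime@0.13.2\\" '
    'is incompatible with requested version \\"regenerator-runtime@^0.12.0\\""}',
    '{"type":"error","data":"Couldn\'t find any versions for \\"@cybs-ui/components\\" '
    'that matches \\"5.10.5\\" in our cache (possible versions are \\"\\"). '
    'This is usually caused by a missing entry in the lockfile, running Yarn '
    'without the --offline flag may help fix this issue."}',
])
SAMPLE_STDOUT_WARM_CACHE = "\n".join([
    '{"type":"auditAdvisory","data":{"resolution":{"id":0,"path":"example-pkg",'
    '"dev":false,"optional":false,"bundled":false},"advisory":{"id":0,'
    '"module_name":"example-pkg","severity":"high","title":"constructed example",'
    '"vulnerable_versions":"<1.0.1","patched_versions":">=1.0.1"}}}',
    '{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":0,'
    '"moderate":0,"high":1,"critical":0},"dependencies":1,"devDependencies":0,'
    '"optionalDependencies":0,"totalDependencies":1}}',
])

if __name__ == "__main__":
    for label, out, err in [("cache miss", "", SAMPLE_STDERR_CACHE_MISS),
                            ("warm cache", SAMPLE_STDOUT_WARM_CACHE, "")]:
        r = parse_yarn_audit(out, err)
        print(label, "complete:", r.cache_complete, "worst:", worst_severity(r),
              "fail@high:", should_fail(r, "high"), "errors:", r.errors)
```

Run it from the project directory before the Dependency-Check scan (or wire `run_yarn_audit_offline` into the pipeline): a cache-miss result points at the missing lockfile entry or the cold cache directly, instead of surfacing later as the analyzer's `NoSuchElementException`. An `auditSummary` with no errors is the precondition the analyzer implicitly relies on.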