jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Error on Yarn Audit Offline #3162

Closed jaskaransinghdr6j closed 3 years ago

jaskaransinghdr6j commented 3 years ago

ODC Version 6.1.1

Hi, I'm trying to scan a yarn project which includes the yarn.lock file. As I'm running ODC on a machine which is not the build machine, it does not have the yarn cache available, and hence I'm getting the following error:

DEBUG - Begin Analysis of 'C:\New_Software\dependency-check-6.1.1-release\dependency-check\bin\ebc2ui-paymyinvoice\yarn.lock' (Yarn Audit Analyzer)
2021-02-24 17:20:55,380 org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer:213 DEBUG - Launching: [C:\Users\jasksing\AppData\Roaming\npm\yarn.cmd, audit, --offline, --json, --verbose]
2021-02-24 17:20:56,536 org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer:220 DEBUG - Process Error Out: {"type":"warning","data":"Resolution field \"regenerator-runtime@0.13.2\" is incompatible with requested version \"regenerator-runtime@^0.12.0\""} {"type":"warning","data":"Resolution field \"regenerator-runtime@0.13.2\" is incompatible with requested version \"regenerator-runtime@^0.11.0\""} {"type":"error","data":"Couldn't find any versions for \"@cybs-ui/components\" that matches \"5.10.5\" in our cache (possible versions are \"\"). This is usually caused by a missing entry in the lockfile, running Yarn without the --offline flag may help fix this issue."}

2021-02-24 17:20:56,536 org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer:221 DEBUG - Process Out: {"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\dependency-check\\bin\\ebc2ui-paymyinvoice\\.npmrc\"."} {"type":"verbose","data":"Checking for configuration file \"C:\\Users\\jasksing\\.npmrc\"."} {"type":"verbose","data":"Checking for configuration file \"C:\\Program Files\\nodejs\\etc\\npmrc\"."} {"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\dependency-check\\bin\\ebc2ui-paymyinvoice\\.npmrc\"."} {"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\dependency-check\\bin\\.npmrc\"."} {"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\dependency-check\\.npmrc\"."} {"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\.npmrc\"."} {"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\.npmrc\"."} {"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\dependency-check\\bin\\ebc2ui-paymyinvoice\\.yarnrc\"."} {"type":"verbose","data":"Found configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\dependency-check\\bin\\ebc2ui-paymyinvoice\\.yarnrc\"."} {"type":"verbose","data":"Checking for configuration file \"C:\\Users\\jasksing\\.yarnrc\"."} {"type":"verbose","data":"Found configuration file \"C:\\Users\\jasksing\\.yarnrc\"."} {"type":"verbose","data":"Checking for configuration file \"C:\\Program Files\\nodejs\\etc\\yarnrc\"."} {"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\dependency-check\\bin\\ebc2ui-paymyinvoice\\.yarnrc\"."} {"type":"verbose","data":"Found configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\dependency-check\\bin\\ebc2ui-paymyinvoice\\.yarnrc\"."} {"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\dependency-check\\bin\\.yarnrc\"."} {"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\dependency-check\\.yarnrc\"."} {"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\dependency-check-6.1.1-release\\.yarnrc\"."} {"type":"verbose","data":"Checking for configuration file \"C:\\New_Software\\.yarnrc\"."} {"type":"verbose","data":"current time: 2021-02-25T01:20:56.215Z"} {"type":"verbose","data":"Error: Couldn't find any versions for \"@cybs-ui/components\" that matches \"5.10.5\" in our cache (possible versions are \"\"). This is usually caused by a missing entry in the lockfile, running Yarn without the --offline flag may help fix this issue.\n at MessageError.ExtendableBuiltin (C:\Users\jasksing\AppData\Roaming\npm\node_modules\yarn\lib\cli.js:721:66)\n at new MessageError (C:\Users\jasksing\AppData\Roaming\npm\node_modules\yarn\lib\cli.js:750:123)\n at NpmResolver. (C:\Users\jasksing\AppData\Roaming\npm\node_modules\yarn\lib\cli.js:50633:15)\n at Generator.next ()\n at step (C:\Users\jasksing\AppData\Roaming\npm\node_modules\yarn\lib\cli.js:310:30)\n at C:\Users\jasksing\AppData\Roaming\npm\node_modules\yarn\lib\cli.js:321:13"} {"type":"info","data":"Visit https://yarnpkg.com/en/docs/cli/audit for documentation about this command."}

2021-02-24 17:20:56,537 org.owasp.dependencycheck.AnalysisTask:94 WARN - An unexpected error occurred during analysis of 'C:\New_Software\dependency-check-6.1.1-release\dependency-check\bin\ebc2ui-paymyinvoice\yarn.lock' (Yarn Audit Analyzer): No value present
2021-02-24 17:20:56,539 org.owasp.dependencycheck.AnalysisTask:96 ERROR - java.util.NoSuchElementException: No value present
        at java.util.Optional.get(Unknown Source)
        at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson(YarnAuditAnalyzer.java:226)
        at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzePackage(YarnAuditAnalyzer.java:267)
        at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzeDependency(YarnAuditAnalyzer.java:97)
        at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
        at java.util.concurrent.FutureTask.run(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
2021-02-24 17:20:56,539 org.owasp.dependencycheck.Engine:630 INFO - Finished Yarn Audit Analyzer (2 seconds)

If I run the "yarn audit" command independently of Dependency Check, I get perfect results. Is there no way to run yarn audit in the online mode?

Thanks

jaskaransinghdr6j commented 3 years ago

Just realized you're only using yarn audit to create the json request, only to then send it to the NodeAudit API instead. Does this mean I would specifically need to run yarn install before running the scan to get the dependencies in the cache?

jeremylong commented 3 years ago

Yes, I believe you would need to run yarn install first. The yarn integration was a PR - happy to accept improvements to it via PRs.

rene-stesl commented 2 years ago

Getting the same error, yarn install has been executed. Using Yarn 3.1.1

[WARN] An unexpected error occurred during analysis of 'D:\WORK\frontend\yarn.lock' (Yarn Audit Analyzer): No value present
[ERROR]
java.util.NoSuchElementException: No value present
        at java.base/java.util.Optional.get(Optional.java:141)
        at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson(YarnAuditAnalyzer.java:244)
        at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzePackage(YarnAuditAnalyzer.java:284)
        at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzeDependency(YarnAuditAnalyzer.java:106)
        at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
        at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
        at java.base/java.lang.Thread.run(Thread.java:832)
[INFO] Finished Yarn Audit Analyzer (2 seconds)

brigittarucz commented 2 years ago

Hi! I am getting the same error - @rene-stesl Did you manage to figure it out?

rene-stesl commented 2 years ago

> Hi! I am getting the same error - @rene-stesl Did you manage to figure it out?

Hi @brigittarucz, haven't had enough time for this, since the report gets stuck for hours after the Vulnerability Suppression Analyzer and then crashes with multiple errors.

But if I should bet, my guess would be that the YarnAuditAnalyzer is written for yarn classic and not for berry.

brigittarucz commented 2 years ago

Thank you for your input - I did make it work by disabling the audit:

        uses: dependency-check/Dependency-Check_Action@main
        id: Depcheck
        with:
          project: "Floods"
          path: "."
          format: "HTML"
          args: >
            --failOnCVSS 7
            --enableRetired
            --disableYarnAudit

caesarshift commented 1 year ago

In my case, when I got this error, the yarn.lock file was corrupted.

I ran yarn audit --offline --verbose --json and uncovered the underlying issue.
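A pre-flight check that ties together the three diagnoses in this thread (run `yarn install` first so the offline cache is populated, and run `yarn audit --offline --json --verbose` yourself to see yarn's real error instead of the analyzer's "No value present"), as an added example that is not dependency-check's own code. It assumes yarn classic's NDJSON output format and that the Yarn Audit Analyzer extracts a verbose `Audit Request:` line to build the request it forwards to the audit API; `parse_yarn_audit`, `run_preflight` and both sample outputs are constructed for this example (the failing sample mirrors the log quoted above).

```python
"""Pre-flight check on the `yarn audit --offline --json --verbose` output that
OWASP dependency-check's Yarn Audit Analyzer consumes (yarn classic format).
Constructed example, not dependency-check's code. Assumption: the analyzer
extracts the verbose "Audit Request:" line to build the request it sends on to
the audit API, so a run without that line ends in the "No value present" failure."""
import json
import subprocess
from typing import Dict, List


def parse_yarn_audit(ndjson: str) -> Dict[str, object]:
    """Parse yarn's NDJSON stream: one JSON object per line, other lines ignored."""
    errors: List[str] = []
    warnings: List[str] = []
    audit_request_seen = False
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # yarn sometimes interleaves plain text; skip it
        kind, data = entry.get("type"), entry.get("data")
        if kind == "error":
            errors.append(str(data))
        elif kind == "warning":
            warnings.append(str(data))
        elif kind == "verbose" and isinstance(data, str) and data.startswith("Audit Request:"):
            audit_request_seen = True  # assumed marker the analyzer looks for
    # ODC can only proceed when yarn emitted no error and produced the request body
    ok = not errors and audit_request_seen
    return {"ok": ok, "errors": errors, "warnings": warnings,
            "audit_request_seen": audit_request_seen}


def run_preflight(project_dir: str) -> Dict[str, object]:
    """Run yarn exactly as the analyzer does; errors go to stderr, verbose lines to stdout."""
    proc = subprocess.run(["yarn", "audit", "--offline", "--json", "--verbose"],
                          cwd=project_dir, capture_output=True, text=True, check=False)
    return parse_yarn_audit(proc.stderr + "\n" + proc.stdout)


# Constructed sample: the failing run from this issue (dependency missing from the cache) ...
FAILING_OUTPUT = r"""
{"type":"warning","data":"Resolution field \"regenerator-runtime@0.13.2\" is incompatible with requested version \"regenerator-runtime@^0.12.0\""}
{"type":"error","data":"Couldn't find any versions for \"@cybs-ui/components\" that matches \"5.10.5\" in our cache (possible versions are \"\"). This is usually caused by a missing entry in the lockfile, running Yarn without the --offline flag may help fix this issue."}
"""
# ... and a constructed healthy run after `yarn install`, where the request line is present.
HEALTHY_OUTPUT = r"""
{"type":"verbose","data":"Audit Request: {\"name\":\"example\",\"requires\":{},\"dependencies\":{}}"}
{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":0,"moderate":0,"high":0,"critical":0}}}
"""
```

Running `run_preflight(".")` in the project directory before dependency-check, and failing the pipeline when `ok` is false, surfaces the yarn error that the analyzer's `NoSuchElementException` hides.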