jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Angular app - Package-Lock files throw errors #4031

Open crypticraven opened 2 years ago

crypticraven commented 2 years ago

Describe the bug
When scanning an Angular application, the dependency-check application throws an error when it comes across package-lock files.

Version of dependency-check used
6.5.3

Log file

[INFO] Finished NVD CVE Analyzer (0 seconds)
[ERROR] NodeAuditAnalyzer failed on C:\a\1\s\NextGen\UserDriven\Website\SPA\package-lock.json
[WARN] An error occurred while analyzing 'C:\a\1\s\NextGen\UserDriven\Website\SPA\package-lock.json' (Node Audit Analyzer).
[INFO] Finished Node Audit Analyzer (0 seconds)
00:00 INFO: Vulnerability found: jquery below 1.12.0
00:00 INFO: Vulnerability found: jquery below 1.12.0
00:00 INFO: Vulnerability found: jquery below 3.4.0
00:00 INFO: Vulnerability found: jquery below 3.5.0
00:00 INFO: Vulnerability found: jquery below 3.5.0
00:00 INFO: Vulnerability found: jquery below 1.12.0
00:00 INFO: Vulnerability found: jquery below 1.12.0
00:00 INFO: Vulnerability found: jquery below 3.4.0
00:00 INFO: Vulnerability found: jquery below 3.5.0
00:00 INFO: Vulnerability found: jquery below 3.5.0
00:00 INFO: Vulnerability found: jquery below 1.12.0
00:00 INFO: Vulnerability found: jquery below 1.12.0
00:00 INFO: Vulnerability found: jquery below 3.4.0
00:00 INFO: Vulnerability found: jquery below 3.5.0
00:00 INFO: Vulnerability found: jquery below 3.5.0
[INFO] Finished RetireJS Analyzer (1 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (4 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (24 seconds)
[INFO] Writing report to: C:\a\1\TestResults\dependency-check\dependency-check-report.xml
[INFO] Writing report to: C:\a\1\TestResults\dependency-check\dependency-check-report.html
[INFO] Writing report to: C:\a\1\TestResults\dependency-check\dependency-check-junit.xml
[ERROR] Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.

Dependency Check completed with exit code 4294967282.
Dependency Check reports: [ 'C:\a\1\TestResults\dependency-check\dependency-check-junit.xml', 'C:\a\1\TestResults\dependency-check\dependency-check-report.html', 'C:\a\1\TestResults\dependency-check\dependency-check-report.xml' ]
Dependency Check failed with message "Dependency Check exited with an error code (exit code: 4294967282)."

[error]Dependency Check exited with an error code (exit code: 4294967282).

Ending Dependency Check...

To Reproduce
Appears only when the package-lock.json file is part of the repository. If we remove the file, the scan happens as expected and no errors are thrown.

Expected behavior
Scan should be conducted as it would with any other package.json file.

Additional context
We're running this from an OWASP plugin directly connected to AzureDevOps via a pipeline. There are no unique configurations for the environment that we were testing with, just a generic configuration for testing the plugin to provide a POC to our development team when scanning for code dependency files.

aikebah commented 2 years ago

If you would have provided the debug log (as instructed) instead of the regular info/error log, we might be able to tell what breaks in your case. Now you're all on your own.

crypticraven commented 2 years ago

https://gist.github.com/crypticraven/a60ed0c406bc34ec4f19c3144494a71a

This is from a pipeline; I enabled verbosity.

aikebah commented 2 years ago

@jeremylong Do you recall what causes we've seen for "Invalid payload submitted to Node Audit API"? I vaguely recall we've seen similar error patterns in the past.

jeremylong commented 2 years ago

There are a few existing tickets around this:

https://github.com/jeremylong/DependencyCheck/issues?q=is%3Aissue+is%3Aopen+Invalid+payload+submitted+to+Node+Audit+API

I have not had time to dig into this failure.

bovy89 commented 1 year ago

In my case the problem seems to be related to a package-lock.json with lockfileVersion 3. Regenerating it using node-16 (lockfileVersion 2) temporarily resolves that issue.

dependency-check version: latest