Open crypticraven opened 2 years ago
If you had provided the debug log (as instructed) instead of the regular info/error log we might be able to tell what breaks in your case. Now you're all on your own.
https://gist.github.com/crypticraven/a60ed0c406bc34ec4f19c3144494a71a
This is from a pipeline; I enabled verbosity.
@jeremylong Do you recall what causes we've seen for `Invalid payload submitted to Node Audit API`? I vaguely recall we've seen similar error patterns in the past.
There are a few existing tickets around this:
I have not had time to dig into this failure.
In my case the problem seems to be related to package-lock.json with lockfileVersion 3. Regenerating it using node-16 (lockfileVersion 2) temporarily resolves that issue.
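The workaround in the comment above (regenerate the lockfile as lockfileVersion 2) suggests a cheap pre-scan gate for the pipeline. The script below is an added example, not code from dependency-check or from this issue: it walks a checkout for package-lock.json files, reads each file's lockfileVersion, and reports any file the Node Audit Analyzer would choke on, so the job fails early with a readable message instead of the opaque "Invalid payload" error. The two sample lockfiles are constructed; the assumption that only lockfileVersion 1 and 2 are accepted is taken from the comment above, not from the project's documentation.

```python
"""Pre-scan gate: flag package-lock.json files with a lockfileVersion that the
dependency-check Node Audit Analyzer (per this thread) cannot submit."""
import json
import tempfile
from pathlib import Path

# Constructed sample lockfiles, not taken from the reporter's repository.
# npm 7/8 (bundled with Node 16) writes lockfileVersion 2, which carries both the
# newer "packages" map and the legacy "dependencies" tree.
LOCK_V2 = {
    "name": "demo-app",
    "version": "1.0.0",
    "lockfileVersion": 2,
    "requires": True,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0", "dependencies": {"jquery": "^3.6.0"}},
        "node_modules/jquery": {"version": "3.6.0"},
    },
    "dependencies": {"jquery": {"version": "3.6.0"}},
}
# npm 9+ writes lockfileVersion 3: the legacy "dependencies" tree is gone entirely.
LOCK_V3 = {
    "name": "demo-app",
    "version": "1.0.0",
    "lockfileVersion": 3,
    "requires": True,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0", "dependencies": {"jquery": "^3.6.0"}},
        "node_modules/jquery": {"version": "3.6.0"},
    },
}

# Assumption drawn from the thread: versions 1 and 2 scan cleanly, 3 does not.
SUPPORTED_VERSIONS = (1, 2)


def inspect_lockfile(data: dict) -> dict:
    """Classify one parsed package-lock.json; returns a small result record."""
    version = data.get("lockfileVersion")
    has_legacy_tree = isinstance(data.get("dependencies"), dict)
    if version in SUPPORTED_VERSIONS and has_legacy_tree:
        reason = "ok"
    elif version not in SUPPORTED_VERSIONS:
        reason = (f"lockfileVersion {version} is not in {SUPPORTED_VERSIONS}; "
                  "regenerate with Node 16 / npm 8 (lockfileVersion 2) before scanning")
    else:
        reason = "legacy 'dependencies' tree is missing"
    return {
        "lockfileVersion": version,
        "has_legacy_dependencies": has_legacy_tree,
        "needs_regeneration": reason != "ok",
        "reason": reason,
    }


def find_lockfiles(root: Path) -> list:
    """All package-lock.json files under root, skipping installed node_modules trees."""
    return sorted(p for p in root.rglob("package-lock.json") if "node_modules" not in p.parts)


def check_tree(root: Path) -> list:
    """Inspect every lockfile under root; unreadable files are reported, not skipped."""
    results = []
    for path in find_lockfiles(root):
        rel = path.relative_to(root).as_posix()
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            results.append({"path": rel, "lockfileVersion": None,
                            "has_legacy_dependencies": False,
                            "needs_regeneration": True, "reason": f"unreadable: {exc}"})
            continue
        record = inspect_lockfile(data)
        record["path"] = rel
        results.append(record)
    return results


def demo() -> list:
    """Write the two constructed samples into a temporary checkout and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for folder, lock in (("legacy-app", LOCK_V2), ("spa", LOCK_V3)):
            (root / folder).mkdir()
            (root / folder / "package-lock.json").write_text(json.dumps(lock), encoding="utf-8")
        return check_tree(root)


if __name__ == "__main__":
    findings = demo()
    for record in findings:
        print(f"{record['path']}: lockfileVersion={record['lockfileVersion']} -> {record['reason']}")
    # Non-zero exit makes a CI step fail before dependency-check even runs.
    raise SystemExit(1 if any(r["needs_regeneration"] for r in findings) else 0)
```

In a real pipeline, call `check_tree(Path("."))` from the repository root as a step before the dependency-check task; the non-zero exit stops the job with the reason printed, which is easier to act on than the analyzer's "Invalid payload" line.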
dependency-check version: latest
**Describe the bug**
When scanning an Angular application, the dependency checker application throws an error when it comes across package-lock files.

**Version of dependency-check used**
6.5.3

**Log file**

```
[INFO] Finished NVD CVE Analyzer (0 seconds)
[ERROR] NodeAuditAnalyzer failed on C:\a\1\s\NextGen\UserDriven\Website\SPA\package-lock.json
[WARN] An error occurred while analyzing 'C:\a\1\s\NextGen\UserDriven\Website\SPA\package-lock.json' (Node Audit Analyzer).
[INFO] Finished Node Audit Analyzer (0 seconds)
00:00 INFO: Vulnerability found: jquery below 1.12.0
00:00 INFO: Vulnerability found: jquery below 1.12.0
00:00 INFO: Vulnerability found: jquery below 3.4.0
00:00 INFO: Vulnerability found: jquery below 3.5.0
00:00 INFO: Vulnerability found: jquery below 3.5.0
00:00 INFO: Vulnerability found: jquery below 1.12.0
00:00 INFO: Vulnerability found: jquery below 1.12.0
00:00 INFO: Vulnerability found: jquery below 3.4.0
00:00 INFO: Vulnerability found: jquery below 3.5.0
00:00 INFO: Vulnerability found: jquery below 3.5.0
00:00 INFO: Vulnerability found: jquery below 1.12.0
00:00 INFO: Vulnerability found: jquery below 1.12.0
00:00 INFO: Vulnerability found: jquery below 3.4.0
00:00 INFO: Vulnerability found: jquery below 3.5.0
00:00 INFO: Vulnerability found: jquery below 3.5.0
[INFO] Finished RetireJS Analyzer (1 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (4 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (24 seconds)
[INFO] Writing report to: C:\a\1\TestResults\dependency-check\dependency-check-report.xml
[INFO] Writing report to: C:\a\1\TestResults\dependency-check\dependency-check-report.html
[INFO] Writing report to: C:\a\1\TestResults\dependency-check\dependency-check-junit.xml
[ERROR] Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
Dependency Check completed with exit code 4294967282.
Dependency Check reports: [
  'C:\a\1\TestResults\dependency-check\dependency-check-junit.xml',
  'C:\a\1\TestResults\dependency-check\dependency-check-report.html',
  'C:\a\1\TestResults\dependency-check\dependency-check-report.xml'
]
Dependency Check failed with message "Dependency Check exited with an error code (exit code: 4294967282)."
[error]Dependency Check exited with an error code (exit code: 4294967282).
Ending Dependency Check...
```
**To Reproduce**
Appears only when the package-lock.json file is part of the repository. If we remove the file, the scan happens as expected and no errors are thrown.

**Expected behavior**
Scan should be conducted as it would with any other package.json file.

**Additional context**
We're running this from an OWASP plugin directly connected to AzureDevOps via a pipeline. There are no unique configurations for the environment that we were testing with, just a generic configuration for testing the plugin to provide a POC to our development team when scanning for code dependency files.