jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Alias inside package.json #5093

Closed atamike closed 1 year ago

atamike commented 1 year ago

Describe the bug Dependency-check throws an unexpected error when you try to scan package.json and yarn.lock with an alias

Version of dependency-check used The problem occurs using version 7.3.2

Log file

[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (0 seconds)
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARN] The Node Package Analyzer has been disabled; the resulting report will only contain the known vulnerable dependency - not a bill of materials for the node project.
[WARN] dependency skipped: package.json contain an alias for @mui/styled-engine => @mui/styled-engine-sc@5.8.0 npm audit doesn't support aliases
[ERROR] YarnAuditAnalyzer failed on /mnt/c/projects/example/yarn.lock
[WARN] An error occurred while analyzing '/mnt/c/projects/example/yarn.lock' (Yarn Audit Analyzer).
[INFO] Finished Yarn Audit Analyzer (1 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[INFO] Analysis Complete (2 seconds)
[INFO] Writing report to: /mnt/c/projects/example/./dependency-check-report.html
[ERROR] Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.

To Reproduce

Package.json
{
  "name": "example",
  "version": "0.1.0",
  "private": true,
  "dependencies": {
    "@mui/styled-engine": "npm:@mui/styled-engine-sc@5.8.0",
    "@mui/styled-engine-sc": "5.8.0"
  }
}
Yarn.lock
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

"@mui/styled-engine-sc@5.8.0", "@mui/styled-engine@npm:@mui/styled-engine-sc@5.8.0":
  version "5.8.0"
  resolved "https://registry.yarnpkg.com/@mui/styled-engine-sc/-/styled-engine-sc-5.8.0.tgz#20bc536dce25739e38fcd2586f100e70fbf02065"
  integrity sha512-46eRLWxjTF0d50Q1Q9tj96cgF41r7lesbXAy6kKocCdUfJ8rbIo36C4Ws8Pd7nfVsvaitTb7tmCbVQzDT3niJQ==
  dependencies:
    prop-types "^15.8.1"

"js-tokens@^3.0.0 || ^4.0.0":
  version "4.0.0"
  resolved "https://registry.yarnpkg.com/js-tokens/-/js-tokens-4.0.0.tgz#19203fb59991df98e3a287050d4647cdeaf32499"
  integrity sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==

loose-envify@^1.4.0:
  version "1.4.0"
  resolved "https://registry.yarnpkg.com/loose-envify/-/loose-envify-1.4.0.tgz#71ee51fa7be4caec1a63839f7e682d8132d30caf"
  integrity sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q==
  dependencies:
    js-tokens "^3.0.0 || ^4.0.0"

object-assign@^4.1.1:
  version "4.1.1"
  resolved "https://registry.yarnpkg.com/object-assign/-/object-assign-4.1.1.tgz#2109adc7965887cfc05cbbd442cac8bfbb360863"
  integrity sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==

prop-types@^15.8.1:
  version "15.8.1"
  resolved "https://registry.yarnpkg.com/prop-types/-/prop-types-15.8.1.tgz#67d87bf1a694f48435cf332c24af10214a3140b5"
  integrity sha512-oj87CgZICdulUohogVAR7AjlC0327U4el4L6eAvOqCeudMDVU0NThNaV+b9Df4dXgSP1gXMTnPdhfe/2qDH5cg==
  dependencies:
    loose-envify "^1.4.0"
    object-assign "^4.1.1"
    react-is "^16.13.1"

react-is@^16.13.1:
  version "16.13.1"
  resolved "https://registry.yarnpkg.com/react-is/-/react-is-16.13.1.tgz#789729a4dc36de2999dc156dd6c1d9c18cea56a4"
  integrity sha512-24e6ynE2H+OKt4kqsOvNd8kBpV65zoxbA4BVsEOB3ARVWQki/DHzaUoC5KuON/BiccDaCCTZBuOcfZs70kR8bQ==
Run command

dependency-check --scan "./yarn.lock" --disableNodeJS --disableRetireJS --nodeAuditSkipDevDependencies

Expected behavior The alias dependency is skipped and doesn't make dependency-check fail

Additional context We cannot simply remove the alias for the dependency; we need it.

atamike commented 1 year ago

I found out this is more a problem with how yarn audit works and how yarn.lock is generated. When you try to run yarn audit --verbose on the example you will get an error. The payload sent to audit looks like:

verbose 0.379 Audit Request: {
  "name": "example",
  "version": "0.1.0",
  "install": [],
  "remove": [],
  "metadata": {},
  "requires": {
    "@mui/styled-engine": "npm:@mui/styled-engine-sc@5.8.0",
    "@mui/styled-engine-sc": "5.8.0"
  },
  "dependencies": {
    "@mui/styled-engine": {
      "version": "5.8.0",
      "integrity": "sha512-46eRLWxjTF0d50Q1Q9tj96cgF41r7lesbXAy6kKocCdUfJ8rbIo36C4Ws8Pd7nfVsvaitTb7tmCbVQzDT3niJQ==",
      "requires": {
        "prop-types": "^15.8.1"
      },
      "dependencies": {},
      "dev": false
    },
    "prop-types": {
      "version": "15.8.1",
      "integrity": "sha512-oj87CgZICdulUohogVAR7AjlC0327U4el4L6eAvOqCeudMDVU0NThNaV+b9Df4dXgSP1gXMTnPdhfe/2qDH5cg==",
      "requires": {
        "loose-envify": "^1.4.0",
        "object-assign": "^4.1.1",
        "react-is": "^16.13.1"
      },
      "dependencies": {},
      "dev": false
    },
    "loose-envify": {
      "version": "1.4.0",
      "integrity": "sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q==",
      "requires": {
        "js-tokens": "^3.0.0 || ^4.0.0"
      },
      "dependencies": {},
      "dev": false
    },
    "object-assign": {
      "version": "4.1.1",
      "integrity": "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==",
      "requires": {},
      "dependencies": {},
      "dev": false
    },
    "react-is": {
      "version": "16.13.1",
      "integrity": "sha512-24e6ynE2H+OKt4kqsOvNd8kBpV65zoxbA4BVsEOB3ARVWQki/DHzaUoC5KuON/BiccDaCCTZBuOcfZs70kR8bQ==",
      "requires": {},
      "dependencies": {},
      "dev": false
    },
    "js-tokens": {
      "version": "4.0.0",
      "integrity": "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==",
      "requires": {},
      "dependencies": {},
      "dev": false
    }
  },
  "dev": false
}

So @mui/styled-engine-sc is missing entirely, which causes the yarn audit to fail. There is already an open issue in yarn: https://github.com/yarnpkg/yarn/issues/7015

The current workaround is to modify yarn.lock manually and duplicate the resolution for both packages like this:

"@mui/styled-engine-sc@5.8.0":
  version "5.8.0"
  resolved "https://registry.yarnpkg.com/@mui/styled-engine-sc/-/styled-engine-sc-5.8.0.tgz#20bc536dce25739e38fcd2586f100e70fbf02065"
  integrity sha512-46eRLWxjTF0d50Q1Q9tj96cgF41r7lesbXAy6kKocCdUfJ8rbIo36C4Ws8Pd7nfVsvaitTb7tmCbVQzDT3niJQ==
  dependencies:
    prop-types "^15.8.1"

"@mui/styled-engine@npm:@mui/styled-engine-sc@5.8.0":
  version "5.8.0"
  resolved "https://registry.yarnpkg.com/@mui/styled-engine-sc/-/styled-engine-sc-5.8.0.tgz#20bc536dce25739e38fcd2586f100e70fbf02065"
  integrity sha512-46eRLWxjTF0d50Q1Q9tj96cgF41r7lesbXAy6kKocCdUfJ8rbIo36C4Ws8Pd7nfVsvaitTb7tmCbVQzDT3niJQ==
  dependencies:
    prop-types "^15.8.1"
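Added example, not code from the DependencyCheck project or from anyone in this thread: a small yarn.lock v1 helper that lists the "npm:" alias entries yarn audit cannot handle (a pre-scan check for the failure shown in the log) and applies the manual workaround above by splitting a combined entry into one block per key. The sample lockfile text is constructed from the entries posted in this issue.

```javascript
// Added example, not code from the DependencyCheck project or this issue: a yarn.lock v1 helper
// that lists "npm:" alias entries (the case yarn audit rejects) and applies the manual workaround
// from the comment above by giving each key of a combined entry its own block.
// Constructed sample lockfile: the issue's combined alias entry plus one ordinary entry.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1
"@mui/styled-engine-sc@5.8.0", "@mui/styled-engine@npm:@mui/styled-engine-sc@5.8.0":
  version "5.8.0"
  resolved "https://registry.yarnpkg.com/@mui/styled-engine-sc/-/styled-engine-sc-5.8.0.tgz#20bc536dce25739e38fcd2586f100e70fbf02065"
  integrity sha512-46eRLWxjTF0d50Q1Q9tj96cgF41r7lesbXAy6kKocCdUfJ8rbIo36C4Ws8Pd7nfVsvaitTb7tmCbVQzDT3niJQ==
  dependencies:
    prop-types "^15.8.1"

prop-types@^15.8.1:
  version "15.8.1"
`;
// Parse into blocks { keys: [raw key strings], body: [indented lines] }; comments and blank lines are dropped.
function parseLock(text) {
  const blocks = [];
  let current = null;
  for (const line of text.split("\n")) {
    if (line.startsWith("#") || line.trim() === "") continue;
    if (!line.startsWith(" ")) {
      current = { keys: line.replace(/:\s*$/, "").split(",").map((k) => k.trim()), body: [] };
      blocks.push(current);
    } else if (current) current.body.push(line);
  }
  return blocks;
}
const unquote = (k) => k.replace(/^"|"$/g, "");
// A key is an alias when its range (after the first "@" past any scope prefix) uses the npm: protocol.
function isAlias(rawKey) {
  const key = unquote(rawKey);
  const at = key.indexOf("@", 1);
  return at !== -1 && key.slice(at + 1).startsWith("npm:");
}
// Pre-scan check: list alias keys so a Yarn Audit Analyzer failure can be anticipated.
function findAliases(text) {
  return parseLock(text).flatMap((b) => b.keys.filter(isAlias).map(unquote));
}
// Workaround: a block holding an alias key becomes one block per key, each repeating the same body.
function splitAliasEntries(text) {
  const out = text.split("\n").filter((l) => l.startsWith("#"));
  for (const block of parseLock(text)) {
    const groups = block.keys.some(isAlias) ? block.keys.map((k) => [k]) : [block.keys];
    for (const keys of groups) out.push("", keys.join(", ") + ":", ...block.body);
  }
  return out.join("\n") + "\n";
}
```

Running findAliases over a lockfile before invoking dependency-check tells you up front whether the Yarn Audit Analyzer will reject the payload; splitAliasEntries produces the duplicated-resolution lockfile described in the workaround.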

nhumblot commented 1 year ago

Hi :wave:

Thank you for reporting this and providing details about the issue. As it is an issue in yarn and Dependency Check is not concerned as of now, and because an issue has been opened in the yarn project, I am closing this issue. :slightly_smiling_face: