jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Wrong location for the node_modules folder #5119

Closed ngyl88 closed 1 year ago

ngyl88 commented 1 year ago

Describe the bug
The newly released dependency-check Docker image was unable to locate the node_modules folder, while the previous image worked.

The problem is the same as mentioned by another user, https://github.com/jeremylong/DependencyCheck/issues/5116#issuecomment-1336534312.

Version of dependency-check used
The problem occurs using version 7.4.0, running with the docker commands that were published on Docker Hub. The script file used is exactly the same as in previous successful runs.

Log file
With image tag 7.4.0,

[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[WARN] Unable to find node module: /src/node_modules/@ampproject/remapping/node_modules/@jridgewell/gen-mapping/package.json
[WARN] Unable to find node module: /src/node_modules/@ampproject/remapping/node_modules/@jridgewell/trace-mapping/package.json

Run with image tag 7.3.2,

[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Node.js Package Analyzer (23 seconds)
[INFO] Finished Dependency Merging Analyzer (2 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (2 seconds)
[INFO] Finished CPE Analyzer (9 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Node Audit Analyzer (0 seconds)
[INFO] Finished Yarn Audit Analyzer (1 seconds)
[INFO] Finished RetireJS Analyzer (59 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (22 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (33 seconds)
[INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[INFO] Analysis Complete (155 seconds)

To Reproduce
Try to run the docker image to scan a NodeJS project with the script published on Docker Hub.

  1. Create a NodeJS module. The NodeJS and npm versions shouldn't matter, but just in case, we tried with a react app created with NodeJS 18.12.1, npm v8.
  2. Copy the script from https://hub.docker.com/r/owasp/dependency-check into ./bin/owasp-dependency-check-docker.
  3. Set DC_VERSION="7.4.0" and DC_VERSION="7.3.2".

npx create-react-app my-app-owasp-check
cd my-app-owasp-check

./bin/owasp-dependency-check-docker

Expected behavior
It should pass the node_modules resolution phase and start the Node.js Package Analyzer.

Additional context
NA

ngyl88 commented 1 year ago

@jeremylong Thanks for the attempt to fix.

I tried with the docker image owasp/dependency-check:7.4.1, same steps as above. The same issues persist. I'm not sure about the effect of the line in commit 8c9b6a1; would you have an idea to share?

Logs generated:

[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[WARN] Unable to find node module: /src/node_modules/@ampproject/remapping/node_modules/@jridgewell/gen-mapping/package.json
[WARN] Unable to find node module: /src/node_modules/@ampproject/remapping/node_modules/@jridgewell/trace-mapping/package.json
[WARN] Unable to find node module: /src/node_modules/@babel/code-frame/node_modules/@babel/highlight/package.json