Open nils-christian opened 1 year ago
Can you point at an example project using the frontend-maven-plugin and pnpm?
Hi @jeremylong,
Sure. Here you go: https://github.com/nils-christian/frontend-plugin-dependency-check
A "mvn install" does the following:
The project has a single dependency to a jquery containing some security issues.
By default the execution fails:
    [ERROR] Failed to execute goal org.owasp:dependency-check-maven:8.0.2:check (default) on project demo: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis:
    [ERROR] InitializationException: Unable to read pnpm audit output.
    [ERROR] caused by IOException: Cannot run program "pnpm": CreateProcess error=2
This, by the way, is already weird, given that pnpm is available on my system.
I have found this issue because I was not able to set up the yarn audit analyzer. I am using maven-frontend-plugin, which installs yarn into a local directory. I do not have yarn installed globally and am currently not able to install it globally.
I tried to use
Hi @karol-bujacek,
No, unfortunately not. But I didn't invest a lot of time trying to solve this issue.
@nils-christian, thank you for the information.
I decided to disable yarn support in this plugin and create a separate execution in the maven frontend plugin, which executes the yarn audit command and the yarn-audit-html report generator. Now I have two different reports, but it works and it satisfies my needs.
Here is my working solution for installing pnpm via frontend-maven-plugin and using it afterwards:
    <plugin>
        <groupId>com.github.eirslett</groupId>
        <artifactId>frontend-maven-plugin</artifactId>
        <version>1.15.0</version>
        <configuration>
            <nodeVersion>v18.17.1</nodeVersion>
        </configuration>
        <executions>
            <execution>
                <id>install node and npm</id>
                <goals>
                    <goal>install-node-and-npm</goal>
                </goals>
            </execution>
            <execution>
                <id>install frontend dependencies</id>
                <goals>
                    <goal>npx</goal>
                </goals>
                <configuration>
                    <arguments>pnpm install</arguments>
                </configuration>
            </execution>
        </executions>
    </plugin>
    <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <executions>
            <execution>
                <phase>none</phase>
                <goals>
                    <goal>check</goal>
                </goals>
            </execution>
        </executions>
        <configuration>
            <pathToPnpm>${project.basedir}/node/node_modules/corepack/dist/pnpm.js</pathToPnpm>
        </configuration>
    </plugin>
Is your feature request related to a problem? Please describe.
In our project we are using the frontend-maven-plugin and would like to let Dependency-Check perform the audit of the frontend libraries. It seems rather cumbersome (if not impossible) to let the PnpmAuditAnalyzer use the pnpm installed by the frontend-maven-plugin.
After said plugin installs pnpm, it would be possible to execute pnpm with the command
    node\node node\node_modules\pnpm\bin\pnpm.cjs
This, however, cannot be added as the "pathToPnpm" property. The PnpmAuditAnalyzer checks whether the given path is an actual path, which it is not. We also tried to use a script file with the content
    node\node node\node_modules\pnpm\bin\pnpm.cjs "$@"
but the analyzer just says that the "Pnpm executable was not found." (furthermore, using a script would add an undesired platform dependency to the dependency check process).
Describe the solution you'd like
It would be very helpful if the dependency check plugin would be able to use the pnpm installed by the frontend-maven-plugin, even if it is not a single path.
Describe alternatives you've considered
Don't use the dependency check plugin for the pnpm audit part. This is for several reasons undesired though.
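The "separate execution" alternative from the thread, carried over to pnpm as an added example (not code from dependency-check or frontend-maven-plugin): locate whichever pnpm entry point the frontend-maven-plugin install left under the project, build the `node/node <entry>` command line the issue describes, and gate on the severities in the audit report. The `advisories` layout of the report and the constructed jquery advisories are assumptions, not taken from the project.

```python
import json
import os
from pathlib import Path

# The two pnpm entry points mentioned in the thread; which one exists depends
# on how frontend-maven-plugin installed pnpm (install-node-and-pnpm vs. corepack).
PNPM_ENTRY_CANDIDATES = (
    Path("node/node_modules/pnpm/bin/pnpm.cjs"),
    Path("node/node_modules/corepack/dist/pnpm.js"),
)
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample report (not real pnpm output); ASSUMPTION: pnpm audit --json
# uses the npm-audit-style layout with a top-level "advisories" map.
SAMPLE_AUDIT = json.dumps({
    "advisories": {
        "1": {"module_name": "jquery", "severity": "moderate", "title": "XSS"},
        "2": {"module_name": "jquery", "severity": "high", "title": "Prototype pollution"},
    },
})

def find_pnpm_entry(basedir):
    """Return the first pnpm JS entry point present below basedir, else None."""
    for rel in PNPM_ENTRY_CANDIDATES:
        candidate = Path(basedir) / rel
        if candidate.is_file():
            return candidate
    return None

def pnpm_command(basedir, *args):
    """Build argv in the form the issue describes: node/node <entry> <args>."""
    entry = find_pnpm_entry(basedir)
    if entry is None:
        raise FileNotFoundError("no pnpm entry point under %s" % basedir)
    node = Path(basedir) / "node" / ("node.exe" if os.name == "nt" else "node")
    return [str(node), str(entry), *args]

def worst_severity(audit_json):
    """Highest severity rank among the advisories (-1 when there are none)."""
    advisories = json.loads(audit_json).get("advisories", {})
    ranks = [SEVERITY_RANK.get(a.get("severity", "info"), 0) for a in advisories.values()]
    return max(ranks, default=-1)

def audit_fails(audit_json, threshold="high"):
    """True when any advisory is at or above the threshold severity."""
    return worst_severity(audit_json) >= SEVERITY_RANK[threshold]
```

In a build step, pass `pnpm_command(basedir, "audit", "--json")` to `subprocess.run(..., capture_output=True, text=True, check=False)` (pnpm audit exits non-zero when it finds anything, so do not let the exit code alone fail the step) and feed its stdout to `audit_fails`.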