jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Pnpm Audit Analyzer registry url #5664

Open myzonjkee opened 1 year ago

myzonjkee commented 1 year ago

Is your feature request related to a problem? Please describe.
Pnpm Audit Analyzer throws ECONNREFUSED error due to npm registry. It would be great to be able to specify my own npm package registry url.

Describe the solution you'd like
Suggesting to add a new optional Command Line Argument called --npmRegistry <url> or just --registry <url>. Default value can be: https://registry.npmjs.org/

Additional context
(attached screenshot: owasp log artifact from a Jenkins build)

GeorgS commented 10 months ago

Any news on this? Facing the same issue, would like to specify the registry URL for the audit request.

lucascloarec commented 8 months ago

Hi! I have the same issue. I didn't understand why the registry had to be https://registry.npmjs.org/ (https://github.com/jeremylong/DependencyCheck/blob/33c4c98e868b6b34d32ada870de79f9fa56aa42e/core/src/main/java/org/owasp/dependencycheck/analyzer/PnpmAuditAnalyzer.java#L207C31-L207C31). I modified my version of PNPM so that it ignores the --registry argument. The request worked correctly, but the response is not suitable. I have this exception:

org.owasp.dependencycheck.analyzer.exception.AnalysisException: Failed to parse C:\jenkins\workspace\blabla\blabla\pnpm-lock.yaml file from the NPM Audit API (PnpmAuditAnalyzer).
    at org.owasp.dependencycheck.analyzer.PnpmAuditAnalyzer.analyzePackage (PnpmAuditAnalyzer.java:271)
    at org.owasp.dependencycheck.analyzer.PnpmAuditAnalyzer.analyzeDependency (PnpmAuditAnalyzer.java:93)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1136)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:635)
    at java.lang.Thread.run (Thread.java:840)
Caused by: org.json.JSONException: No value for github_advisory_id

The company I work at uses JFrog Artifactory and the pnpm audit command works perfectly on my computer. For the moment I have no other solution than to allow connection to the default registry.
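A small Python model of the parsing failure lucascloarec describes, added here as an illustration and not part of dependency-check's code base: the response layout (an "advisories" map keyed by numeric id, as in the npm audit v1 API), the placeholder advisory ids and both sample bodies are constructed assumptions.

```python
import json
from dataclasses import dataclass
from typing import Optional

# The registry the analyzer currently hard-codes; the issue asks to make it a CLI option.
DEFAULT_REGISTRY = "https://registry.npmjs.org/"


@dataclass
class Advisory:
    advisory_id: str                    # stable key: GHSA id if present, else the numeric id
    module_name: str
    severity: str
    vulnerable_versions: str
    github_advisory_id: Optional[str]   # missing in responses relayed by some proxy registries


def parse_advisories(body: str, strict: bool = False) -> list[Advisory]:
    """Parse the 'advisories' map of an npm-audit-style response (assumed layout).

    strict=True reproduces the brittle behaviour from the thread: github_advisory_id is
    mandatory and a body without it fails with KeyError (org.json raised JSONException
    in the same situation). strict=False treats the field as optional.
    """
    data = json.loads(body)
    parsed = []
    for key, raw in data.get("advisories", {}).items():
        ghsa = raw["github_advisory_id"] if strict else raw.get("github_advisory_id")
        parsed.append(Advisory(
            advisory_id=ghsa or str(raw.get("id", key)),
            module_name=raw["module_name"],
            severity=raw.get("severity", "unknown"),
            vulnerable_versions=raw.get("vulnerable_versions", "*"),
            github_advisory_id=ghsa,
        ))
    return parsed


# Constructed sample: a body as the public registry would return it (placeholder ids only).
NPMJS_RESPONSE = json.dumps({"advisories": {"1523": {
    "id": 1523, "github_advisory_id": "GHSA-xxxx-xxxx-xxxx", "module_name": "example-pkg",
    "severity": "high", "vulnerable_versions": "<1.2.3"}}})

# Constructed sample: the same advisory relayed by a proxy that drops github_advisory_id.
PROXY_RESPONSE = json.dumps({"advisories": {"1523": {
    "id": 1523, "module_name": "example-pkg", "severity": "high", "vulnerable_versions": "<1.2.3"}}})


def audit_succeeds(body: str, strict: bool) -> bool:
    """True if parsing completes; False on the missing-field failure seen in the issue."""
    try:
        parse_advisories(body, strict=strict)
        return True
    except KeyError:
        return False
```

The strict path is the shape of the exception in the stack trace above; the tolerant path keeps the numeric id as the fallback key so a proxied response still yields usable findings.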

stefanrybacki commented 2 weeks ago

Same here; we need to be able to provide our own registry, otherwise npm will block requests if they are too frequent.

jeremylong commented 2 weeks ago

We accept PRs.