jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Unexpected error while analysis of yarn.lock created by bun #5962

Open tina-junold opened 1 year ago

tina-junold commented 1 year ago

Describe the bug
When using bun instead of yarn to generate a lock file, the format does not match the expectations of the analyzer.

Version of dependency-check used
Latest docker version, using the script in the description on docker hub.

Log file
https://gist.github.com/tburschka/377fb54eaa196271fd6dda44a1944c6c

To Reproduce

[install.lockfile]
print = "yarn"

Expected behavior
The analysis of the yarn.lock should not fail.

Additional context
Alternative: support for the bun.lockb (binary) lockfile ;-)

chadlwilson commented 12 months ago

All the YarnAuditAnalyzer does is run `yarn audit` if it detects a yarn.lock. It doesn't actually parse the lock file directly.

If you have yarn available, but yarn itself cannot understand bun-created lock files, then ODC can't do much about that. If you do not have yarn available then I guess you'd expect this to fail, although maybe not as gracefully as would be useful.

FWIW, right now ODC's YarnAuditAnalyzer doesn't work with Yarn Berry (v2+) anyway (#4215 & #4894) and you get a similar error, so it may be related, especially if bun is generating yarn v2+ format lockfiles that would only work with Yarn Berry.
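Since the analyzer only shells out to classic `yarn audit`, a CI job can inspect the yarn.lock header up front and decide whether to let that analyzer run. The following POSIX sh pre-flight check is an added example, not code from this thread or from dependency-check; it assumes the header markers of Yarn v1 ("# yarn lockfile v1") and Yarn Berry ("__metadata:") lockfiles and the dependency-check CLI flag `--disableYarnAudit`, and the sample lockfile contents are constructed here, not taken from the reporter's gist.

```shell
#!/bin/sh
# Classify a yarn.lock by its header so we know whether classic "yarn audit"
# (what ODC's YarnAuditAnalyzer runs) can be expected to read it.
# Prints one of: v1 | berry | unknown
yarn_lock_format() {
  lock="$1"
  [ -r "$lock" ] || { echo unknown; return 1; }
  # Yarn v1 lockfiles carry this marker in their first lines (assumed format).
  if head -n 5 "$lock" | grep -q '^# yarn lockfile v1'; then
    echo v1
  # Yarn Berry (v2+) lockfiles declare a top-level __metadata block (assumed format).
  elif grep -q '^__metadata:' "$lock"; then
    echo berry
  else
    echo unknown
  fi
}

# Extra dependency-check CLI arguments for a given lock file: nothing when
# classic yarn audit should cope, otherwise disable the analyzer up front
# (assumed flag name) rather than letting the scan error out.
odc_yarn_args() {
  case "$(yarn_lock_format "$1")" in
    v1) echo "" ;;
    *)  echo "--disableYarnAudit" ;;
  esac
}

# Constructed sample lockfiles for a stand-alone run.
tmp="$(mktemp -d)"
printf '# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.\n# yarn lockfile v1\n\n\nleft-pad@^1.3.0:\n  version "1.3.0"\n' > "$tmp/v1.lock"
printf '# This file is generated by running "yarn install" inside your project.\n# Manual changes might be lost - proceed with caution!\n\n__metadata:\n  version: 6\n  cacheKey: 8\n' > "$tmp/berry.lock"
printf 'not a lockfile at all\n' > "$tmp/odd.lock"

for f in v1.lock berry.lock odd.lock; do
  echo "$f: format=$(yarn_lock_format "$tmp/$f") odc_args='$(odc_yarn_args "$tmp/$f")'"
done
```

Wire `odc_yarn_args` into the dependency-check invocation (for example `dependency-check.sh --scan . $(odc_yarn_args ./yarn.lock)`) so a bun- or Berry-generated lockfile skips the yarn audit step instead of failing the whole scan.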