jfrog / jfrog-cli

JFrog CLI is a client that provides a simple interface that automates access to the JFrog products.
https://www.jfrog.com/confluence/display/CLI/JFrog+CLI
Apache License 2.0

XRay doesn't scan dependencies in NPM builds #1822

Open tkatrichenko opened 1 year ago

tkatrichenko commented 1 year ago

I'm trying to integrate the build scan feature into CI for our npm-based projects. Here are the steps in my pipeline:

script:
    - curl -fL https://install-cli.jfrog.io | sh
    - CI=true jf config add my-server --url https://my-server.jfrog.io --user ${ARTIFACTORY_USERNAME} --password ${ARTIFACTORY_PASSWORD}
    - jf npm-config --server-id-resolve my-server --server-id-deploy my-server --repo-resolve npm-local --repo-deploy npm-local
    - npm install
    - jf npm install --build-name=my-build --build-number=$CI_COMMIT_SHORT_SHA
    - jf npm publish --build-name=my-build --build-number=$CI_COMMIT_SHORT_SHA
    - jf rt build-publish my-build $CI_COMMIT_SHORT_SHA
    - jf build-scan my-build $CI_COMMIT_SHORT_SHA

I have to do a plain npm install first to pull dependencies from the public registry (registry.npmjs.org), because my Artifactory repo is empty and jf npm install fails with a 404 error.

All my dependencies are listed in the package.json file, and if I run npm audit it says that I have some vulnerabilities. However, when I publish the build to Artifactory and scan it with XRay, no vulnerabilities/licenses are found. It looks like XRay doesn't scan dependencies.

Is it because I download dependencies from public registry? How can I manage to scan dependencies in this case?

sergiomarotco commented 1 year ago

I have the same problem.

abdsahin commented 1 year ago

Did you find any resolution to that issue?

tkatrichenko commented 1 year ago

Did you find any resolution to that issue?

No :( Hoped to get some clues here.

sverdlov93 commented 1 year ago

Hi @tkatrichenko, and @sergiomarotco @abdsahin.

tkatrichenko commented 1 year ago

Hi @sverdlov93, thanks for replying.

The jf build-scan is scanning the dependencies list that exists on the build-info file recorded during the jf npm install command.

When I run jf npm install I get Build-info dependencies collection is not supported for installations of single packages. Build-info creation is skipped. It looks like that's the reason why it doesn't scan dependencies, as the build-info file wasn't created. But why does this message come up? Why does jf npm install say it's a single package installation? Is it because my npm repo is empty and I pull all dependencies from the public repo?

On this page it says:

The dependencies are resolved from the Artifactory server and repository configured by npm-config command.

Does it mean that if my Artifactory repo does not contain any dependencies it will treat the installation as "single-packaged"?

In both npm audit and jf audit I see a similar vulnerabilities list. For example, storybook:

│ 🔥High     │ @storybook/react       │ 6.5.16     │ clean-css     │ 4.2.4      │ [5.2.2]  │ npm  │

sverdlov93 commented 1 year ago

@tkatrichenko BTW, is the missing space here a copy-paste mistake, or is it actually in your script lines? jf npm install --build-name=my-build--build-number=$CI_COMMIT_SHORT_SHA

Also, can you run the command with the environment variable JFROG_CLI_LOG_LEVEL=DEBUG and share the logs?

tkatrichenko commented 1 year ago

@tkatrichenko BTW, is the missing space here a copy-paste mistake, or is it actually in your script lines? jf npm install --build-name=my-build--build-number=$CI_COMMIT_SHORT_SHA

No, it was just a typo.

Also, can you run the command with the environment variable JFROG_CLI_LOG_LEVEL=DEBUG and share the logs? Which command?

# JFROG_CLI_LOG_LEVEL=DEBUG jf npm install --cache .npm --build-name=my-build --build-number=$CI_COMMIT_SHORT_SHA
15:28:52 [Debug] JFrog CLI version: 2.34.6
15:28:52 [Debug] OS/Arch: linux/amd64
15:28:52 [🔵Info] Running npm install.
15:28:52 [Debug] Preparing to read the config file /app/.jfrog/projects/npm.yaml
15:28:52 [Debug] Found resolver in the config file /app/.jfrog/projects/npm.yaml
15:28:52 [Debug] Preparing prerequisites...
15:28:52 [Debug] Usage Report: Sending info...
15:28:52 [Debug] Using npm executable: /usr/local/bin/npm
15:28:52 [Debug] Running npm -version command.
15:28:52 [Debug] Sending HTTP GET request to: https://mycompany.jfrog.io/artifactory/api/system/version
15:28:53 [Debug] npm -version standard output is:
6.14.17

15:28:53 [Debug] Using npm version: 6.14.17

15:28:53 [Debug] Artifactory response: 200
15:28:53 [Debug] JFrog Artifactory version is: 7.55.3
15:28:53 [Debug] Sending HTTP POST request to: https://mycompany.jfrog.io/artifactory/api/system/usage
15:28:53 [Debug] Working directory set to: /app
15:28:53 [Debug] Sending HTTP GET request to: https://mycompany.jfrog.io/artifactory/api/system/version
15:28:53 [Debug] Usage Report: Artifactory response: 200
15:28:53 [Debug] Usage Report: Usage info sent successfully.
15:28:54 [Debug] Artifactory response: 200
15:28:54 [Debug] JFrog Artifactory version is: 7.55.3
15:28:54 [Debug] Sending npm auth request
15:28:54 [Debug] Sending HTTP GET request to: https://mycompany.jfrog.io/artifactory/api/npm/auth
15:28:55 [Debug] Sending HTTP GET request to: https://mycompany.jfrog.io/artifactory/api/repositories/npm-local
15:28:55 [Debug] The file /app/.npmrc was backed up successfully to /app/jfrog.npmrc.backup
15:28:55 [🔵Info] Build-info dependencies collection is not supported for installations of single packages. Build-info creation is skipped.
15:28:55 [Debug] Creating project .npmrc file.
15:28:56 [Debug] Removing Existing .npmrc file
15:28:56 [Debug] Running npm install command.
npm WARN acorn-import-assertions@1.8.0 requires a peer of acorn@^8 but none is installed. You must install peer dependencies yourself.
npm WARN webpack-filter-warnings-plugin@1.2.1 requires a peer of webpack@^2.0.0 || ^3.0.0 || ^4.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules/watchpack-chokidar2/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.3.2 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

up to date in 42.936s

339 packages are looking for funding
  run `npm fund` for details

15:29:42 [🔵Info] npm install finished successfully.
15:29:42 [Debug] Restored the file /app/.npmrc successfully

sverdlov93 commented 1 year ago

@tkatrichenko Got it. First, what is the --cache flag here: npm install --cache .npm? I'm not familiar with the --cache flag on the npm install command, and it does not exist in npm's help section. npm is a very forgiving CLI and it does not fail on nonexistent flags.

The above issue happens because JFrog CLI collects build-info only for the plain jf npm install command and not for jf npm install <module>. In your case, it considered the .npm as a module and therefore didn't record the build-info. Can you try running the command without the --cache .npm?

tkatrichenko commented 1 year ago

@sverdlov93, thanks for the hint. I thought npm --cache just overrides the default cache location (~/.npm by default).

But okay, I ran it without the cache key, and some new Warn lines appeared:

# JFROG_CLI_LOG_LEVEL=DEBUG jf npm install --build-name=my-build --build-number=1
18:44:32 [Debug] JFrog CLI version: 2.34.6
18:44:32 [Debug] OS/Arch: linux/amd64
18:44:32 [🔵Info] Running npm install.
18:44:32 [Debug] Preparing to read the config file /app/.jfrog/projects/npm.yaml
18:44:32 [Debug] Found resolver in the config file /app/.jfrog/projects/npm.yaml
18:44:32 [Debug] Preparing prerequisites...
18:44:32 [Debug] Using npm executable: /usr/local/bin/npm
18:44:32 [Debug] Usage Report: Sending info...
18:44:32 [Debug] Running npm -version command.
18:44:32 [Debug] Sending HTTP GET request to: https://mycompany.jfrog.io/artifactory/api/system/version
18:44:32 [Debug] npm -version standard output is:
6.14.17

18:44:32 [Debug] Using npm version: 6.14.17

18:44:33 [Debug] Working directory set to: /app
18:44:33 [Debug] Sending HTTP GET request to: https://mycompany.jfrog.io/artifactory/api/system/version
18:44:33 [Debug] Artifactory response: 200
18:44:33 [Debug] JFrog Artifactory version is: 7.55.3
18:44:33 [Debug] Sending HTTP POST request to: https://mycompany.jfrog.io/artifactory/api/system/usage
18:44:34 [Debug] Artifactory response: 200
18:44:34 [Debug] JFrog Artifactory version is: 7.55.3
18:44:34 [Debug] Sending npm auth request
18:44:34 [Debug] Sending HTTP GET request to: https://mycompany.jfrog.io/artifactory/api/npm/auth
18:44:34 [Debug] Usage Report: Artifactory response: 200
18:44:34 [Debug] Usage Report: Usage info sent successfully.
18:44:35 [Debug] Sending HTTP GET request to: https://mycompany.jfrog.io/artifactory/api/repositories/npm-local
18:44:35 [Debug] The file /app/.npmrc was backed up successfully to /app/jfrog.npmrc.backup
18:44:35 [Debug] Saving build general details at: /tmp/jfrog/builds/6700eccfc4adb3489683b6a651f5cd6e69f405c3704e880f81f9cc32da54c128/partials
18:44:35 [Debug] Using npm executable: /usr/local/bin/npm
18:44:35 [Debug] Running npm -version command.
18:44:35 [Debug] npm -version standard output is:
6.14.17

18:44:35 [Debug] Using npm version: 6.14.17

18:44:35 [Debug] Creating project .npmrc file.
18:44:36 [Debug] Removing Existing .npmrc file
18:44:36 [Debug] Running npm install command.
npm WARN webpack-filter-warnings-plugin@1.2.1 requires a peer of webpack@^2.0.0 || ^3.0.0 || ^4.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.3.2 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules/watchpack-chokidar2/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

up to date in 48.773s

339 packages are looking for funding
  run `npm fund` for details

18:45:26 [Debug] Running npm ls command.
18:45:52 [🟠Warn] npm list command failed with error: error while running the command :'/usr/local/bin/npm ls --json --all --long'
Error output is:
npm ERR! peer dep missing: webpack@^2.0.0 || ^3.0.0 || ^4.0.0, required by webpack-filter-warnings-plugin@1.2.1

Command error: is:
exit status 1
18:45:52 [🟠Warn] Some errors occurred while collecting dependencies info:
npm ERR! peer dep missing: webpack@^2.0.0 || ^3.0.0 || ^4.0.0, required by webpack-filter-warnings-plugin@1.2.1

18:45:52 [Debug] Running npm -version command.
18:45:53 [Debug] npm -version standard output is:
6.14.17

18:45:54 [Debug] Running npm config command.
18:45:55 [Debug] npm config standard output is:
/app/.npm

18:46:14 [Debug] Creating temp build file at: /tmp/jfrog/builds/6700eccfc4adb3489683b6a651f5cd6e69f405c3704e880f81f9cc32da54c128
18:46:14 [Debug] Creating temp build file at: /tmp/jfrog/builds/6700eccfc4adb3489683b6a651f5cd6e69f405c3704e880f81f9cc32da54c128
18:46:14 [🔵Info] npm install finished successfully.
18:46:14 [Debug] Restored the file /app/.npmrc successfully

Also, that Build-info dependencies collection is not supported message is gone. But I still can't find any build-info file, either inside the project's directory or at /tmp/jfrog/.

And jf build-scan still shows:

┌───────────────────────────────────┐
│ No security violations were found │
└───────────────────────────────────┘

sverdlov93 commented 1 year ago

@tkatrichenko We are using npm ls command to get the dependencies list and it looks like the command is failing on your project.
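A pre-flight check for the two ways this thread shows build-info ending up without dependencies (a stray positional token that turns jf npm install into a single-package install, and npm ls failing or returning nothing, so the build-info has no dependency list for Xray to scan). This is an added example, not JFrog CLI code; the npm ls JSON is constructed from the package.json and tree posted later in the thread, and the positional-argument rule is an assumption drawn from the maintainers' replies, not from the jfrog-cli source.

```python
import json
from typing import Dict, List


# Constructed sample of `npm ls --json --all --long` output for the small
# package.json posted later in this thread (unset-value@1.0.0), reduced to the
# fields the dependency walk needs.
SAMPLE_NPM_LS = json.loads("""
{
  "name": "intentionally-vulnerable-app",
  "version": "1.0.1",
  "dependencies": {
    "unset-value": {
      "version": "1.0.0",
      "dependencies": {
        "has-value": {
          "version": "0.3.1",
          "dependencies": {
            "get-value": {"version": "2.0.6"},
            "has-values": {"version": "0.1.4"},
            "isobject": {
              "version": "2.1.0",
              "dependencies": {"isarray": {"version": "1.0.0"}}
            }
          }
        },
        "isobject": {"version": "3.0.1"}
      }
    }
  }
}
""")

# Constructed sample of the failing case from the thread: npm ls reports a
# missing peer dependency in its "problems" array and exits non-zero.
SAMPLE_NPM_LS_WITH_PROBLEMS = {
    "name": "my-build",
    "version": "0.1.0",
    "problems": [
        "peer dep missing: webpack@^2.0.0 || ^3.0.0 || ^4.0.0, "
        "required by webpack-filter-warnings-plugin@1.2.1"
    ],
    "dependencies": {"webpack-filter-warnings-plugin": {"version": "1.2.1"}},
}


def flatten_dependencies(tree: dict) -> List[str]:
    """Walk the npm ls tree and return sorted, de-duplicated 'name:version'
    ids, the form build-info uses to identify npm dependencies. Nodes without
    a version (missing/unmet entries) are skipped."""
    ids = set()

    def walk(deps: Dict[str, dict]) -> None:
        for name, node in (deps or {}).items():
            version = node.get("version")
            if version:
                ids.add(f"{name}:{version}")
            walk(node.get("dependencies"))

    walk(tree.get("dependencies"))
    return sorted(ids)


def positional_args(install_args: List[str]) -> List[str]:
    """Tokens after 'jf npm install' that would be read as package specs.

    Assumption (from the thread, not the jfrog-cli source): a value given as
    '--flag value' instead of '--flag=value' is taken as a module argument,
    which turns the command into a single-package install and skips
    build-info collection. Only '--flag=value' form keeps the list empty.
    """
    return [tok for tok in install_args if not tok.startswith("-")]


def preflight(install_args: List[str], npm_ls: dict) -> dict:
    """Summarise why a later `jf build-scan` might report nothing."""
    deps = flatten_dependencies(npm_ls)
    positional = positional_args(install_args)
    problems = list(npm_ls.get("problems", []))
    return {
        "positional_args": positional,
        "npm_ls_problems": problems,
        "dependency_count": len(deps),
        "dependencies": deps,
        # build-info is only useful to Xray when all three conditions hold
        "ok": not positional and not problems and bool(deps),
    }


if __name__ == "__main__":
    good = preflight(["--build-name=vuln-build", "--build-number=abc1234"], SAMPLE_NPM_LS)
    bad = preflight(["--cache", ".npm", "--build-name=my-build"], SAMPLE_NPM_LS_WITH_PROBLEMS)
    print(json.dumps({"good": good, "bad": bad}, indent=2))
```

In a real pipeline, feed `preflight` the argv you pass to jf npm install and the parsed output of `npm ls --json --all --long`, and fail the job before jf rt build-publish when `ok` is false.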

tkatrichenko commented 1 year ago

There's another npm project with fewer dependencies, and npm ls passes there with no errors, so I ran the same commands there.

jf npm install shows:

# JFROG_CLI_LOG_LEVEL=DEBUG jf npm install --build-name=my-build --build-number=1
07:49:22 [Debug] JFrog CLI version: 2.34.6
07:49:22 [Debug] OS/Arch: linux/amd64
07:49:22 [Info] Running npm install.
07:49:22 [Debug] Preparing to read the config file /app/.jfrog/projects/npm.yaml
07:49:22 [Debug] Found resolver in the config file /app/.jfrog/projects/npm.yaml
07:49:22 [Debug] Preparing prerequisites...
07:49:22 [Debug] Usage Report: Sending info...
07:49:22 [Debug] Using npm executable: /usr/local/bin/npm
07:49:22 [Debug] Running npm -version command.
07:49:22 [Debug] Sending HTTP GET request to: https://mycompany.jfrog.io/artifactory/api/system/version
07:49:22 [Debug] npm -version standard output is:
6.14.17

07:49:22 [Debug] Using npm version: 6.14.17

07:49:22 [Debug] Working directory set to: /app
07:49:22 [Debug] Sending HTTP GET request to: https://mycompany.jfrog.io/artifactory/api/system/version
07:49:22 [Debug] Artifactory response: 200 
07:49:23 [Debug] JFrog Artifactory version is: 7.55.3
07:49:23 [Debug] Sending HTTP POST request to: https://mycompany.jfrog.io/artifactory/api/system/usage
07:49:23 [Debug] Artifactory response: 200 
07:49:23 [Debug] JFrog Artifactory version is: 7.55.3
07:49:23 [Debug] Sending npm auth request
07:49:23 [Debug] Sending HTTP GET request to: https://mycompany.jfrog.io/artifactory/api/npm/auth
07:49:23 [Debug] Usage Report: Artifactory response: 200 
07:49:23 [Debug] Usage Report: Usage info sent successfully.
07:49:23 [Debug] Sending HTTP GET request to: https://mycompany.jfrog.io/artifactory/api/repositories/npm-local
07:49:24 [Debug] Saving build general details at: /tmp/jfrog/builds/e043f9662eab13aba5b41fddd3e0a4425ed018ca23c837039784413d4137f22c/partials
07:49:24 [Debug] Using npm executable: /usr/local/bin/npm
07:49:24 [Debug] Running npm -version command.
07:49:24 [Debug] npm -version standard output is:
6.14.17

07:49:24 [Debug] Using npm version: 6.14.17

07:49:24 [Debug] Creating project .npmrc file.
07:49:24 [Debug] Running npm install command.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.3.2 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

up to date in 17.567s

113 packages are looking for funding
  run `npm fund` for details

07:49:43 [Debug] Running npm ls command.
07:50:00 [Debug] npm ls standard output is:
{
<long json output>
}
07:50:00 [Debug] Running npm -version command.
07:50:00 [Debug] npm -version standard output is:
6.14.17

07:50:01 [Debug] Running npm config command.
07:50:01 [Debug] npm config standard output is:
/app/.npm

07:50:11 [Debug] Creating temp build file at: /tmp/jfrog/builds/e043f9662eab13aba5b41fddd3e0a4425ed018ca23c837039784413d4137f22c
07:50:11 [Debug] Creating temp build file at: /tmp/jfrog/builds/e043f9662eab13aba5b41fddd3e0a4425ed018ca23c837039784413d4137f22c
07:50:11 [Info] npm install finished successfully.

Again, no build-info file.

jf audit shows:

# jf audit
07:40:25 [🔵Info] Log path: /root/.jfrog/logs/jfrog-cli.2023-03-09.07-40-25.636.log
The full scan results are available here: /tmp/jfrog.cli.temp.-1678347654-4210480906
Note: no context was provided, so no policy could be determined to scan against.
You can get a list of custom violations by providing one of the command options: --watches, --repo-path or --project.
Read more about configuring Xray policies here: https://www.jfrog.com/confluence/display/JFROG/Creating+Xray+Policies+and+Rules
Below are all vulnerabilities detected.
Vulnerabilities
┌──────────┬────────────────────┬────────────┬────────────┬────────────┬──────────┬──────┬────────────────┐
│ SEVERITY │ DIRECT             │ DIRECT     │ IMPACTED   │ IMPACTED   │ FIXED    │ TYPE │ CVE            │
│          │ DEPENDENCY         │ DEPENDENCY │ DEPENDENCY │ DEPENDENCY │ VERSIONS │      │                │
│          │                    │ VERSION    │ NAME       │ VERSION    │          │      │                │
├──────────┼────────────────────┼────────────┼────────────┼────────────┼──────────┼──────┼────────────────┤
│ 🔥High   │ openapi-typescript │ 6.1.0      │ undici     │ 5.16.0     │ [5.19.1] │ npm  │ CVE-2023-24807 │
├──────────┼────────────────────┼────────────┼────────────┼────────────┼──────────┼──────┼────────────────┤
│ 🎃Medium │ openapi-typescript │ 6.1.0      │ undici     │ 5.16.0     │ [5.19.1] │ npm  │ CVE-2023-23936 │

And jf build-scan again says:

# jf build-scan my-build 1
07:54:34 [🔵Info] Scan of build my-build is in progress
07:54:34 [🔵Info] Waiting for Build Scan to complete...
07:54:34 [🔵Info] The scan data is available at: https://mycompany.jfrog.io/ui/builds/my-build/1/1678345808207/xrayData?buildRepo=build-info
The full scan results are available here: /tmp/jfrog.cli.temp.-1678348474-441780038
┌───────────────────────────────────┐
│ No security violations were found │
└───────────────────────────────────┘
┌─────────────────────────────────────────────┐
│ No license compliance violations were found │
└─────────────────────────────────────────────┘

sverdlov93 commented 1 year ago

@tkatrichenko Can you run the build-scan command with --vuln flag? And can you provide a simple package.json that reproduces the issue?

tkatrichenko commented 1 year ago

With the --vuln flag:

# jf build-scan my-build 1 --project=my-project --vuln
10:09:01 [🔵Info] Scan of build my-build is in progress
10:09:01 [🔵Info] Waiting for Build Scan to complete...
10:09:02 [🔵Info] The scan data is available at: https://mycompany.jfrog.io/ui/builds/my-build/1/1678345808207/xrayData?buildRepo=build-info
The full scan results are available here: /tmp/jfrog.cli.temp.-1678356542-4155181354
┌───────────────────────────────────┐
│ No security violations were found │
└───────────────────────────────────┘
┌─────────────────────────────────────────────┐
│ No license compliance violations were found │
└─────────────────────────────────────────────┘
The full scan results are available here: /tmp/jfrog.cli.temp.-1678356542-1754029125
Note: no context was provided, so no policy could be determined to scan against.
You can get a list of custom violations by providing one of the command options: --watches, --repo-path or --project.
Read more about configuring Xray policies here: https://www.jfrog.com/confluence/display/JFROG/Creating+Xray+Policies+and+Rules
Below are all vulnerabilities detected.
┌─────────────────────────────────────┐
│ ✨ No vulnerabilities were found ✨ │
└─────────────────────────────────────┘

Here's the package.json:

{
  "name": "my-project",
  "version": "0.1.0",
  "private": true,
  "homepage": "/",
  "dependencies": {
    "@react-keycloak/web": "^3.4.0",
    "bootstrap": "^5.2.3",
    "eventsource": "^2.0.2",
    "keycloak-js": "^20.0.3",
    "normalize.css": "^8.0.1",
    "react": "^18.2.0",
    "react-dom": "^18.2.0",
    "react-hook-form": "^7.43.1",
    "react-router-dom": "^6.8.1",
    "reactstrap": "^9.1.5",
    "web-vitals": "^2.1.4",
    "zustand": "^4.3.5"
  },
  "scripts": {
    "start": "webpack serve --env mode=development --config config/webpack.config.ts",
    "build": "npm run clean && webpack --env mode=production --config config/webpack.config.ts",
    "clean": "rimraf build",
    "prettier": "prettier '{config,src}/**/*.{js,jsx,ts,tsx}' --write"
  },
  "eslintConfig": {
    "extends": [
      "react-app",
      "react-app/jest"
    ]
  },
  "browserslist": {
    "production": [
      ">0.2%",
      "not dead",
      "not op_mini all"
    ],
    "development": [
      "last 1 chrome version",
      "last 1 firefox version",
      "last 1 safari version"
    ]
  },
  "devDependencies": {
    "@babel/core": "^7.21.0",
    "@babel/preset-env": "^7.20.2",
    "@babel/preset-react": "^7.18.6",
    "@babel/preset-typescript": "^7.21.0",
    "@testing-library/jest-dom": "^5.16.5",
    "@testing-library/react": "^14.0.0",
    "@testing-library/user-event": "^14.4.3",
    "@types/jest": "^29.4.0",
    "@types/node": "^18.14.5",
    "@types/react": "^18.0.28",
    "@types/react-dom": "^18.0.11",
    "@types/react-router-dom": "^5.3.3",
    "@types/webpack": "^5.28.0",
    "@types/webpack-bundle-analyzer": "^4.6.0",
    "@types/webpack-dev-server": "^4.7.2",
    "autoprefixer": "^10.4.13",
    "babel-plugin-typescript-to-proptypes": "^2.0.0",
    "buffer": "^6.0.3",
    "compression-webpack-plugin": "^10.0.0",
    "css-loader": "^6.7.3",
    "css-minimizer-webpack-plugin": "^4.2.2",
    "html-webpack-plugin": "^5.5.0",
    "mini-css-extract-plugin": "^2.7.2",
    "openapi-typescript": "^6.1.0",
    "openapi-typescript-codegen": "^0.23.0",
    "postcss-loader": "^7.0.2",
    "prettier": "2.8.4",
    "process": "^0.11.10",
    "sass": "^1.58.3",
    "sass-loader": "^13.2.0",
    "stream-browserify": "^3.0.0",
    "style-loader": "^3.3.1",
    "ts-loader": "^9.4.2",
    "ts-node": "^10.9.1",
    "typescript": "^4.9.5",
    "webpack": "^5.75.0",
    "webpack-bundle-analyzer": "^4.8.0",
    "webpack-cli": "^5.0.1",
    "webpack-dev-server": "^4.11.1"
  }
}

sverdlov93 commented 1 year ago

@tkatrichenko Installing your example, I am getting "openapi-typescript": "6.1.0" and sub-dependency "undici": "5.20.0", which is indeed not vulnerable (fixed by 5.19 and up).

harshaaws commented 1 year ago

I am facing something similar as well for my builds, and I see the following in Bitbucket Pipelines. Any fix to this solution?

jf bs ${BITBUCKET_REPO_SLUG} ${BITBUCKET_BUILD_NUMBER} 5s

sverdlov93 commented 1 year ago

@harshaaws Your build is assigned to an Xray watch that has some policy rules. Violations = Vulnerabilities that violate at least one policy rule with fail-build checked. Screenshot 2023-03-30 at 12 05 25

You can run the command with --vuln flag to get an additional table with all vulnerabilities regardless of the policy rules. You can also run jf audit to run a local scan of your project's dependencies. You can also use JFROG_CLI_LOG_LEVEL=DEBUG env var to show more log information during the run.

Jan-Pleva commented 1 year ago

Hi, I got the same issue: [Info] Build-info dependencies collection is not supported for installations of single packages. Build-info creation is skipped.

Executing JFrog CLI Command: /opt/hostedtoolcache/jf/2.34.6/x64/jf c add "ROSS-JFROG_20230425.10_npminstall_resolver_1682440297176" --artifactory-url="https://artifactory.skoda.vwgroup.com/artifactory" --interactive=false --access-token=***
Executing JFrog CLI Command: /opt/hostedtoolcache/jf/2.34.6/x64/jf c use "ROSS-JFROG_20230425.10_npminstall_resolver_1682440297176"
16:31:37 [Info] Using server ID 'ROSS-JFROG_20230425.10_npminstall_resolver_1682440297176' ().
Executing JFrog CLI Command: /opt/hostedtoolcache/jf/2.34.6/x64/jf npmc --server-id-resolve="ROSS-JFROG_20230425.10_npminstall_resolver_1682440297176" --repo-resolve="front-npm-virtual"
16:31:37 [Info] npm build config successfully created.
Executing JFrog CLI Command: /opt/hostedtoolcache/jf/2.34.6/x64/jf npm i --no-package-lock --omit=dev --loglevel verbose --build-name="ross-external-gateway-web" --build-number="20230425.10" --threads="1"
16:31:37 [Info] Running npm install.
npm http fetch GET 200 https://artifactory.skoda.vwgroup.com/artifactory/api/npm/front-npm-virtual/chalk 442ms
npm http fetch GET 200 https://artifactory.skoda.vwgroup.com/artifactory/api/npm/front-npm-virtual/babel-preset-react-app 449ms
npm http fetch GET 200 https://artifactory.skoda.vwgroup.com/artifactory/api/npm/front-npm-virtual/case-sensitive-paths-webpack-plugin 449ms

But the build-info is empty :(

sverdlov93 commented 1 year ago

Hi @Jan-Pleva, can you show your full logs including the npm install command (with the JFROG_CLI_LOG_LEVEL=debug env)? The following message: Build-info dependencies collection is not supported for installations of single packages. Build-info creation is skipped. means that the requested npm install command contained another variable (npm install) and build info is not collected for such commands?

Jan-Pleva commented 1 year ago

Hi, I tried to add JFrog logs, but we use the JFrog Azure DevOps Extensions, so there is no option for debug mode. I also removed the "--loglevel verbose", which seems to do the magic, and build-info started to work. So thank you for directing me.

sverdlov93 commented 1 year ago

Just to let you know, you can add the JFROG_CLI_LOG_LEVEL on the Azure DevOps variables section: Screenshot 2023-04-27 at 17 27 23

And yeah, you should always use the = when wrapping npm (or other build tools) with JFrog CLI tasks, so --loglevel=verbose is the right way here.

shiplet commented 1 year ago

Resurrecting this thread a bit - I have experienced pretty much the same thing as the above commenters, so I put together a very limited build & package.json with an intentional vulnerability, derived & isolated from a larger application.

Here's the package.json:

{
  "name": "intentionally-vulnerable-app",
  "version": "1.0.1",
  "description": "An intentionally vulnerable app",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "unset-value": "^1.0.0"
  }
}

Here's the npm ls --all:

intentionally-vulnerable-app@1.0.1 <path to repo>
└─┬ unset-value@1.0.0
  ├─┬ has-value@0.3.1
  │ ├── get-value@2.0.6
  │ ├── has-values@0.1.4
  │ └─┬ isobject@2.1.0
  │   └── isarray@1.0.0
  └── isobject@3.0.1

Here's the application logic, written based on the CVE documentation given with the JSON output from jf audit:

const unset = require('unset-value');
// Property path under test comes from the first CLI argument.
const evilprop = process.argv[2];
const x = {};
// Apply unset to the object we then print (the original passed a fresh {} here,
// so x was never touched).
unset(x, evilprop);
console.log(x);

Here's the jf audit results:

┌─────────────┬──────────────┬─────────────┬────────────┬─────────────┬────────────┬──────────┬──────┬─────┐
│ SEVERITY    │ CONTEXTUAL   │ DIRECT      │ DIRECT     │ IMPACTED    │ IMPACTED   │ FIXED    │ TYPE │ CVE │
│             │ ANALYSIS     │ DEPENDENCY  │ DEPENDENCY │ DEPENDENCY  │ DEPENDENCY │ VERSIONS │      │     │
│             │              │             │ VERSION    │ NAME        │ VERSION    │          │      │     │
├─────────────┼──────────────┼─────────────┼────────────┼─────────────┼────────────┼──────────┼──────┼─────┤
│ 💀 Critical │ Undetermined │ unset-value │ 1.0.0      │ unset-value │ 1.0.0      │ [2.0.1]  │ npm  │     │
└─────────────┴──────────────┴─────────────┴────────────┴─────────────┴────────────┴──────────┴──────┴─────┘

Here's the XRay dashboard for the build results:

Screenshot 2023-06-22 at 12 32 58 PM

Here are the build & publish steps I've used on the CLI:

$ buildnumber=$(git rev-parse HEAD | cut -c 1-7); \
> buildname=vuln-build; \
> jf npm install --build-name=$buildname --build-number=$buildnumber; \
> jf npm publish --build-name=$buildname --build-number=$buildnumber; \
> jf rt bp $buildname $buildnumber; \
> jf bs $buildname $buildnumber --vuln

And here's the final output from the jf bs $buildname $buildnumber --vuln:

12:47:51 [🔵Info] Scan of build vuln-build is in progress
12:47:51 [🔵Info] Waiting for Build Scan to complete...
12:47:52 [🔵Info] The scan data is available at: <build-link>

💬 The full scan results are available here:
<tmp-folder>

┌───────────────────────────────────┐
│ No security violations were found │
└───────────────────────────────────┘
┌─────────────────────────────────────────────┐
│ No license compliance violations were found │
└─────────────────────────────────────────────┘

💬 The full scan results are available here:
<tmp-folder>

┌─────────────────────────────────────┐
│ ✨ No vulnerabilities were found ✨ │
└─────────────────────────────────────┘

I've also got XRay watches & policies set up to index this build and flag anything with Medium or higher severity, and fail anything with High severity or higher.

max4578 commented 1 year ago

Hello, bringing my experience in case someone has the same case as me. I had the same issue where audit was working, but build scan did not give me any violations or vulnerabilities. The thing is, I am behind a corporate proxy and have no access to the npmjs registry directly.

So we are using a remote repository as a mirror on our own Artifactory. To make the scan work I had Xray index that remote repository pointing to the npmjs registry. I expected Xray to find violations according to the dependency name and what it finds in its database (it does the trick for Maven). But it seems it needs the dependency to be indexed for it to work for npm.

I was using literally the same command previously mentioned with the latest version of JFrog CLI & npm.

imranzunzani commented 11 months ago

Try setting: "bundleDependencies": true in package.json, and see whether that works.