owasp-dep-scan / dep-scan

OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.
https://owasp.org/www-project-dep-scan/
MIT License

Bug: Reachability scan fails #300

Open sjpritchard opened 5 months ago

sjpritchard commented 5 months ago

Expected Behavior

Report with reachability information is produced

Actual Behavior

depscan ends with error:

DEBUG [2024-04-23 06:29:51,230] BOM Profile: research
DEBUG [2024-04-23 06:29:51,231] ⚡︎ Executing "cdxgen -r -t java -o VulnerableApp-1.12.0.jar/bom.json --profile research VulnerableApp-1.12.0.jar"
DEBUG [2024-04-23 06:30:12,861] About to identify class names for all jars in the path /tmp/war-deps-WKbOt3
/tmp/war-deps-WKbOt3 did not contain any jars.
Maven search appears to be unavailable. Search will be skipped for all remaining packages.
Cleaning up /tmp/war-deps-WKbOt3
node:fs:2342
    return binding.writeFileUtf8(
                   ^

Error: ENOTDIR: not a directory, open 'VulnerableApp-1.12.0.jar/bom.json'
    at Object.writeFileSync (node:fs:2342:20)
    at file:///home/steve/.nvm/versions/node/v20.12.2/lib/node_modules/@cyclonedx/cdxgen/bin/cdxgen.js:469:12 {
  errno: -20,
  code: 'ENOTDIR',
  syscall: 'open',
  path: 'VulnerableApp-1.12.0.jar/bom.json'
}

Node.js v20.12.2

DEBUG [2024-04-23 06:30:12,861] Bom file VulnerableApp-1.12.0.jar/bom.json was not created successfully

Steps to Reproduce

depscan --profile research -t java -i VulnerableApp-1.12.0.jar --debug

Additional Information

sjpritchard commented 5 months ago

I tried running it by referring to the folder and not the .jar file, with the following result:

depscan --profile research -t java -i test --debug

DEBUG [2024-04-23 06:40:10,648] BOM Profile: research
DEBUG [2024-04-23 06:40:10,648] ⚡︎ Executing "cdxgen -r -t java -o test/bom.json --profile research test"
DEBUG [2024-04-23 06:40:11,530] Bom file doesn't exist. Check if cdxgen was invoked with the correct type argument. Set the environment variable CDXGEN_DEBUG_MODE to debug to troubleshoot the issue further.

DEBUG [2024-04-23 06:40:11,531] Bom file test/bom.json was not created successfully

sjpritchard commented 5 months ago

I realised that I should have been scanning the source, however I still get the following error:

depscan --profile research -t java -i ./VulnerableApp/src --debug

DEBUG [2024-04-23 07:00:36,166] BOM Profile: research
DEBUG [2024-04-23 07:00:36,166] ⚡︎ Executing "cdxgen -r -t java -o ./VulnerableApp/src/bom.json --profile research ./VulnerableApp/src"
DEBUG [2024-04-23 07:00:37,046] Bom file doesn't exist. Check if cdxgen was invoked with the correct type argument. Set the environment variable CDXGEN_DEBUG_MODE to debug to troubleshoot the issue further.

DEBUG [2024-04-23 07:00:37,046] Bom file ./VulnerableApp/src/bom.json was not created successfully

prabhu commented 5 months ago

@sjpritchard Is there a public repo for the app you are scanning? The -i or --src argument must point to the directory containing the source. Often this would be the root directory containing pom.xml or package-lock.json etc.

If you are already inside the application directory, you can pass dot as the directory name. -i .
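A small pre-flight check for the point made above, as an added example that is not part of dep-scan or cdxgen: it rejects a plain file such as the .jar from the original report (where cdxgen tries to write `<file>/bom.json` and dies with ENOTDIR) and warns when the directory holds none of the usual build manifests. The manifest list is an illustrative assumption, not cdxgen's detection table.

```shell
#!/bin/sh
# Pre-flight check for the depscan -i / --src argument (added example, not
# part of dep-scan). depscan hands the path to cdxgen, which writes its
# output to <path>/bom.json, so the path must be a directory, ideally the
# project root that holds a build manifest such as pom.xml or package-lock.json.

# Manifests for the ecosystems mentioned in the thread. Assumption: this
# list is illustrative; cdxgen recognises more project types than these.
MANIFESTS="pom.xml build.gradle build.gradle.kts package-lock.json package.json"

# depscan_check_src PATH
# Exit status: 0 = looks scannable, 1 = not a directory, 2 = no manifest found.
depscan_check_src() {
    src=$1
    if [ ! -d "$src" ]; then
        # The failure from the report: a .jar (or any file) given as -i makes
        # cdxgen try to create "<file>/bom.json", which fails with ENOTDIR.
        echo "error: '$src' is not a directory; pass the source root (or '.')" >&2
        return 1
    fi
    for m in $MANIFESTS; do
        if [ -f "$src/$m" ]; then
            echo "ok: found $m in $src"
            return 0
        fi
    done
    # cdxgen then reports "Bom file doesn't exist", as in the later attempts.
    echo "warning: no build manifest found in '$src'; cdxgen may produce no BOM" >&2
    return 2
}

# Typical use: validate first, then run the reachability scan only if it makes sense.
# depscan_check_src ./VulnerableApp && depscan --profile research -t java -i ./VulnerableApp --debug
```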