sandworm-hq / sandworm-audit

Security & License Compliance For Your App's Dependencies 🪱
https://sandworm.dev
MIT License

yarn global install & exec in yarn temp env (dlx) fail; local install OK #88

Closed pgnd closed 1 year ago

pgnd commented 1 year ago

Local install into the project appears to work.

lsb_release -rd
    Description:    Fedora release 37 (Thirty Seven)
    Release:        37

yarn -v
    3.5.0
node -v
    v18.15.0
npm -v
    9.5.0
npx -v
    9.5.0

yarn global add @sandworm/audit
    Usage Error: The 'yarn global' commands have been removed in 2.x - consider using 'yarn dlx' or a third-party plugin instead
    $ yarn run [--inspect] [--inspect-brk] [-T,--top-level] [-B,--binaries-only] <scriptName> ...

yarn dlx @sandworm/audit@latest
    ➤ YN0000: ┌ Resolution step
    ➤ YN0061: │ w3c-hr-time@npm:1.0.2 is deprecated: Use your platform's native performance.now() and performance.timeOrigin.
    ➤ YN0000: └ Completed in 3s 595ms
    ➤ YN0000: ┌ Fetch step
    ➤ YN0000: └ Completed
    ➤ YN0000: ┌ Link step
    ➤ YN0000: │ ESM support for PnP uses the experimental loader API and is therefore experimental
    ➤ YN0000: └ Completed
    ➤ YN0000: Done with warnings in 3s 806ms

    Internal Error: Binary not found (audit) for root-workspace-0b6124@workspace:.
        at h7 (/var/lib/wwwrun/.cache/node/corepack/yarn/3.5.0/yarn.js:423:1806)
        at Object.mRe (/var/lib/wwwrun/.cache/node/corepack/yarn/3.5.0/yarn.js:423:2322)
        at /var/lib/wwwrun/.cache/node/corepack/yarn/3.5.0/yarn.js:601:297
        at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
        at async $t.mktempPromise (/var/lib/wwwrun/.cache/node/corepack/yarn/3.5.0/yarn.js:314:69429)
        at async Lu.execute (/var/lib/wwwrun/.cache/node/corepack/yarn/3.5.0/yarn.js:597:62990)
        at async Lu.validateAndExecute (/var/lib/wwwrun/.cache/node/corepack/yarn/3.5.0/yarn.js:345:664)
        at async Un.run (/var/lib/wwwrun/.cache/node/corepack/yarn/3.5.0/yarn.js:359:2057)
        at async Un.runExit (/var/lib/wwwrun/.cache/node/corepack/yarn/3.5.0/yarn.js:359:2241)
        at async i (/var/lib/wwwrun/.cache/node/corepack/yarn/3.5.0/yarn.js:446:12054)

yarn add @sandworm/audit@latest
    ➤ YN0000: ┌ Resolution step
    ➤ YN0000: │ Some peer dependencies are incorrectly met; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code
    ➤ YN0000: └ Completed in 3s 567ms
    ➤ YN0000: ┌ Fetch step
    ➤ YN0013: │ write-file-atomic@npm:4.0.2 can't be found in the cache and will be fetched from the remote regis
    ➤ YN0013: │ xml-name-validator@npm:3.0.0 can't be found in the cache and will be fetched from the remote regi
    ➤ YN0013: │ xmlchars@npm:2.2.0 can't be found in the cache and will be fetched from the remote registry
    ➤ YN0013: │ yargs-parser@npm:21.1.1 can't be found in the cache and will be fetched from the remote registry
    ➤ YN0013: │ yargs@npm:17.6.0 can't be found in the cache and will be fetched from the remote registry
    ➤ YN0000: └ Completed in 0s 430ms
    ➤ YN0000: ┌ Link step
    ➤ YN0000: │ ESM support for PnP uses the experimental loader API and is therefore experimental
    ➤ YN0008: │ sharp@npm:0.32.0 must be rebuilt because its dependency tree changed
    ➤ YN0000: └ Completed in 0s 744ms
    ➤ YN0000: Done with warnings in 4s 886ms

yarn info --name-only @sandworm/audit
    └─ @sandworm/audit@npm:1.35.0

yarn sandworm -d --sv
    Sandworm 🪱Security and License Compliance Audit
    √ Built dependency graph
    //
    // 💡 Save issue resolution info to your repo
    //    resolved-issues.json
    //    https://docs.sandworm.dev/audit/resolving-issues
    //
    √ Got vulnerabilities
    √ Scanned licenses
    √ Scanned issues
    √ Tree chart done
    √ Treemap chart done
    √ CSV done
    √ Report written to disk

    ⚠ Identified 2 high severity, 1 low severity issues
    🟠 caniuse-lite@1.0.30001431 Atypical license SWRM-104-caniuse-lite-1.0.30001431
    🟠 esbuild@0.15.14 Uses postinstall script SWRM-201-esbuild-0.15.14-postinstall
    ⚪ caniuse-lite@1.0.30001431 License not OSI approved SWRM-102-caniuse-lite-1.0.30001431

    ✨ Done

gabidobo commented 1 year ago

Thank you for submitting this, @pgnd! Looking into it now.

gabidobo commented 1 year ago

It turns out the proper command to use is:

yarn dlx -p @sandworm/audit sandworm

See https://github.com/yarnpkg/berry/issues/2013.

@pgnd if you can, please let me know if the command above works for you. Thanks!

pgnd commented 1 year ago

@gabidobo

sorry, I missed the GH notification of your ping :-/

please let me know if the command above works for you

It no longer fails immediately, does progress, but fails with "Done, but with errors:"

and it's seemingly slow ... 6+ minutes; I've no sense yet what's typical

e.g.,

time yarn dlx -p @sandworm/audit sandworm
    ➤ YN0000: ┌ Resolution step
    ➤ YN0061: │ w3c-hr-time@npm:1.0.2 is deprecated: Use your platform's native performance.now() and performance.timeOrigin.
    ➤ YN0000: └ Completed in 56s 262ms
    ➤ YN0000: ┌ Fetch step
    ➤ YN0000: └ Completed
    ➤ YN0000: ┌ Link step
    ➤ YN0000: │ ESM support for PnP uses the experimental loader API and is therefore experimental
    ➤ YN0000: └ Completed in 0s 409ms
    ➤ YN0000: Done with warnings in 56s 872ms

    Sandworm 🪱Security and License Compliance Audit
    √ Built dependency graph
    √ Got vulnerabilities
    √ Scanned licenses
    √ Scanned issues
    √ Tree chart done
    √ Treemap chart done
    √ CSV done
    √ Report written to disk

    ⚠ Identified 10 high severity, 1 low severity issues
    🟠 @fortawesome/free-brands-svg-icons@6.4.0 Atypical license SWRM-104-@fortawesome/free-brands-svg-icons-6.4.0
    🟠 @fortawesome/free-regular-svg-icons@6.4.0 Atypical license SWRM-104-@fortawesome/free-regular-svg-icons-6.4.0
    🟠 @fortawesome/free-solid-svg-icons@6.4.0 Atypical license SWRM-104-@fortawesome/free-solid-svg-icons-6.4.0
    🟠 caniuse-lite@1.0.30001481 Atypical license SWRM-104-caniuse-lite-1.0.30001481
    🟠 @fortawesome/fontawesome-common-types@6.4.0 Uses postinstall script SWRM-201-@fortawesome/fontawesome-common-types-6.4.0-postinstall
    🟠 @fortawesome/fontawesome-svg-core@6.4.0 Uses postinstall script SWRM-201-@fortawesome/fontawesome-svg-core-6.4.0-postinstall
    🟠 @fortawesome/free-brands-svg-icons@6.4.0 Uses postinstall script SWRM-201-@fortawesome/free-brands-svg-icons-6.4.0-postinstall
    🟠 @fortawesome/free-regular-svg-icons@6.4.0 Uses postinstall script SWRM-201-@fortawesome/free-regular-svg-icons-6.4.0-postinstall
    🟠 @fortawesome/free-solid-svg-icons@6.4.0 Uses postinstall script SWRM-201-@fortawesome/free-solid-svg-icons-6.4.0-postinstall
    🟠 w3c-hr-time@1.0.2 Deprecated package SWRM-200-w3c-hr-time-1.0.2
    ⚪ caniuse-lite@1.0.30001481 License not OSI approved SWRM-102-caniuse-lite-1.0.30001481

    ✨ Done, but with errors:
    ❌ SyntaxError: Unexpected token ➤ in JSON at position 0
    ❌ Failing because of errors

    real    6m11.929s
    user    0m12.243s
    sys     0m1.298s

gabidobo commented 1 year ago

Ok, this seems to be an error with retrieving vulnerabilities from the package manager.

I just released v1.40.0 with better console messaging around these errors, could you please give it a try? It should clarify what the underlying issue is.

pgnd commented 1 year ago

@gabidobo

time yarn dlx -p @sandworm/audit sandworm
    ➤ YN0000: ┌ Resolution step
    ➤ YN0061: │ w3c-hr-time@npm:1.0.2 is deprecated: Use your platform's native performance.now() and performance.timeOrigin.
    ➤ YN0000: └ Completed in 58s 827ms
    ➤ YN0000: ┌ Fetch step
    ➤ YN0013: │ ini@npm:4.1.1 can't be found in the cache and will be fetched from the remote registry
    ➤ YN0013: │ semver@npm:7.5.1 can't be found in the cache and will be fetched from the remote registry
    ➤ YN0013: │ signal-exit@npm:4.0.2 can't be found in the cache and will be fetched from the remote registry
    ➤ YN0013: │ tslib@npm:2.5.2 can't be found in the cache and will be fetched from the remote registry
    ➤ YN0000: └ Completed in 0s 521ms
    ➤ YN0000: ┌ Link step
    ➤ YN0000: │ ESM support for PnP uses the experimental loader API and is therefore experimental
    ➤ YN0000: └ Completed in 0s 401ms
    ➤ YN0000: Done with warnings in 59s 807ms

    Sandworm 🪱Security and License Compliance Audit
    √ Built dependency graph
    √ Got vulnerabilities
    √ Scanned licenses
    √ Scanned issues
    √ Tree chart done
    √ Treemap chart done
    √ CSV done
    √ Report written to disk

    ⚠ Identified 10 high severity, 1 low severity issues
    🟠 @fortawesome/free-brands-svg-icons@6.4.0 Atypical license SWRM-104-@fortawesome/free-brands-svg-icons-6.4.0
    🟠 @fortawesome/free-regular-svg-icons@6.4.0 Atypical license SWRM-104-@fortawesome/free-regular-svg-icons-6.4.0
    🟠 @fortawesome/free-solid-svg-icons@6.4.0 Atypical license SWRM-104-@fortawesome/free-solid-svg-icons-6.4.0
    🟠 caniuse-lite@1.0.30001481 Atypical license SWRM-104-caniuse-lite-1.0.30001481
    🟠 @fortawesome/fontawesome-common-types@6.4.0 Uses postinstall script SWRM-201-@fortawesome/fontawesome-common-types-6.4.0-postinstall
    🟠 @fortawesome/fontawesome-svg-core@6.4.0 Uses postinstall script SWRM-201-@fortawesome/fontawesome-svg-core-6.4.0-postinstall
    🟠 @fortawesome/free-brands-svg-icons@6.4.0 Uses postinstall script SWRM-201-@fortawesome/free-brands-svg-icons-6.4.0-postinstall
    🟠 @fortawesome/free-regular-svg-icons@6.4.0 Uses postinstall script SWRM-201-@fortawesome/free-regular-svg-icons-6.4.0-postinstall
    🟠 @fortawesome/free-solid-svg-icons@6.4.0 Uses postinstall script SWRM-201-@fortawesome/free-solid-svg-icons-6.4.0-postinstall
    🟠 w3c-hr-time@1.0.2 Deprecated package SWRM-200-w3c-hr-time-1.0.2
    ⚪ caniuse-lite@1.0.30001481 License not OSI approved SWRM-102-caniuse-lite-1.0.30001481

    ✨ Done, but with errors:
    ❌ Error: Error getting vulnerability report from yarn: Unexpected token ➤ in JSON at position 0 => ➤ YN0035: Bad Request
    ➤ YN0035:   Response Code: 400 (Bad Request)
    ➤ YN0035:   Request Method: POST
    ➤ YN0035:   Request URL: https://registry.yarnpkg.com/-/npm/v1/security/audits/quick

    ➤ Errors happened when preparing the environment required to run this command.
    ➤ This might be caused by packages being missing from the lockfile, in which case running "yarn install" might help.

        at getDependencyVulnerabilities (/var/lib/wwwrun/.yarn/berry/cache/@sandworm-audit-npm-1.42.0-fab3def249-8.zip/node_modules/@sandworm/audit/src/issues/vulnerabilities.js:149:11)
        at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
        at async getReport (/var/lib/wwwrun/.yarn/berry/cache/@sandworm-audit-npm-1.42.0-fab3def249-8.zip/node_modules/@sandworm/audit/src/index.js:68:33)
        at async exports.handler (/var/lib/wwwrun/.yarn/berry/cache/@sandworm-audit-npm-1.42.0-fab3def249-8.zip/node_modules/@sandworm/audit/src/cli/cmds/audit.js:248:9)
    ❌ Failing because of errors

    real    5m59.922s
    user    0m12.831s
    sys     0m1.433s

gabidobo commented 1 year ago

@pgnd this seems to be an underlying issue with Yarn audit: https://github.com/yarnpkg/berry/issues/4117

Can you please try to run yarn audit and see if the error replicates? If it does, maybe leave a comment on the issue above, so the Yarn team prioritizes a fix.
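The parse failure quoted above ("Unexpected token ➤ in JSON at position 0") is what happens when a tool hands Yarn's whole stdout to `JSON.parse` while Yarn has printed a `➤ YN0035:` diagnostic instead of (or in front of) the audit JSON. The following is an added example written for this page, not code from sandworm-audit or from Yarn: it separates `➤ YNxxxx` diagnostic lines from one-object-per-line JSON records before parsing, and turns a fatal code such as the YN0035 seen here into a readable error instead of a SyntaxError. The `YARN_DIAG` pattern, the `FATAL_CODES` set and the advisory record shape in the constructed sample are assumptions for illustration, not Yarn's documented output format.

```javascript
// Added example: parse Yarn's mixed console/JSON output defensively.
// Not sandworm-audit's or Yarn's own code; the JSON record shape, the
// diagnostic pattern and the fatal-code set are assumptions made here.

// Yarn Berry prefixes its console diagnostics with "➤ YNxxxx:"; the lines
// quoted in this thread (YN0035, YN0061, YN0013) follow that shape.
const YARN_DIAG = /^➤\s*(YN\d{4}):\s*(.*)$/;

// Codes treated as "the audit request itself failed". YN0035 is the code
// Yarn printed next to the 400 Bad Request above; extend as needed (assumption).
const FATAL_CODES = new Set(['YN0035']);

// What a naive consumer does: hand the whole stdout to JSON.parse. Any
// diagnostic line at position 0 makes this throw "Unexpected token ➤".
function naiveParse(raw) {
  try {
    return { ok: true, value: JSON.parse(raw) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Split stdout into Yarn diagnostics, one-JSON-object-per-line records, and
// anything else, without letting a single bad line abort the whole parse.
function classifyYarnOutput(raw) {
  const diagnostics = [];
  const records = [];
  const unparsed = [];
  for (const line of raw.split(/\r?\n/)) {
    const trimmed = line.trim();
    if (trimmed === '') continue;
    const m = YARN_DIAG.exec(trimmed);
    if (m) {
      diagnostics.push({ code: m[1], message: m[2].trim() });
      continue;
    }
    try {
      records.push(JSON.parse(trimmed));
    } catch (_) {
      unparsed.push(trimmed);
    }
  }
  return { diagnostics, records, unparsed };
}

// Turn the classified output into a result a CLI can act on: a fatal
// diagnostic or an empty record set means "no vulnerability data", which
// must fail the audit rather than let the run pass as clean.
function parseYarnAuditOutput(raw) {
  const { diagnostics, records, unparsed } = classifyYarnOutput(raw);
  const fatal = diagnostics.filter((d) => FATAL_CODES.has(d.code));
  if (fatal.length > 0) {
    const detail = fatal.map((d) => `${d.code}: ${d.message}`).join('\n');
    return { ok: false, error: `yarn audit request failed:\n${detail}`, records, diagnostics, unparsed };
  }
  if (records.length === 0) {
    return { ok: false, error: 'yarn audit produced no JSON records', records, diagnostics, unparsed };
  }
  return { ok: true, records, diagnostics, unparsed };
}

// Constructed samples. SAMPLE_FAILED mirrors the YN0035 lines quoted in this
// thread; SAMPLE_OK pairs a deprecation notice with an invented advisory
// record (the real `yarn npm audit --json` record shape may differ).
const SAMPLE_FAILED = [
  '➤ YN0035: Bad Request',
  '➤ YN0035:   Response Code: 400 (Bad Request)',
  '➤ YN0035:   Request Method: POST',
  '➤ YN0035:   Request URL: https://registry.yarnpkg.com/-/npm/v1/security/audits/quick',
].join('\n');

const SAMPLE_OK = [
  "➤ YN0061: w3c-hr-time@npm:1.0.2 is deprecated: Use your platform's native performance.now()",
  '{"advisory":{"id":1,"module_name":"example-pkg","severity":"high"}}',
].join('\n');

console.log('naive:', naiveParse(SAMPLE_FAILED));
console.log('robust (failed):', parseYarnAuditOutput(SAMPLE_FAILED).error);
console.log('robust (ok):', parseYarnAuditOutput(SAMPLE_OK).records);
```

The point for a supply-chain check is the failure mode, not the parsing trick: a 400 from the audit endpoint means no vulnerability data was fetched at all, so the run must fail with the registry's own message rather than report the dependency set as clean.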

github-actions[bot] commented 1 year ago

This issue is stale because it has been open for 30 days with no activity.

github-actions[bot] commented 1 year ago

This issue was closed because it has been inactive for 14 days since being marked as stale.