trailofbits / it-depends

A tool to automatically build a dependency graph and Software Bill of Materials (SBOM) for packages and arbitrary source code repositories.
https://blog.trailofbits.com/2021/12/16/it-depends/
GNU Lesser General Public License v3.0
328 stars 20 forks

Errors with and without npm when auditing `npm:astro` #70

Open woodruffw opened 2 years ago

woodruffw commented 2 years ago

Reported by @ran-dall on the OpenSSF Slack:

# it-depends npm:astro
Traceback (most recent call last):                             
  File "/usr/local/bin/it-depends", line 33, in <module>
    sys.exit(load_entry_point('it-depends', 'console_scripts', 'it-depends')())
  File "/it-depends/it_depends/cli.py", line 244, in main
    package_list = resolve(
  File "/it-depends/it_depends/dependencies.py", line 1045, in resolve
    result = finished.result()
  File "/usr/lib64/python3.10/concurrent/futures/_base.py", line 439, in result
    return self.__get_result()
  File "/usr/lib64/python3.10/concurrent/futures/_base.py", line 391, in __get_result
    raise self._exception
  File "/usr/lib64/python3.10/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/it-depends/it_depends/dependencies.py", line 826, in _process_dep
    return _DependencyResult(dep=dep, packages=list(dep.resolver.resolve(dep)), depth=depth)
  File "/it-depends/it_depends/npm.py", line 87, in resolve
    output = subprocess.check_output(
  File "/usr/lib64/python3.10/subprocess.py", line 420, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
  File "/usr/lib64/python3.10/subprocess.py", line 501, in run
    with Popen(*popenargs, **kwargs) as process:
  File "/usr/lib64/python3.10/subprocess.py", line 969, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "/usr/lib64/python3.10/subprocess.py", line 1845, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: 'npm'

and then, with npm installed:

# it-depends npm:astro
resolving npm:astro@*: 0 dependencies [00:00, ? dependencies/s]npm notice 
npm notice New minor version of npm available! 8.3.1 -> 8.13.1
npm notice Changelog: https://github.com/npm/cli/releases/tag/v8.13.1
npm notice Run npm install -g npm@8.13.1 to update!
npm notice 
Version string lacks a numerical component: "l/generator': '^7.13.9'," 

I haven't root caused this yet; the former might be a documentation or discovery problem on our end and the latter is possibly a breakage in npm's contract.

woodruffw commented 2 years ago

The latter looks like a dupe of #65.
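An added example, not part of this issue thread or of it-depends' own code, showing how a resolver that shells out to npm can turn both failures above into actionable errors: a pre-flight check for the npm binary before any worker thread reaches subprocess (the first traceback), and strict parsing of `npm view <pkg>@<spec> dependencies --json` with a per-dependency range check that names the offending package (the second error). The `npm view ... --json` invocation is a real npm command; the range grammar, the helper and class names, the handling of npm's multi-version array output and the sample npm outputs are assumptions constructed for this example.

```python
"""Added example (not it-depends' or npm's code): surface the two failures
from the issue as actionable errors instead of a raw traceback."""
import json
import re
import shutil
import subprocess
from typing import Callable, Dict, Optional


class NpmNotFound(RuntimeError):
    """Raised by the pre-flight check instead of ENOENT from subprocess."""


class BadVersionRange(ValueError):
    """Raised when a dependency's range is not a recognisable semver range."""


def find_npm(which: Callable[[str], Optional[str]] = shutil.which) -> str:
    """Locate npm on PATH before resolution starts (first traceback above).
    `which` is injectable so the missing-npm path can be exercised offline."""
    path = which("npm")
    if path is None:
        raise NpmNotFound(
            "npm not found on PATH; install Node.js/npm (or add it to PATH) "
            "before resolving npm:* packages"
        )
    return path


# Assumed range grammar (an approximation of npm semver ranges, not npm's own):
# a bare tag/wildcard, or whitespace/'||'-separated comparators such as
# ^7.13.9, ~1.2, >=2.0.0 <3, 1.x, 1.2.3 - 2.3.4, 1.0.0-beta.1.
_BARE_OK = {"*", "latest", ""}
_TOKEN = re.compile(r"^[~^<>=]*v?(\d+|[xX*])(\.(\d+|[xX*])){0,2}([-+][0-9A-Za-z.-]+)?$")


def check_version_range(package: str, spec: str) -> str:
    """Accept a plausible semver range or raise an error that names the package."""
    spec = spec.strip()
    if spec in _BARE_OK:
        return spec
    tokens = [t for t in re.split(r"\s+|\|\|", spec) if t not in ("", "-")]
    if tokens and all(_TOKEN.match(t) for t in tokens):
        return spec
    raise BadVersionRange(f"{package}: version range is not a semver range: {spec!r}")


def parse_npm_dependencies(json_output: str) -> Dict[str, str]:
    """Parse stdout of `npm view <pkg>@<spec> dependencies --json`.
    Assumption: with several matching versions npm prints a JSON array of
    per-version objects; the last (newest) entry is used."""
    if not json_output.strip():
        return {}  # package has no dependencies field
    data = json.loads(json_output)  # JSONDecodeError on pretty-printed output
    if isinstance(data, list):
        data = data[-1] if data else {}
    if not isinstance(data, dict):
        raise ValueError(f"unexpected npm output shape: {type(data).__name__}")
    return {name: check_version_range(name, spec) for name, spec in data.items()}


def npm_view_dependencies(
    package: str,
    spec: str = "*",
    which: Callable[[str], Optional[str]] = shutil.which,
    runner: Callable[..., str] = subprocess.check_output,
) -> Dict[str, str]:
    """Pre-flight npm, then ask it for machine-readable output and parse it."""
    npm = find_npm(which)
    out = runner([npm, "view", f"{package}@{spec}", "dependencies", "--json"], text=True)
    return parse_npm_dependencies(out)


# Constructed samples (not captured from npm).
SAMPLE_JSON = '{"@babel/generator": "^7.13.9", "@babel/parser": "^7.13.9", "es-module-lexer": "^0.10.0"}'
SAMPLE_PRETTY = "{ '@babel/generator': '^7.13.9', '@babel/parser': '^7.13.9' }"
SAMPLE_FRAGMENT = "l/generator': '^7.13.9',"  # the shape of the string in the second error above


def _never_called(*args, **kwargs):
    raise AssertionError("npm must not be invoked when the pre-flight check fails")


def demo() -> Dict[str, object]:
    """Run the failure modes offline with injected stubs and report what surfaced."""
    results: Dict[str, object] = {}
    try:  # (1) npm missing: caught before any subprocess call
        npm_view_dependencies("astro", which=lambda _: None, runner=_never_called)
        results["missing_npm"] = "no error"
    except NpmNotFound as e:
        results["missing_npm"] = type(e).__name__
    # (2) npm present and JSON output: a clean name -> range map
    results["deps"] = npm_view_dependencies(
        "astro", which=lambda _: "/usr/bin/npm", runner=lambda *a, **k: SAMPLE_JSON)
    try:  # (3) pretty-printed (non-JSON) output is rejected whole, not scraped
        parse_npm_dependencies(SAMPLE_PRETTY)
        results["pretty_output"] = "accepted"
    except ValueError as e:
        results["pretty_output"] = type(e).__name__
    try:  # (4) a mangled range is rejected with the package named
        check_version_range("@babel/generator", SAMPLE_FRAGMENT)
        results["fragment"] = "accepted"
    except BadVersionRange as e:
        results["fragment"] = str(e)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `which` and `runner` parameters exist only so the example runs offline; in real use the defaults call `shutil.which` and `subprocess.check_output`, and the point is that the npm-missing case fails before any thread pool is started and that a non-JSON or mangled value is rejected as a whole with the package named, rather than surfacing as an unattributed fragment.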