Trivy Node scan can't parse package.json when `latest` is used as a package version

Open DmitriyLewen opened this issue 1 year ago • 0 comments

Discussed in https://github.com/aquasecurity/trivy/discussions/6730

Originally posted by abrwn May 20, 2024

Description

When running a trivy scan on a node project, the following warning is shown when `latest` is used as a dependency version:

Unable to parse "package.json" to remove dev dependencies: unable to walk dependencies: unable to match version for <package>

Example:

package.json

{
  "devDependencies": {
    "chromedriver": "latest",
    ...
  }
}

yarn.lock

chromedriver@latest:
  version "123.0.4"
  resolved "https://registry.yarnpkg.com/chromedriver/-/chromedriver-123.0.4.tgz#886886c79108b22b10f80925b67cecdc46d41988"
  integrity sha512-3Yi7y7q35kkSAOTbRisiww/SL2w+DqafDPAaUShpSuLMmPaOvHQR0i3bm2/33QBiQ8fUb1J/MzppzVL6IDqvhA==
  dependencies:
    "@testim/chrome-version" "^1.1.4"
    axios "^1.6.7"
    compare-versions "^6.1.0"
    extract-zip "^2.0.1"
    proxy-agent "^6.4.0"
    proxy-from-env "^1.1.0"
    tcp-port-used "^1.0.2"

Since latest is a valid version, should trivy be able to parse this?

Desired Behavior

Trivy scanner is able to parse latest version in package.json

Actual Behavior

Node scan can't parse package.json when latest is used as a package version, and therefore can't ignore dev dependencies.

Reproduction Steps

1. Include package with `latest` tag in package.json
2. Run `yarn` to create lock file
3. Run trivy node scanner on project, e.g. `trivy fs --scanners vuln --skip-dirs "node_modules" $1 --severity HIGH,CRITICAL --ignore-unfixed --show-suppressed --exit-code 1`

Target

Filesystem

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

2024-05-20T14:55:49.257Z	INFO	Vulnerability scanning is enabled
2024-05-20T14:55:49.281Z	WARN	Unable to parse "package.json" to remove dev dependencies: unable to walk dependencies: unable to match version for chromedriver
2024-05-20T14:55:49.309Z	INFO	Number of language-specific files: 1
2024-05-20T14:55:49.309Z	INFO	Detecting yarn vulnerabilities...

Operating System

linux

Version

Installed using `curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.50.2`

Checklist
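The matching step the report describes, as an added Go example that is not Trivy's code: a minimal yarn.lock v1 parser plus a lookup by the exact `name@spec` key that yarn records, which is how a `latest` dist-tag can be resolved to its locked version without being treated as a semver constraint. The chromedriver record in the sample lock is the one from the report; the axios record is constructed.

```go
package main

import "strings"

// lockEntry is one resolved record from a yarn.lock v1 file.
type lockEntry struct {
	Keys    []string // request keys as yarn writes them, e.g. "chromedriver@latest"
	Version string   // resolved version, e.g. "123.0.4"
}

// parseYarnLock reads only what matching needs from yarn.lock v1: each unindented
// header ("name@spec, name@spec2:") and its 2-space-indented "version" field.
func parseYarnLock(src string) []lockEntry {
	var entries []lockEntry
	for _, line := range strings.Split(src, "\n") {
		switch {
		case !strings.HasPrefix(line, " ") && strings.HasSuffix(line, ":"):
			var e lockEntry
			for _, k := range strings.Split(strings.TrimSuffix(line, ":"), ",") {
				e.Keys = append(e.Keys, strings.Trim(strings.TrimSpace(k), `"`))
			}
			entries = append(entries, e)
		case strings.HasPrefix(line, "  version ") && len(entries) > 0:
			entries[len(entries)-1].Version = strings.Trim(strings.TrimPrefix(line, "  version "), `"`)
		}
	}
	return entries
}

// resolveVersion maps a package.json dependency (name, spec) to its locked version via
// the exact "name@spec" key yarn writes, so "latest" resolves like any semver range.
func resolveVersion(entries []lockEntry, name, spec string) (string, bool) {
	want := name + "@" + spec
	for _, e := range entries {
		for _, k := range e.Keys {
			if k == want {
				return e.Version, true
			}
		}
	}
	return "", false
}

// sampleLock: the chromedriver record from the report (trimmed) plus a constructed
// axios record, showing a dist-tag and an ordinary caret range resolving alike.
const sampleLock = `chromedriver@latest:
  version "123.0.4"
axios@^1.6.7:
  version "1.6.8"
`
```

With this lookup, `chromedriver@latest` resolves to `123.0.4` and can be excluded as a dev dependency instead of triggering the "unable to match version" warning.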

DmitriyLewen, May 22 '24 08:05