
Replace package 'download'

Open dvolpato opened this issue 2 years ago • 4 comments

This PR addresses issue https://github.com/bellingard/sonar-scanner-npm/issues/140. Package download has been inactive for the last couple of years and currently has a moderate-severity vulnerability because it depends on an older version of got.

The following changes replace download with node-download-helper plus `decompress`.

dvolpato avatar Aug 08 '22 21:08 dvolpato

Kudos, SonarCloud Quality Gate passed!

Bugs: A (0 Bugs)
Vulnerabilities: A (0 Vulnerabilities)
Security Hotspots: A (0 Security Hotspots)
Code Smells: A (0 Code Smells)

No Coverage information
0.0% Duplication

sonarqubecloud[bot] avatar Sep 06 '22 13:09 sonarqubecloud[bot]

Any estimation for when this will be merged and released?

notrev avatar Sep 07 '22 08:09 notrev

@bellingard could you merge this and release a new version? Thanks!

drodil avatar Sep 15 '22 06:09 drodil

@gabssnake As discussed, I let you handle this. Thanks!

bellingard avatar Sep 16 '22 07:09 bellingard

🙏 It would be great if this fix could have been released soon 🙏

tokra avatar Sep 23 '22 13:09 tokra

@dvolpato can you look if everything is ok with code? @drodil left you some comments

dzienisz avatar Sep 23 '22 16:09 dzienisz

@dvolpato can you look if everything is ok with code? @drodil left you some comments

@dzienisz, those were fixed in https://github.com/bellingard/sonar-scanner-npm/pull/144/commits/46e57f4be5748a2e48052ff028a1980478c3b734

dvolpato avatar Sep 23 '22 18:09 dvolpato

As discussed with @bellingard, we need more tests here. However, this LGTM. I ran some manual tests too. Please let me know if this has any unintended side effect that we missed.

Thank you @dvolpato 👍

gabssnake avatar Sep 25 '22 15:09 gabssnake

I'm now having this issue, the same locally & on Travis:

Mac:

[11:18:42] Starting analysis...
[11:18:42] Checking if executable exists: /Users/tokra/.sonar/native-sonar-scanner/sonar-scanner-4.5.0.2216-macosx/bin/sonar-scanner
[11:18:42] Could not find executable in "/Users/tokra/.sonar/native-sonar-scanner".
[11:18:42] Proceed with download of the platform binaries for SonarScanner...
[11:18:42] Creating /Users/tokra/.sonar/native-sonar-scanner
[11:18:42] Downloading from https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.5.0.2216-macosx.zip
[11:18:42] (executable will be saved in cache folder: /Users/tokra/.sonar/native-sonar-scanner)
[====================] 100% 0.0s
/Users/tokra/Documents/Code/ghe/falcon/node_modules/decompress-tar/index.js:11
        if (Buffer.isBuffer(input) && (!fileType(input) || fileType(input).ext !== 'tar')) {
                                        ^

TypeError: fileType is not a function
    at /Users/tokra/Documents/Code/ghe/falcon/node_modules/decompress-tar/index.js:11:34
    at /Users/tokra/Documents/Code/ghe/falcon/node_modules/decompress/index.js:19:43
    at Array.map (<anonymous>)
    at runPlugins (/Users/tokra/Documents/Code/ghe/falcon/node_modules/decompress/index.js:19:34)
    at extractFile (/Users/tokra/Documents/Code/ghe/falcon/node_modules/decompress/index.js:54:46)
    at /Users/tokra/Documents/Code/ghe/falcon/node_modules/decompress/index.js:150:26

Travis:

[09:15:19] Starting analysis...
[09:15:19] Checking if executable exists: /home/travis/.sonar/native-sonar-scanner/sonar-scanner-4.5.0.2216-linux/bin/sonar-scanner
[09:15:19] Could not find executable in "/home/travis/.sonar/native-sonar-scanner".
[09:15:19] Proceed with download of the platform binaries for SonarScanner...
[09:15:19] Creating /home/travis/.sonar/native-sonar-scanner
[09:15:19] Downloading from https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.5.0.2216-linux.zip
[09:15:19] (executable will be saved in cache folder: /home/travis/.sonar/native-sonar-scanner)
/home/travis/build/web-platform/falcon/node_modules/decompress-tar/index.js:11
	if (Buffer.isBuffer(input) && (!fileType(input) || fileType(input).ext !== 'tar')) {
	                                ^
TypeError: fileType is not a function
    at /home/travis/build/web-platform/falcon/node_modules/decompress-tar/index.js:11:34
    at /home/travis/build/web-platform/falcon/node_modules/decompress/index.js:19:43
    at Array.map (<anonymous>)
    at runPlugins (/home/travis/build/web-platform/falcon/node_modules/decompress/index.js:19:34)
    at extractFile (/home/travis/build/web-platform/falcon/node_modules/decompress/index.js:54:46)
    at /home/travis/build/web-platform/falcon/node_modules/decompress/index.js:150:26
The command "npm run sonarqube:scanner" exited with 1.

tokra avatar Sep 26 '22 09:09 tokra

@dvolpato any input?

@tokra can you provide info on your environment? node version?

gabssnake avatar Sep 26 '22 10:09 gabssnake

First of all, file-type has a known vulnerability, which is fixed in 16.5.4 and >= 17.1.3 (see Snyk).

The used package decompress-tar is using an old and vulnerable version of file-type! If you happen to override the version through your package.json to avoid the vulnerability, you will get this error, because with version >=13 they changed the API of file-type. It's no longer a function; it's an object with several functions.

Btw, the same issue exists with sonarqube-scanner v2.8.1. Here the dependency download (v6.2.5) uses a vulnerable version of file-type.

@gabssnake @tokra

ras-martin avatar Sep 27 '22 10:09 ras-martin
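To make the API-shape problem from the comment above concrete, here is an added example (not code from the sonar-scanner-npm PR or from the file-type/decompress-tar projects): two constructed stand-ins for the pre-13 (callable) and 13+ (object with `fromBuffer`) file-type exports, the `Buffer.isBuffer(input) && fileType(input).ext` check that decompress-tar performs, and a `detectExt` helper that tolerates both shapes instead of failing with `fileType is not a function`. The stand-ins only recognise the POSIX tar magic (`ustar` at byte offset 257); the real library checks far more.

```javascript
// Constructed stand-ins for the two file-type API shapes described in the thread:
//   pre-13: module export is a function  -> fileType(buf) returns { ext, mime } | undefined
//   13+:    module export is an object    -> fileType.fromBuffer(buf) returns a Promise of the same
// decompress-tar assumes the first shape, so a package.json override that pulls in a
// 13+ file-type produces "TypeError: fileType is not a function" at the call site.

const TAR_MAGIC_OFFSET = 257; // POSIX ustar header: "ustar" lives at bytes 257..261

function looksLikeTar(buf) {
  return Buffer.isBuffer(buf) &&
    buf.length >= TAR_MAGIC_OFFSET + 5 &&
    buf.toString('ascii', TAR_MAGIC_OFFSET, TAR_MAGIC_OFFSET + 5) === 'ustar';
}

// Stand-in for file-type < 13: callable default export (assumption: minimal subset).
function legacyFileType(buf) {
  return looksLikeTar(buf) ? { ext: 'tar', mime: 'application/x-tar' } : undefined;
}

// Stand-in for file-type >= 13: object whose fromBuffer returns a Promise.
const modernFileType = {
  fromBuffer: async (buf) =>
    (looksLikeTar(buf) ? { ext: 'tar', mime: 'application/x-tar' } : undefined),
};

// Resolve the detected extension whichever API shape is installed, and fail with a
// message that points at the dependency override instead of a bare TypeError.
async function detectExt(fileTypeModule, buf) {
  if (typeof fileTypeModule === 'function') {
    return (fileTypeModule(buf) || {}).ext;                     // pre-13 shape
  }
  if (fileTypeModule && typeof fileTypeModule.fromBuffer === 'function') {
    return ((await fileTypeModule.fromBuffer(buf)) || {}).ext;  // 13+ shape
  }
  throw new TypeError('unsupported file-type module shape; check package.json overrides');
}

// The guard decompress-tar performs, written against detectExt so it works with both shapes.
async function isTar(fileTypeModule, input) {
  return Buffer.isBuffer(input) && (await detectExt(fileTypeModule, input)) === 'tar';
}

// Constructed sample input: a zeroed 512-byte tar header with only the magic set.
function sampleTarHeader() {
  const header = Buffer.alloc(512);
  header.write('ustar', TAR_MAGIC_OFFSET, 'ascii');
  return header;
}
```

Calling `modernFileType(buf)` directly reproduces the thread's error, while `isTar(modernFileType, buf)` and `isTar(legacyFileType, buf)` both resolve to `true` for the sample header.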

@ras-martin I think it was because of that; I was overriding "file-type": "^16.5.4". Yesterday I removed it and it looks to be resolved. Thanks!

tokra avatar Sep 27 '22 12:09 tokra

This change seems to also have removed support for proxies; I opened #152 regarding that.

asselin avatar Sep 29 '22 15:09 asselin