
Unsupported CVSS vector format in NPM Audit: null

Open SMUnlimited opened this issue 10 months ago • 4 comments

Describe the bug Log says to raise feature request, but sounds like this is either an invalid warning or it's not handling some odd data from npm correctly? [WARNING] Unsupported CVSS vector format in NPM Audit results, please file a feature request at https://github.com/jeremylong/DependencyCheck/issues/new/choose to support vector format 'null'

Version of dependency-check used 8.4.0

To Reproduce OWASP scan of npm module

Expected behavior No Warning

SMUnlimited avatar Oct 12 '23 09:10 SMUnlimited

Can you share a project that would allow reproducing it?

aikebah avatar Oct 12 '23 20:10 aikebah

I can't share something, but looking at your code https://github.com/jeremylong/DependencyCheck/blob/778185bce378591be6e0b4642d4d4ab5cbb10510/core/src/main/java/org/owasp/dependencycheck/data/nodeaudit/NpmAuditParser.java#L133 and the fact that the number of these log messages changes every run makes me think it is a thread-safety issue somehow, where the string isn't 'null' in the if check originally but by the time it's logged it's become null by some other means.

We have a maven project with multiple modules that are actually node projects, and we run the maven owasp plugin to do our scans.

As the scanner also hits the issue here https://github.com/jeremylong/DependencyCheck/issues/5809, the above may also be related.

SMUnlimited avatar Oct 19 '23 13:10 SMUnlimited

I am also seeing this on a standard Node project. If I run it locally it only appears on the first pass, after downloading the NVD data, but not on subsequent runs. I am aiming to use it in the CI/CD pipeline by means of GitLab's Docker image for Dependency Check, but there the warning appears every time.

Locally I have jsonCvss = {"score":0, "vectorString":null} and therefore it looks like vector is the string "null" which I think explains the log message.

NIGCH avatar Jan 08 '24 08:01 NIGCH
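The observation above (a `cvss` object of `{"score":0, "vectorString":null}` ending up as the text "null") is the kind of input a parser should handle explicitly: a JSON null is "no vector", not a vector in an unknown format. The following is an added illustration in Python, not DependencyCheck's own Java parser; the sample audit document and module names are constructed, and the prefix checks for CVSS v2 and v3 vectors are a simplified stand-in for whatever format detection the real parser does. It shows the null case being kept (score retained, vector absent) without any warning, while a genuinely malformed vector still produces one.

```python
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of an npm audit JSON report (not real npm output).
# Advisory 1003 mirrors the {"score":0, "vectorString":null} case seen in this issue.
SAMPLE_AUDIT = json.dumps({
    "advisories": {
        "1001": {"module_name": "pkg-a", "cvss": {
            "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}},
        "1002": {"module_name": "pkg-b", "cvss": {
            "score": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}},
        "1003": {"module_name": "pkg-c", "cvss": {"score": 0, "vectorString": None}},
        "1004": {"module_name": "pkg-d", "cvss": {"score": 4.3, "vectorString": "bogus"}},
    }
})

# Simplified format detection (assumption): a v3.x vector starts with "CVSS:3.0/" or
# "CVSS:3.1/" followed by an AV metric; a v2 vector starts with AV/AC/Au metrics.
CVSS3_RE = re.compile(r"^CVSS:3\.[01]/AV:[NALP]/")
CVSS2_RE = re.compile(r"^AV:[NAL]/AC:[HML]/Au:[MSN]/")


@dataclass
class ParsedCvss:
    module: str
    score: Optional[float]
    vector: Optional[str]   # None when the report carried no usable vector
    version: Optional[str]  # "2", "3", or None when absent/unrecognised


@dataclass
class ParseResult:
    entries: List[ParsedCvss] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def classify_vector(vector: str) -> Optional[str]:
    """Return the CVSS major version a vector string appears to use, or None."""
    if CVSS3_RE.match(vector):
        return "3"
    if CVSS2_RE.match(vector):
        return "2"
    return None


def parse_npm_audit(text: str) -> ParseResult:
    """Parse the advisories of an npm audit report into structured CVSS entries."""
    data = json.loads(text)
    result = ParseResult()
    for adv_id, adv in data.get("advisories", {}).items():
        cvss = adv.get("cvss") or {}
        score = cvss.get("score")
        raw_vector = cvss.get("vectorString")
        # The point of this issue: a JSON null must be treated as "no vector".
        # Stringifying it first (which yields "null") would send it into format
        # detection and produce a misleading "unsupported vector format 'null'" warning.
        if not isinstance(raw_vector, str) or raw_vector.strip() == "":
            result.entries.append(ParsedCvss(adv["module_name"], score, None, None))
            continue
        version = classify_vector(raw_vector)
        if version is None:
            # Only a present but unrecognised vector is worth a warning.
            result.warnings.append(
                f"advisory {adv_id}: unsupported CVSS vector format '{raw_vector}'")
        result.entries.append(ParsedCvss(adv["module_name"], score, raw_vector, version))
    return result


if __name__ == "__main__":
    parsed = parse_npm_audit(SAMPLE_AUDIT)
    for entry in parsed.entries:
        print(entry)
    for warning in parsed.warnings:
        print("WARNING:", warning)
```

Run as a script it lists the four entries and prints a single warning, for advisory 1004 only; the null vector of advisory 1003 is recorded with `vector=None` and no log noise. The same distinction (absent or null value versus present-but-unknown value) is the check to look for at the line the reporter links in `NpmAuditParser.java`.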

We are now seeing this too. I suspect it is caused by the upgrade of node and, more specifically npm, which changed the format of package-lock.json and/or npm audit output format. I'm seeing this with Dependency-Check Core version 9.1.0 and npm 8.10.0.

robross0606 avatar Apr 23 '24 19:04 robross0606