
Dependency check does not scan the package-lock.json for Typescript projects even if it says it does when the node_modules haven't been installed.

Open H4Xx0R-PC opened this issue 1 year ago • 9 comments

Describe the bug
I run dependency check with sh dependency-check.sh --scan "/home/haxxor/dep-test/package-lock.json"

When I look at what gets printed in my terminal I see this

[WARN] Analyzing /home/haxxor/dep-test/package-lock.json - however, the node_modules directory does not exist. Please run npm install prior to running dependency-check

When I then look at my report I find that it has scanned 0 dependencies.

Now when I install all my node_modules and run the exact same command I find that it scans 1399 dependencies of which 419 are unique.

Version of dependency-check used
CLI 9.0.9

To Reproduce
Steps to reproduce the behavior:

  1. Clone a Typescript project
  2. Run the tool and specify the package-lock.json
  3. Install the node_modules and run the tool again specifying the package-lock.json again
  4. Compare both outputs

Expected behavior
Dependency check should scan dependencies even if the node_modules aren't installed.

H4Xx0R-PC, Feb 01 '24 14:02

We faced the same problem. I thought that it was enough for DC to see package.json and package-lock.json, as described in the documentation, but it turns out that it needs node_modules. But nobody commits node_modules to the repository; that is what package-lock.json was invented for.

almaz045, Mar 22 '24 06:03

Sorry for the delayed response - there are two nodejs analyzers. One should be disabled as it either needs to be thrown out or completely re-written. The warning message is from that analyzer. You can simply run:

sh dependency-check.sh --disableNodeJS --scan "/home/haxxor/dep-test/package-lock.json"

Yes - the option says nodeJS, but it is disabling the node package analyzer. The node audit analyzer will still run. Note that the node audit analyzer is equivalent to just running node audit.

jeremylong, Mar 23 '24 11:03

@jeremylong How should these settings be configured correctly in the maven plugin so it works with only package-lock.json provided? I would like node packages to be scanned too.

Siinke, Apr 09 '24 12:04

You can simply run:

sh dependency-check.sh --disableNodeJS --scan "/home/haxxor/dep-test/package-lock.json"

Unfortunately, while the warning is gone, 0 dependencies are detected. I attached a sample project in ZIP: dep-check-js-test.zip

My local environment: MacOS 14.3.1, dependency-check v9.1.0 installed via brew, NodeJS version 16.9, npm version 7.21.1... CI environment: gitlab-runner 16.11.0 (linux), dependency-check 9.1.0, no NodeJS - we want to avoid running npm install at this step.

We really love the dependency-check cli otherwise :) Helps us a lot with dotnet Nugets.

mik-the-deutsch-dev, Apr 25 '24 09:04

I also noticed that "Node Audit Analyzer" doesn't work with certain package-lock.json files. There's no error, but the report shows "Dependencies Scanned: 0".

Whenever it happens, I can see the following log message:

DEBUG - Empty dependency of package-lock v2+ removed

@jeremylong I guess this check in NodePackageAnalyzer removes ALL dependencies from the file and therefore doesn't analyze anything:

if ("".equals(name))

ffluegel, May 11 '24 06:05

Until someone can provide a package.json and package-lock.json that demonstrate the behavior, we'll never know.

jeremylong, May 11 '24 11:05

You can use this repo to test it: https://github.com/lerna/lerna/tree/main

npm audit says:

# npm audit report

ejs  <3.1.10
Severity: moderate
ejs lacks certain pollution protection - https://github.com/advisories/GHSA-ghr5-ch3p-vcr6
fix available via `npm audit fix`
node_modules/ejs

express  <4.19.2
Severity: moderate
Express.js Open Redirect in malformed URLs - https://github.com/advisories/GHSA-rv95-896h-c2vc
fix available via `npm audit fix`
node_modules/express
  @verdaccio/middleware  *
  Depends on vulnerable versions of express
  node_modules/@verdaccio/middleware
    verdaccio  2.2.7-r - 2.7.2 || >=3.0.0-alpha.1
    Depends on vulnerable versions of @verdaccio/middleware
    Depends on vulnerable versions of express
    Depends on vulnerable versions of verdaccio-audit
    node_modules/verdaccio
  verdaccio-audit  >=0.0.2
  Depends on vulnerable versions of express
  node_modules/verdaccio-audit

5 moderate severity vulnerabilities

But dependency-check says:

Dependencies Scanned: 0 (0 unique)
Vulnerable Dependencies: 0
Vulnerabilities Found: 0
Vulnerabilities Suppressed: 0

However, when I delete the package-lock.json and recreate it via npm i --lockfile-version 2 --package-lock-only, dependency-check says:

Dependencies Scanned: 1 (1 unique)
Vulnerable Dependencies: 1
Vulnerabilities Found: 2

Which is in line with npm audit:

# npm audit report

express  <4.19.2
Severity: moderate
Express.js Open Redirect in malformed URLs - https://github.com/advisories/GHSA-rv95-896h-c2vc
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@verdaccio/middleware/node_modules/express
node_modules/verdaccio-audit/node_modules/express
  @verdaccio/middleware  *
  Depends on vulnerable versions of express
  node_modules/@verdaccio/middleware
    verdaccio  >=3.0.0-alpha.1
    Depends on vulnerable versions of @verdaccio/middleware
    Depends on vulnerable versions of verdaccio-audit
    node_modules/verdaccio
  verdaccio-audit  >=0.0.2
  Depends on vulnerable versions of express
  node_modules/verdaccio-audit

4 moderate severity vulnerabilities

ffluegel, May 11 '24 12:05

Looks like dependency-check does not yet support workspaces:

  "packages": {
    "": {
      "name": "lerna-monorepo",
      "license": "MIT",
      "workspaces": [
        "packages/*",
        "packages/legacy-structure/commands/create"
      ],

In the meantime, you can explicitly scan the workspaces:

dependency-check.sh --scan package-lock.json --scan packages/legacy-structure/commands/create/ --scan packages

We accept PRs...

jeremylong, May 11 '24 12:05

It turns out that it's not an issue with dependency-check itself but is related to lockfileVersion 3 and the "legacy" Quick Audit Endpoint. This old endpoint (used by dependency-check) doesn't work with many new lock files. The only workaround I know so far is re-creating the lock file with --lockfile-version 2.

I guess we need a feature request to use the Bulk Advisory Endpoint, like npm audit does since version 7.

ffluegel, May 21 '24 07:05

I did some debugging of this problem. It seems that when using a V3 package-lock, the npm API doesn't respond correctly. The "dependencies" block seems to be ignored; after changing it to "requires" like in V2 it seems to be working. I added a pull request; that's one possibility, or it could also be fixed in the buildDependencies function. But I think this is easier to understand.

spielerf, May 27 '24 13:05
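A small pre-flight check for the two causes this thread narrows down (lockfileVersion 3 and workspaces), written as an added Python example that is not dependency-check's own code: it reads a constructed package-lock.json, reports the lock version, workspaces and whether the legacy top-level "dependencies" block exists, and rebuilds a v2-style tree keyed on "requires" from the v3 "packages" entries. It only handles flat node_modules paths (an assumption; nested node_modules entries are skipped).

```python
import json

# Constructed sample: a lockfileVersion 3 lock file with an npm workspace,
# shaped like the lerna excerpt quoted above (package names are illustrative).
SAMPLE_V3_LOCK = json.dumps({
    "name": "sample-monorepo",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-monorepo", "workspaces": ["packages/*"],
              "dependencies": {"express": "^4.18.0"}},
        "node_modules/express": {"version": "4.18.2",
                                 "dependencies": {"ejs": "^3.1.9"}},
        "node_modules/ejs": {"version": "3.1.9"},
    },
})


def inspect_lockfile(text):
    """Report the facts the thread says decide whether the Node Audit Analyzer
    gets anything to scan: lock version, workspaces, and whether a legacy
    top-level "dependencies" block (v1/v2 style) is present at all."""
    lock = json.loads(text)
    packages = lock.get("packages", {})
    root = packages.get("", {})          # "" is the project itself in v2/v3
    installed = [path for path in packages if path]
    return {
        "lockfileVersion": lock.get("lockfileVersion", 1),
        "workspaces": list(root.get("workspaces", [])),
        "has_legacy_dependencies": "dependencies" in lock,
        "installed_packages": len(installed),
    }


def v2_style_dependencies(text):
    """Build a v2-style tree (name -> {"version", "requires"}) from the v3
    "packages" map, mirroring the "dependencies" -> "requires" rename the
    thread found the quick-audit endpoint needs. Assumption: only flat
    "node_modules/<name>" paths are converted; nested copies are skipped."""
    lock = json.loads(text)
    tree = {}
    for path, meta in lock.get("packages", {}).items():
        if not path.startswith("node_modules/") or "/node_modules/" in path:
            continue
        name = path[len("node_modules/"):]   # keeps scoped names like @org/pkg
        entry = {"version": meta.get("version")}
        if meta.get("dependencies"):
            entry["requires"] = dict(meta["dependencies"])
        tree[name] = entry
    return tree
```

Running inspect_lockfile on a real lock file before a CI scan tells you, without node_modules installed, whether you are in the lockfileVersion 3 or workspace situation described here.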

Thanks for the PR!

jeremylong, May 28 '24 10:05

@jeremylong is there any chance, please, you could cut a new release including this recent change?

[Update: I think there are a few tickets likely linked to this same issue.]

Many thanks.

oliverlockwood, Jun 05 '24 17:06