
Bug: Reachability scan fails

Open sjpritchard opened this issue 10 months ago • 3 comments

Expected Behavior

Report with reachability information is produced

Actual Behavior

depscan ends with error:

DEBUG [2024-04-23 06:29:51,230] BOM Profile: research
DEBUG [2024-04-23 06:29:51,231] ⚡︎ Executing "cdxgen -r -t java -o VulnerableApp-1.12.0.jar/bom.json --profile research VulnerableApp-1.12.0.jar"
DEBUG [2024-04-23 06:30:12,861] About to identify class names for all jars in the path /tmp/war-deps-WKbOt3
/tmp/war-deps-WKbOt3 did not contain any jars.
Maven search appears to be unavailable. Search will be skipped for all remaining packages.
Cleaning up /tmp/war-deps-WKbOt3
node:fs:2342
  return binding.writeFileUtf8(
         ^

Error: ENOTDIR: not a directory, open 'VulnerableApp-1.12.0.jar/bom.json'
    at Object.writeFileSync (node:fs:2342:20)
    at file:///home/steve/.nvm/versions/node/v20.12.2/lib/node_modules/@cyclonedx/cdxgen/bin/cdxgen.js:469:12 {
  errno: -20,
  code: 'ENOTDIR',
  syscall: 'open',
  path: 'VulnerableApp-1.12.0.jar/bom.json'
}

Node.js v20.12.2

DEBUG [2024-04-23 06:30:12,861] Bom file VulnerableApp-1.12.0.jar/bom.json was not created successfully

Steps to Reproduce

depscan --profile research -t java -i VulnerableApp-1.12.0.jar --debug

Additional Information

  • depscan 5.3.3
  • cdxgen 10.4.2
  • Running on WSL2 with Ubuntu 20.04

sjpritchard avatar Apr 22 '24 20:04 sjpritchard

I tried running it by referring to the folder and not the .jar file, with the following result:

depscan --profile research -t java -i test --debug

DEBUG [2024-04-23 06:40:10,648] BOM Profile: research
DEBUG [2024-04-23 06:40:10,648] ⚡︎ Executing "cdxgen -r -t java -o test/bom.json --profile research test"
DEBUG [2024-04-23 06:40:11,530] Bom file doesn't exist. Check if cdxgen was invoked with the correct type argument. Set the environment variable CDXGEN_DEBUG_MODE to debug to troubleshoot the issue further.
DEBUG [2024-04-23 06:40:11,531] Bom file test/bom.json was not created successfully

sjpritchard avatar Apr 22 '24 20:04 sjpritchard

I realised that I should have been scanning the source, however I still get the following error:

depscan --profile research -t java -i ./VulnerableApp/src --debug

DEBUG [2024-04-23 07:00:36,166] BOM Profile: research
DEBUG [2024-04-23 07:00:36,166] ⚡︎ Executing "cdxgen -r -t java -o ./VulnerableApp/src/bom.json --profile research ./VulnerableApp/src"
DEBUG [2024-04-23 07:00:37,046] Bom file doesn't exist. Check if cdxgen was invoked with the correct type argument. Set the environment variable CDXGEN_DEBUG_MODE to debug to troubleshoot the issue further.
DEBUG [2024-04-23 07:00:37,046] Bom file ./VulnerableApp/src/bom.json was not created successfully

sjpritchard avatar Apr 22 '24 21:04 sjpritchard

@sjpritchard Is there a public repo for the app you are scanning? The -i or --src argument must point to the directory containing the source. Often this would be the root directory containing pom.xml or package-lock.json etc.

If you are already inside the application directory, you can pass dot as the directory name: -i .

prabhu avatar Apr 23 '24 08:04 prabhu
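As an added example (not part of this thread and not dep-scan's own code), a pre-flight check for the -i/--src value that mirrors what the debug logs above show depscan doing: it derives <src>/bom.json and the cdxgen command line, flags the ENOTDIR case when -i points at a file such as the .jar, and when the directory holds no build file walks upward to the nearest directory with pom.xml or package-lock.json to suggest instead. build.gradle as an extra root marker and the constructed fixture layout are assumptions.

```python
import tempfile
from pathlib import Path

# Build files that mark a project root. pom.xml and package-lock.json come from
# the maintainer's comment; build.gradle is an assumption.
ROOT_MARKERS = ("pom.xml", "package-lock.json", "build.gradle")

def has_build_file(d: Path) -> bool:
    return any((d / m).is_file() for m in ROOT_MARKERS)

def find_root(start: Path):
    """Walk upward from start to the nearest directory holding a build file."""
    for d in (start, *start.parents):
        if has_build_file(d):
            return d
    return None

def preflight(src, ptype: str = "java", profile: str = "research") -> dict:
    """Check a -i/--src value before depscan hands it to cdxgen.

    depscan writes the BOM to <src>/bom.json (see the debug log), so a file
    path fails with ENOTDIR and a directory without a build file yields no BOM.
    """
    p = Path(src).resolve()
    bom = p / "bom.json"
    out = {"ok": False, "reason": "", "cmd": None, "suggest": None}
    if not p.exists():
        out["reason"] = "path does not exist"
    elif p.is_file():
        out["reason"] = f"ENOTDIR: {bom} is not a directory (-i points at a file)"
        out["suggest"] = str(find_root(p.parent) or p.parent)
    elif not has_build_file(p):
        out["reason"] = "no build file here; cdxgen will report 'Bom file doesn't exist'"
        root = find_root(p)
        out["suggest"] = str(root) if root else None
    else:
        out["ok"] = True
        out["cmd"] = ["cdxgen", "-r", "-t", ptype, "-o", str(bom), "--profile", profile, str(p)]
    return out

def make_fixture() -> Path:
    """Constructed layout mirroring the report: project dir, its src/, and a built jar."""
    base = Path(tempfile.mkdtemp())
    app = base / "VulnerableApp"
    (app / "src").mkdir(parents=True)
    (app / "pom.xml").write_text("<project/>")
    (app / "src" / "App.java").write_text("class App {}")
    (app / "VulnerableApp-1.12.0.jar").write_bytes(b"PK")  # placeholder, not a real jar
    return base
```

Running preflight on the jar, on src/, and on the project directory reproduces the three outcomes seen in the thread: ENOTDIR, a missing BOM, and a valid cdxgen command.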