
Scanning with Yarn Package Manager #2842

Closed
IamAndyW opened this issue Sep 28, 2020 · 10 comments · Fixed by #3063

@IamAndyW

Hi,

I'm new to ODC and would like to understand the correct command line parameters I should be using.

Version: Command Line / 6.0.2

The project is built using Yarn package manager. I read that ODC requires a package-lock.json file. The commands I'm running are:

npm install --package-lock-only --production
dependency-check.sh -s "[root folder]" --disableNodeJS --disableRetireJS --nodeAuditSkipDevDependencies

This only reports scanning 27 dependencies when the package.json has 52 dependencies. And the report doesn't make sense, in that the vulnerable packages listed are not in the package.json.

So, my question is, what commands should I be running in order to scan correctly?

Many thanks

@jeremylong
Owner

Yarn is not a supported package manager. Those that are using Yarn have used https://github.com/imsnif/synp to generate a package-lock.json.

@IamAndyW
Author

Thank you @jeremylong. I'll give that a try.

Do you think the ODC parameters I'm passing are correct once I have the package-lock.json?

@jeremylong
Owner

Yes, I think they look okay for now. In the future retireJs should not be disabled though... but the updates have not been made yet so for node projects you likely want to disable it. You may need to specify -o (the output directory -o . works).

@IamAndyW
Author

Thanks. I do appreciate your time. I think I must be missing something!!

Steps (locally for now):

  1. yarn
  2. synp --source-file .\yarn.lock
  3. scan...

If I run with -s "[root folder]" --disableNodeJS --disableRetireJS --nodeAuditSkipDevDependencies the scan is fast but the report doesn't look right.

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (0 seconds)
[INFO] Finished Central Analyzer (0 seconds)
[INFO] Finished Assembly Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (2 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARN] The Node Package Analyzer has been disabled; the resulting report will only contain the known vulnerable dependency - not a bill of materials for the node project.
[INFO] Finished Node Audit Analyzer (0 seconds)
[WARN] Unable to determine Package-URL identifiers for 22 dependencies
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (3 seconds)

If I run with -s "[root folder]" --disableNodeJS --nodeAuditSkipDevDependencies it takes around 20 minutes to complete the analysis (running locally). Is this expected? This would add considerable time when integrated with our CI.

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (0 seconds)
[INFO] Finished Central Analyzer (0 seconds)
[INFO] Finished Assembly Analyzer (1 seconds)
[INFO] Finished Dependency Merging Analyzer (551 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (2 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARN] The Node Package Analyzer has been disabled; the resulting report will only contain the known vulnerable dependency - not a bill of materials for the node project.
[INFO] Finished Node Audit Analyzer (0 seconds)
00:11  INFO: Vulnerability found: jquery below 3.5.0
00:11  INFO: Vulnerability found: jquery below 3.5.0
00:14  INFO: Vulnerability found: react below 16.0.1
00:20  INFO: Vulnerability found: jquery below 3.4.0
00:20  INFO: Vulnerability found: jquery below 3.5.0
00:20  INFO: Vulnerability found: jquery below 3.5.0
00:29  INFO: Vulnerability found: react below 16.0.1
00:30  INFO: Vulnerability found: react below 16.0.1
[INFO] Finished RetireJS Analyzer (59 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (1 seconds)
[INFO] Finished Dependency Bundling Analyzer (577 seconds)
[INFO] Analysis Complete (1195 seconds)

@jeremylong
Owner

The Retire.JS analyzer is really more intended to identify client side JS - such as might be included in a JEE project - and is not recommended to be used with a Node project. Yes, RetireJS itself does have support for Node.js - but we are not yet using the data store. By including the RetireJS analyzer today you will end up adding every single JS file as a dependency - which isn't exactly what you want.

@IamAndyW
Author

IamAndyW commented Oct 5, 2020

Actually, this is a Javascript SPA project.

I've gone with -s "[root folder]" --disableNodeJS --nodeAuditSkipDevDependencies but it does take 15+m to complete a scan (which doesn't include downloading the updates).

So I'm still not sure if I have the correct command line parameters!

@sebastienroux

@AndrewJWaite beware of synp: versions before 1.9.4 have a bug, there's no "dev" flag in package-lock.json when converting yarn.lock. It has been fixed in 1.9.4.

Also DependencyCheck is still bugged on --nodeAuditSkipDevDependencies, so it always analyses all dependencies.

It will be fixed in 6.0.3 coming soon.

So you will have to use synp 1.9.5+ and dep-check 6.0.3+
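The two symptoms raised in this thread (a synp-generated package-lock.json with no "dev" flags, so nothing can be skipped as a dev dependency, and a report naming packages that never appear in package.json, i.e. transitive ones) can be checked before handing the lockfile to dependency-check. The following is an added example, not code from this thread, from synp or from dependency-check; it assumes the lockfileVersion 1 layout (a nested "dependencies" map with a per-entry "dev" flag) and uses a constructed manifest and lockfile.

```javascript
// Added example: sanity-check a package-lock.json converted from yarn.lock
// before running dependency-check on it. Assumes lockfileVersion 1 layout.
function auditLockfile(pkg, lock) {
  const direct = new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.devDependencies || {}),
  ]);
  const names = [];
  const devNames = [];
  // lockfileVersion 1 nests non-hoisted packages under entry.dependencies,
  // so walk the tree recursively and collect every entry we meet.
  (function walk(deps) {
    for (const [name, entry] of Object.entries(deps || {})) {
      names.push(name);
      if (entry.dev === true) devNames.push(name);
      walk(entry.dependencies);
    }
  })(lock.dependencies);
  const declaresDev = Object.keys(pkg.devDependencies || {}).length > 0;
  return {
    declared: direct.size,          // entries in package.json
    total: names.length,            // entries dependency-check will see
    dev: devNames.length,           // entries --nodeAuditSkipDevDependencies can skip
    // Symptom of synp < 1.9.4: devDependencies declared but no entry flagged dev.
    missingDevFlag: declaresDev && devNames.length === 0,
    // Packages in the lockfile but not in the manifest: transitive dependencies,
    // which is why a report can list names the package.json never mentions.
    transitive: [...new Set(names)].filter((n) => !direct.has(n)).sort(),
  };
}

// Constructed sample input (hypothetical manifest and lockfile, not real data).
const samplePkg = {
  dependencies: { react: "16.0.0" },
  devDependencies: { jest: "26.0.0" },
};
// Shape an older synp would write: correct tree, but no "dev": true anywhere.
const sampleLockNoDevFlags = {
  lockfileVersion: 1,
  dependencies: {
    react: { version: "16.0.0", dependencies: { "loose-envify": { version: "1.4.0" } } },
    jest: { version: "26.0.0" },
  },
};

const verdict = auditLockfile(samplePkg, sampleLockNoDevFlags);
if (verdict.missingDevFlag) {
  console.log("lockfile has no dev flags; regenerate it with synp >= 1.9.4");
}
console.log(`declared ${verdict.declared}, in lockfile ${verdict.total}, ` +
  `transitive: ${verdict.transitive.join(", ")}`);
```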

@IamAndyW
Author

IamAndyW commented Oct 5, 2020

Thanks @sebastienroux

RE: SYNP, the fix is in 1.9.4 (latest version), correct?

beware of synp: versions before 1.9.4 have a bug, there's no "dev" flag in package-lock.json when converting yarn.lock. It has been fixed in 1.9.4.

So this:

So you will have to use synp 1.9.5+ and dep-check 6.0.3+

becomes this:

So you will have to use synp 1.9.4+ and dep-check 6.0.3+

Hopefully this will reduce the scan time!

@sebastienroux

Yes, sorry, 1.9.4 is the latest version, with the fix for the missing dev flag.

Normally it will reduce the scan time. I'm waiting for the 6.0.3 release to test this too ;)

@IamAndyW
Author

IamAndyW commented Oct 6, 2020

Thanks @sebastienroux

I'll keep a lookout.

Would there be an additional parameter when invoking synp for this missing dev flag?

https://github.com/imsnif/synp
