Describe the bug
When using dependency check on a package.json and package-lock.json file with a dependency with a @-sign in its name like https://www.npmjs.com/package/@emotion/react
package.json
Gives:
Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
exception: org.owasp.dependencycheck.analyzer.exception.SearchException: Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
I get a successful run if I remove all packages starting with @ or when I use an older node that generates a package-lock.json using version 1.
Version of dependency-check used
Using dependency-check-maven 7.1.0.
Package-lock.json is generated with node v18.0.0
Log file
Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
exception: org.owasp.dependencycheck.analyzer.exception.SearchException: Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage(NodeAuditSearch.java:209)
org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage(NodeAuditSearch.java:133)
org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzePackage(NodeAuditAnalyzer.java:189)
org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency(NodeAuditAnalyzer.java:146)
org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
java.base/java.lang.Thread.run(Thread.java:829)
Full package.json: https://gist.github.com/profTwinglings/51d7dbff3abe771c8ece98659fdbf101
package-lock.json: https://gist.github.com/profTwinglings/fadc6d506b4984245dac0feae9a6ebbe
older package-lock.json with node v14: https://gist.github.com/profTwinglings/ff06bb025fcb7cfaedf6350f9f537ee8
To Reproduce
Run dependency check maven with a package.json that has a package with @ in its name:
Expected behavior
Successful scan
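The report above hinges on two things: the npm lockfile format changed between lockfileVersion 1 (nested "dependencies" tree) and lockfileVersion 2 (flat "packages" map keyed by "node_modules/..." paths), and scoped names such as @emotion/react contain a "/" that a naive path split mangles. The following is an added example, not code from the reporter's gists or from the dependency-check project. It parses constructed samples of both lockfile versions into the same name-to-version map, keeps scoped names intact, and shows the naive split that loses the scope. The sample versions and the "demo" project name are made up for the example; the lockfile key layout follows npm's documented format.

```python
import json
import re

# Constructed sample lockfiles (not the reporter's real files): the same three
# packages as written by npm in lockfileVersion 1 and lockfileVersion 2.
LOCK_V1 = json.loads("""
{
  "name": "demo",
  "lockfileVersion": 1,
  "dependencies": {
    "@emotion/react": {
      "version": "11.9.0",
      "requires": {"@emotion/cache": "^11.7.1"},
      "dependencies": {
        "@emotion/cache": {"version": "11.7.1"}
      }
    },
    "react": {"version": "18.0.0"}
  }
}
""")

# lockfileVersion 2 also carries a legacy "dependencies" tree for old npm
# clients; it is omitted here because the "packages" map is what v2+ readers use.
LOCK_V2 = json.loads("""
{
  "name": "demo",
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "demo", "dependencies": {"@emotion/react": "^11.9.0", "react": "^18.0.0"}},
    "node_modules/@emotion/react": {"version": "11.9.0"},
    "node_modules/@emotion/react/node_modules/@emotion/cache": {"version": "11.7.1"},
    "node_modules/react": {"version": "18.0.0"}
  }
}
""")

# npm package name shape: optional "@scope/" prefix followed by the bare name.
NAME_RE = re.compile(r"^(@[a-z0-9][a-z0-9._-]*/)?[a-z0-9][a-z0-9._-]*$")


def naive_leaf_name(path):
    """The mistake to avoid: taking the last '/' segment drops the scope."""
    return path.split("/")[-1]


def package_name_from_path(path):
    """Map a v2 'packages' key to its npm name, keeping '@scope/name' whole.

    'node_modules/a/node_modules/@s/b' -> '@s/b'
    """
    return path.rsplit("node_modules/", 1)[-1]


def dependencies_from_lock(lock):
    """Return {package name: sorted list of versions} for a v1 or v2+ lockfile."""
    found = {}
    if lock.get("lockfileVersion", 1) >= 2 and "packages" in lock:
        for path, meta in lock["packages"].items():
            # "" is the root project; "link": true entries are workspace symlinks.
            if path == "" or meta.get("link") or "version" not in meta:
                continue
            found.setdefault(package_name_from_path(path), set()).add(meta["version"])
    else:
        def walk(deps):
            for name, meta in deps.items():
                found.setdefault(name, set()).add(meta["version"])
                walk(meta.get("dependencies", {}))  # v1 nests transitive deps
        walk(lock.get("dependencies", {}))
    return {name: sorted(versions) for name, versions in found.items()}


def scoped_packages(deps):
    """Names that carry an npm scope (the '@' case from the report)."""
    return sorted(name for name in deps if name.startswith("@"))


def invalid_names(deps):
    """Names that would not be accepted as npm package names."""
    return sorted(name for name in deps if not NAME_RE.match(name))


if __name__ == "__main__":
    for label, lock in (("v1", LOCK_V1), ("v2", LOCK_V2)):
        deps = dependencies_from_lock(lock)
        print(label, deps, "scoped:", scoped_packages(deps), "invalid:", invalid_names(deps))
```

Both lockfile versions resolve to the same three packages; the only difference is whether the scoped name is read from a nested key (v1) or recovered from the "node_modules/" path (v2), and a split on "/" alone would turn "@emotion/react" into "react".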