@ sign in npm package-names leads to an exception #4536

Closed
profTwinglings opened this issue May 25, 2022 · 1 comment
Describe the bug
When using dependency check on a package.json and package-lock.json file with a dependency with a @-sign in its name like https://www.npmjs.com/package/@emotion/react
package.json

{
  "name": "test",
  "dependencies": {

    "@types/jest": "^27.4.1",
    "axios": "^0.26.0",
......

Gives:

Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
exception: org.owasp.dependencycheck.analyzer.exception.SearchException: Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.

I get a successful run if I remove all packages starting with @ or when I use an older node that generates a package-lock.json using version 1.

Version of dependency-check used
Using dependency-check-maven 7.1.0.
Package-lock.json is generated with node v18.0.0

Log file

Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
exception: org.owasp.dependencycheck.analyzer.exception.SearchException: Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.

org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage(NodeAuditSearch.java:209)
org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch.submitPackage(NodeAuditSearch.java:133)
org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzePackage(NodeAuditAnalyzer.java:189)
org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency(NodeAuditAnalyzer.java:146)
org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
java.base/java.lang.Thread.run(Thread.java:829)

Full package.json: https://gist.github.com/profTwinglings/51d7dbff3abe771c8ece98659fdbf101
package-lock.json: https://gist.github.com/profTwinglings/fadc6d506b4984245dac0feae9a6ebbe
older package-lock.json with node v14: https://gist.github.com/profTwinglings/ff06bb025fcb7cfaedf6350f9f537ee8
To Reproduce
Run dependency check maven with a package.json that has a package with @ in its name:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>7.1.0</version>
    <configuration>
        <scanSet>
            <fileSet>
                <directory>foo</directory>
                <includes>
                    <include>package.json</include>
                    <include>package-lock.json</include>
                </includes>
            </fileSet>
        </scanSet>
    </configuration>
</plugin>

Expected behavior
Successful scan
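A pre-scan triage check for the combination this report describes (a lockfileVersion 2 package-lock.json containing scoped `@scope/name` packages), added here as an example and not code from the issue or from the dependency-check project; the lockfile content is constructed, not taken from the gists above:

```python
import json

# Constructed sample of an npm lockfileVersion 2 file (not the reporter's gist).
SAMPLE_LOCK = json.dumps({
    "name": "test",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "test",
             "dependencies": {"@types/jest": "^27.4.1", "axios": "^0.26.0"}},
        "node_modules/@types/jest": {"version": "27.4.1"},
        "node_modules/axios": {"version": "0.26.0"},
    },
    "dependencies": {
        "@types/jest": {"version": "27.4.1"},
        "axios": {"version": "0.26.0"},
    },
})


def installed_packages(lock: dict) -> dict:
    """Return {package name: version} from a parsed package-lock.json.

    lockfileVersion 1 only has a nested 'dependencies' tree; version 2 adds a
    flat 'packages' map keyed by install path ('node_modules/@scope/name').
    """
    version = lock.get("lockfileVersion", 1)
    found = {}
    if version >= 2 and "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            found[path.rsplit("node_modules/", 1)[-1]] = meta.get("version")
    else:
        def walk(deps):  # v1 layout: recurse into nested 'dependencies'
            for name, meta in deps.items():
                found[name] = meta.get("version")
                walk(meta.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return found


def triage(lock_text: str) -> dict:
    """Flag the case from the report: lockfile v2 plus scoped package names."""
    lock = json.loads(lock_text)
    version = lock.get("lockfileVersion", 1)
    scoped = sorted(n for n in installed_packages(lock) if n.startswith("@"))
    return {"lockfileVersion": version, "scoped": scoped,
            "affected": version >= 2 and bool(scoped)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOCK))
```

Running it against a real lockfile (`triage(open("package-lock.json").read())`) tells you before the Maven run whether the project matches the failing combination, so you can apply the reporter's workaround of regenerating a version 1 lockfile.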

nhumblot (Collaborator) commented Aug 9, 2022

Closing as duplicate of #4412

@nhumblot nhumblot closed this as completed Aug 9, 2022