Bug: Server mode - Scanning a GitHub repo not working

[fkluthe]

Expected Behavior

Documented here: https://github.com/owasp-dep-scan/dep-scan?tab=readme-ov-file#server-mode

curl --json '{"url": "https://github.com/HooliCorp/vulnerable-aws-koa-app", "type": "js"}' http://0.0.0.0:7070/scan -i

should return 200 and report.

Actual Behavior

curl --json '{"url": "https://github.com/HooliCorp/vulnerable-aws-koa-app", "type": "js"}' http://0.0.0.0:7070/scan -i

returns

HTTP/1.1 500 
content-type: text/html; charset=utf-8
content-length: 265
date: Tue, 30 Jan 2024 12:23:39 GMT
server: hypercorn-h11

<!doctype html>
<html lang=en>
<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>

with error:

depscan-1  | [2024-01-30 12:21:57 +0000] [1] [INFO] 172.19.0.1:56362 GET /cache 1.1 - - 201375591
depscan-1  | ERROR [2024-01-30 12:23:39,365] Exception on request POST /scan
depscan-1  | Traceback (most recent call last):
depscan-1  |   File "/usr/local/lib/python3.11/site-packages/quart/app.py", line 1376, in handle_request
depscan-1  |     return await self.full_dispatch_request(request_context)
depscan-1  |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
depscan-1  |   File "/usr/local/lib/python3.11/site-packages/quart/app.py", line 1414, in full_dispatch_request
depscan-1  |     result = await self.handle_user_exception(error)
depscan-1  |              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
depscan-1  |   File "/usr/local/lib/python3.11/site-packages/quart/app.py", line 1007, in handle_user_exception
depscan-1  |     raise error
depscan-1  |   File "/usr/local/lib/python3.11/site-packages/quart/app.py", line 1412, in full_dispatch_request
depscan-1  |     result = await self.dispatch_request(request_context)
depscan-1  |              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
depscan-1  |   File "/usr/local/lib/python3.11/site-packages/quart/app.py", line 1506, in dispatch_request
depscan-1  |     return await self.ensure_async(handler)(**request_.view_args)
depscan-1  |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
depscan-1  |   File "/opt/dep-scan/depscan/cli.py", line 622, in run_scan
depscan-1  |     if os.path.isdir(path):
depscan-1  |        ^^^^^^^^^^^^^^^^^^^
depscan-1  |   File "<frozen genericpath>", line 42, in isdir
depscan-1  | TypeError: stat: path should be string, bytes, os.PathLike or integer, not NoneType
depscan-1  | [2024-01-30 12:23:39 +0000] [1] [INFO] 172.19.0.1:64790 POST /scan 1.1 500 265 31761779

Steps to Reproduce

Checkout: https://github.com/owasp-dep-scan/dep-scan/releases/tag/v5.2.4
Adjust:
https://github.com/owasp-dep-scan/dep-scan/blob/release/6.x/docker-compose.yml#L9-L10
https://github.com/owasp-dep-scan/dep-scan/blob/release/6.x/docker-compose.yml#L18-L19
Eg

 - /home/terkel/workspace/dockerapp_empty:/app
 - /home/terkel/workspace/dockertmp_empty:/tmp

Ramp up:
docker compose up

Execute as documented:
curl http://0.0.0.0:7070/cache
curl` --json '{"url": "https://github.com/HooliCorp/vulnerable-aws-koa-app", "type": "js"}' http://0.0.0.0:7070/scan -i

Additional Information

From docker https://github.com/owasp-dep-scan/dep-scan?tab=readme-ov-file#scanning-projects-locally-docker-container

docker run --rm -v $PWD:/app ghcr.io/owasp-dep-scan/dep-scan --purl https://github.com/HooliCorp/vulnerable-aws-koa-app --reports-dir /app/reports

Is also not working, but iam not sure if i use it correctly.

[prabhu]

Thanks @fkluthe. Invocation with url is only allowed in server mode when cdxgen is also running in server mode. I will try to improve the experience, but for now, manually clone the repo and invoke depscan with the path and --src argument.

Can you test the PR branch below, please?

#234