dep-scan
Error at start
Hi, I'm using https://github.com/AppThreat/dep-scan-action on some of my repos and it started to fail today with the following error:
```
___ _____ _ _
/ _ \ |_ _| | | |
/ /_\ \_ __ _ __ | | | |__ _ __ ___ __ _| |_
| _ | '_ \| '_ \| | | '_ \| '__/ _ \/ _` | __|
| | | | |_) | |_) | | | | | | | | __/ (_| | |_
\_| |_/ .__/| .__/\_/ |_| |_|_| \___|\__,_|\__|
| | | |
|_| |_|
INFO [2021-11-10 11:29:56,256] ================================================================================
╭──────────────────────── New Feature ────────────────────────╮
│ Depscan supports OSS Risk audit for this project.           │
│ To enable set the environment variable ENABLE_OSS_RISK=true │
╰─────────────────────────────────────────────────────────────╯
Traceback (most recent call last):
  File "/usr/local/bin/scan", line 33, in <module>
    sys.exit(load_entry_point('appthreat-depscan==2.0.5', 'console_scripts', 'scan')())
  File "/usr/local/lib/python3.8/site-packages/appthreat_depscan-2.0.5-py3.8.egg/depscan/cli.py", line 394, in main
    s.refresh()
  File "/usr/local/lib/python3.8/site-packages/appthreat_vulnerability_db-1.7.2-py3.8.egg/vdb/lib/nvd.py", line 106, in refresh
    return self.download_all()
  File "/usr/local/lib/python3.8/site-packages/appthreat_vulnerability_db-1.7.2-py3.8.egg/vdb/lib/gha.py", line 104, in download_all
    data, page_info = self.fetch(type=lastId)
  File "/usr/local/lib/python3.8/site-packages/appthreat_vulnerability_db-1.7.2-py3.8.egg/vdb/lib/gha.py", line 131, in fetch
    return self.convert(json_data)
  File "/usr/local/lib/python3.8/site-packages/appthreat_vulnerability_db-1.7.2-py3.8.egg/vdb/lib/gha.py", line 189, in convert
    if cve.get("withdrawnAt"):
AttributeError: 'NoneType' object has no attribute 'get'
```
This is the command launched:
```
/usr/bin/docker run --name quayioappthreatdepscanlatest_7e77b1 --label e28490 --workdir /github/workspace --rm -e VDB_HOME -e GITHUB_TOKEN -e INPUT_SRC -e INPUT_REPORT_FILE -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RETENTION_DAYS -e GITHUB_RUN_ATTEMPT -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_REF_NAME -e GITHUB_REF_PROTECTED -e GITHUB_REF_TYPE -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e RUNNER_OS -e RUNNER_ARCH -e RUNNER_NAME -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/genesis/genesis":"/github/workspace" quay.io/appthreat/dep-scan:latest "scan" "--src" "/github/workspace/main/" "--report_file" "/github/workspace/reports/depscan.json"
```
Any clue of what is happening?
Hi @artefactop

I didn't realize the appthreat container image is being used via the quay mirror. I've restarted the build since I noticed that it had failed to build with the latest version of depscan, which is 2.0.7.

If this doesn't fix it, could you consider switching to https://github.com/ShiftLeftSecurity/scan-action? It accepts -t depscan, which would invoke depscan.