Support yarn berry in Analyzer #4894

Open
Purii opened this issue Sep 30, 2022 · 3 comments

Comments

@Purii

Purii commented Sep 30, 2022

Is your feature request related to a problem? Please describe.
Using yarn berry with workspaces doesn't work right now. Would be great to also support this updated version of yarn.

Tried with the latest CLI version: ./dependency-check.sh --out . --scan ...
Repository to reproduce: https://github.com/Purii/yarn-monorepo-example
Result:

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[WARN] No lock file exists - this will result in false negatives; please run `npm install --package-lock`
[WARN] Analyzing `/Users/../yarn-monorepo-example/packages/package-b/package.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check
[WARN] No lock file exists - this will result in false negatives; please run `npm install --package-lock`
[WARN] Analyzing `/Users/../yarn-monorepo-example/packages/package-a/package.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check
[INFO] Finished Node.js Package Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (0 seconds)
[INFO] Finished CPE Analyzer (0 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARN] An unexpected error occurred during analysis of '/Users/../yarn-monorepo-example/yarn.lock' (Yarn Audit Analyzer): No value present
[ERROR] 
java.util.NoSuchElementException: No value present
	at java.base/java.util.Optional.get(Optional.java:143)
	at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson(YarnAuditAnalyzer.java:241)
	at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzePackage(YarnAuditAnalyzer.java:281)
	at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzeDependency(YarnAuditAnalyzer.java:106)
	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:833)
[INFO] Finished Yarn Audit Analyzer (0 seconds)
[INFO] Finished RetireJS Analyzer (4 seconds)
[WARN] Unable to determine Package-URL identifiers for 5286 dependencies
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (1 seconds)
[INFO] Analysis Complete (8 seconds)
[INFO] Writing report to: /Users/../dependency-check/bin/./dependency-check-report.html
[ERROR] No value present

Describe the solution you'd like
There's already a comment in another thread: #4215 (comment)
These commands are not valid for the latest versions of yarn anymore:

Since yarn berry is very different from yarn classic, I suggest treating it as a separate dependency manager instead of extending the existing yarn implementation.

@sladg

sladg commented Dec 12, 2022

Same issue here, running [email protected]. Dependency check gives me an error when I try to analyze the lock file.
Running yarn npm audit --json --recursive works fine, but it does not take workspace dependencies into consideration; it shows results only for the root package.json.

@JustMehmet

JustMehmet commented Feb 6, 2023

There is a task similar to this, #4215, but there is no solution implemented yet.

It looks like, to resolve this, we need to wait for a solution in the gradle plugin org.owasp.dependencycheck, and until we have one we need to add the following setting to our build.gradle configuration:

dependencyCheck {
    // Disable the Yarn Audit Analyzer so the berry lock file is not passed to it
    analyzers.nodeAudit.yarnEnabled = false
}

WARNING: This will disable the yarn dependency check, and if you are using yarn for more than tests (such as functional tests, etc.), your code may have vulnerabilities.

There are some other dependency check plugins but they are not as good as this one.
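Since the thread's two options are "treat berry as a separate manager" (Purii) and "disable the yarn audit globally" (JustMehmet), a CI pre-flight check can instead look at the lock file and decide per repository. The script below is an added example, not dependency-check code: it classifies yarn.lock by its header (classic `# yarn lockfile v1` vs berry `__metadata: version`), resolves the root `workspaces` globs to the workspace manifests, and returns a plan. The sample monorepo it builds is constructed here, and the per-workspace `yarn npm audit --json` fallback is only a suggested action string, not something the script runs.

```python
import glob
import json
import os
import re
import tempfile

def classify_yarn_lock(text):
    """Return ('classic', 1), ('berry', N) or ('unknown', None) from lockfile text."""
    if re.search(r"^# yarn lockfile v1\s*$", text, re.M):
        return ("classic", 1)
    m = re.search(r"^__metadata:\s*\n\s+version:\s*(\d+)", text, re.M)
    if m:
        return ("berry", int(m.group(1)))
    return ("unknown", None)

def workspace_manifests(root):
    """Resolve the root package.json 'workspaces' globs to workspace package.json paths."""
    with open(os.path.join(root, "package.json")) as f:
        ws = json.load(f).get("workspaces", [])
    patterns = ws.get("packages", []) if isinstance(ws, dict) else ws  # both forms are valid
    found = []
    for pat in patterns:
        for d in sorted(glob.glob(os.path.join(root, pat))):
            if os.path.isfile(os.path.join(d, "package.json")):
                found.append(os.path.relpath(os.path.join(d, "package.json"), root))
    return found

def plan(root):
    """Decide how CI should treat dependency-check's Yarn Audit Analyzer for this checkout."""
    with open(os.path.join(root, "yarn.lock")) as f:
        kind, version = classify_yarn_lock(f.read())
    if kind == "classic":
        action = "run-yarn-audit-analyzer"
    elif kind == "berry":  # analyzer expects classic yarn; audit each workspace separately
        action = "skip-yarn-audit-analyzer; run `yarn npm audit --json` in each workspace"
    else:
        action = "fail-closed: unrecognised yarn.lock"
    return {"kind": kind, "version": version, "workspaces": workspace_manifests(root), "action": action}

# Constructed berry lock header (hypothetical metadata version 6).
BERRY_LOCK = '# This file is generated by running "yarn install" inside your project.\n\n__metadata:\n  version: 6\n  cacheKey: 8\n'

def build_sample_repo():
    """Constructed berry monorepo mirroring the issue's layout: root + packages/package-a, package-b."""
    root = tempfile.mkdtemp()
    for pkg in ("package-a", "package-b"):
        os.makedirs(os.path.join(root, "packages", pkg))
        with open(os.path.join(root, "packages", pkg, "package.json"), "w") as f:
            json.dump({"name": pkg, "version": "1.0.0"}, f)
    with open(os.path.join(root, "package.json"), "w") as f:
        json.dump({"name": "root", "private": True, "workspaces": ["packages/*"]}, f)
    with open(os.path.join(root, "yarn.lock"), "w") as f:
        f.write(BERRY_LOCK)
    return root
```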

@JayPe69

JayPe69 commented Oct 20, 2023

Hello,

Any news on this?
Is there any workaround to make it work?
Like launching the audit beforehand and telling ODC to just check the result, rather than trying to launch the audit by itself?
