Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Remove NpmAuditAnalysisTask - Create GitHubAdvisoryAnalysisTask

See original GitHub issue

See https://github.blog/2021-10-07-github-advisory-database-now-powers-npm-audit/

Current Behavior:

12:30:52.442 INFO [VulnerabilityAnalysisTask] (244 out of 245) Analyzing 2018 components in project: cf2aa72a-d64e-449e-9f53-10ff24ddd808
12:30:52.482 INFO [NpmAuditAnalysisTask] Starting Node Audit analysis task for 2018 components
12:30:57.730 INFO [NpmAuditAnalysisTask] Processing NPM advisories
12:30:57.735 ERROR [VulnerabilityAnalysisTask] An unexpected error occurred performing a vulnerability analysis task
java.lang.NullPointerException: null
	at org.dependencytrack.persistence.VulnerabilityQueryManager.contains(VulnerabilityQueryManager.java:258)
	at org.dependencytrack.persistence.QueryManager.contains(QueryManager.java:635)
	at org.dependencytrack.util.NotificationUtil.analyzeNotificationCriteria(NotificationUtil.java:56)
	at org.dependencytrack.tasks.scanners.NpmAuditAnalysisTask.processResults(NpmAuditAnalysisTask.java:205)
	at org.dependencytrack.tasks.scanners.NpmAuditAnalysisTask.analyze(NpmAuditAnalysisTask.java:163)
	at org.dependencytrack.tasks.scanners.NpmAuditAnalysisTask.inform(NpmAuditAnalysisTask.java:74)
	at org.dependencytrack.tasks.VulnerabilityAnalysisTask.performAnalysis(VulnerabilityAnalysisTask.java:166)
	at org.dependencytrack.tasks.VulnerabilityAnalysisTask.analyzeComponents(VulnerabilityAnalysisTask.java:126)
	at org.dependencytrack.tasks.VulnerabilityAnalysisTask.inform(VulnerabilityAnalysisTask.java:88)
	at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:99)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)

Steps to Reproduce:

Upload NPM project with vulnerabilities to DTrack

Expected Behavior:

Should be working as normal

Environment:

  • Dependency-Track Version: latest
  • Distribution: Docker
  • BOM Format & Version:
  • Database Server: PostgreSQL

Additional Details:

Commit wit temp fix: https://github.com/StyleT/dependency-track/commit/205ab0a66d59fa0f8cb799de8923b7489468aaee

But generally - we need to remove NpmAdvisoryMirrorTask (now it’s useless), and create GithubAdvisoryMirrorTask which would work not only for NPM projects (see API here).

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Reactions:3
  • Comments:14 (10 by maintainers)

github_iconTop GitHub Comments

4reactions
stevespringettcommented, Jan 26, 2022

Also debuting in v4.4 is finer control over mirroring of vulnerability sources, GitHub being one of them.

Screen Shot 2022-01-26 at 4 54 41 PM
4reactions
stevespringettcommented, Oct 13, 2021

https://github.com/advisories does not provide any way to contact the team regarding the feed. I have a message posted in the GitHub Security Lab Slack workspace trying to get more information on how to report the issue so it can get resolved.

Read more comments on GitHub >

github_iconTop Results From Across the Web

npm-audit
The audit command submits a description of the dependencies configured in your project to your default registry and asks for a report of...
Read more >
NPM audit reports the package with high vulnerability (Denial ...
I am working in a group repo with branches and I am tying to install the dependencies for the client from create-react-app (where...
Read more >
GitHub Advisory Database now powers npm audit
npm audit is a command that you can run in your Node.js application to scan your project's dependencies for known security vulnerabilities—you' ...
Read more >
Npm Audit: broken by design? - Hacker News
So this change got pushed out, had an absolute mountain of bugs that took ages to fix (e.g. at one point adding a...
Read more >
Secure your application - GitLab Docs
A source code analysis can: Analyze source code for vulnerabilities - Static Application Security Testing (SAST). Analyze the Git repository's history for ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

improperly quoted identifiers in sql queries

Next page

JDOObjectNotFoundException: No such database row: Part 2