Remove NpmAuditAnalysisTask - Create GitHubAdvisoryAnalysisTask
See original GitHub issueSee https://github.blog/2021-10-07-github-advisory-database-now-powers-npm-audit/
Current Behavior:
12:30:52.442 INFO [VulnerabilityAnalysisTask] (244 out of 245) Analyzing 2018 components in project: cf2aa72a-d64e-449e-9f53-10ff24ddd808
12:30:52.482 INFO [NpmAuditAnalysisTask] Starting Node Audit analysis task for 2018 components
12:30:57.730 INFO [NpmAuditAnalysisTask] Processing NPM advisories
12:30:57.735 ERROR [VulnerabilityAnalysisTask] An unexpected error occurred performing a vulnerability analysis task
java.lang.NullPointerException: null
at org.dependencytrack.persistence.VulnerabilityQueryManager.contains(VulnerabilityQueryManager.java:258)
at org.dependencytrack.persistence.QueryManager.contains(QueryManager.java:635)
at org.dependencytrack.util.NotificationUtil.analyzeNotificationCriteria(NotificationUtil.java:56)
at org.dependencytrack.tasks.scanners.NpmAuditAnalysisTask.processResults(NpmAuditAnalysisTask.java:205)
at org.dependencytrack.tasks.scanners.NpmAuditAnalysisTask.analyze(NpmAuditAnalysisTask.java:163)
at org.dependencytrack.tasks.scanners.NpmAuditAnalysisTask.inform(NpmAuditAnalysisTask.java:74)
at org.dependencytrack.tasks.VulnerabilityAnalysisTask.performAnalysis(VulnerabilityAnalysisTask.java:166)
at org.dependencytrack.tasks.VulnerabilityAnalysisTask.analyzeComponents(VulnerabilityAnalysisTask.java:126)
at org.dependencytrack.tasks.VulnerabilityAnalysisTask.inform(VulnerabilityAnalysisTask.java:88)
at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:99)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
Steps to Reproduce:
Upload NPM project with vulnerabilities to DTrack
Expected Behavior:
Should be working as normal
Environment:
- Dependency-Track Version: latest
- Distribution: Docker
- BOM Format & Version:
- Database Server: PostgreSQL
Additional Details:
Commit wit temp fix: https://github.com/StyleT/dependency-track/commit/205ab0a66d59fa0f8cb799de8923b7489468aaee
But generally - we need to remove NpmAdvisoryMirrorTask
(now it’s useless), and create GithubAdvisoryMirrorTask
which would work not only for NPM projects (see API here).
Issue Analytics
- State:
- Created 2 years ago
- Reactions:3
- Comments:14 (10 by maintainers)
Top Results From Across the Web
npm-audit
The audit command submits a description of the dependencies configured in your project to your default registry and asks for a report of...
Read more >NPM audit reports the package with high vulnerability (Denial ...
I am working in a group repo with branches and I am tying to install the dependencies for the client from create-react-app (where...
Read more >GitHub Advisory Database now powers npm audit
npm audit is a command that you can run in your Node.js application to scan your project's dependencies for known security vulnerabilities—you' ...
Read more >Npm Audit: broken by design? - Hacker News
So this change got pushed out, had an absolute mountain of bugs that took ages to fix (e.g. at one point adding a...
Read more >Secure your application - GitLab Docs
A source code analysis can: Analyze source code for vulnerabilities - Static Application Security Testing (SAST). Analyze the Git repository's history for ...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
Also debuting in v4.4 is finer control over mirroring of vulnerability sources, GitHub being one of them.
https://github.com/advisories does not provide any way to contact the team regarding the feed. I have a message posted in the GitHub Security Lab Slack workspace trying to get more information on how to report the issue so it can get resolved.