
missing existing vulnerabilities in the dependency check report


Project 1:

When scanning a directory <PROJECT_1> which includes a package.json with the entry "log4js": "^2.3.12", the scan finds the vulnerability of timespan and reports this:

timespan:2.3.0
File Path: /home/jenkins-master/workspace/build-pipeline-ocscli.scan/package.json?timespan
Referenced In Project/Scope: null: transitive
Evidence
Identifiers
npm: timespan:2.3.0 Confidence: Highest

Everything OK (log4js uses timespan)

Project 2:

When scanning a directory <PROJECT_2> which includes a package.json without the entry "log4js", but with a directory node_modules/timespan, the scan doesn't find the vulnerability of timespan. That's strange to me. In the scan log, I see that the node module timespan is found by the scan:

2018-07-19 15:57:49,238 org.owasp.dependencycheck.App:356 DEBUG - Found file /home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/.npmignore
2018-07-19 15:57:49,238 org.owasp.dependencycheck.App:356 DEBUG - Found file /home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/CHANGELOG.md
2018-07-19 15:57:49,238 org.owasp.dependencycheck.App:356 DEBUG - Found file /home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/LICENSE
2018-07-19 15:57:49,238 org.owasp.dependencycheck.App:356 DEBUG - Found file /home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/README.md
2018-07-19 15:57:49,238 org.owasp.dependencycheck.App:356 DEBUG - Found file /home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/browser/TimeSpan-1.2.js
2018-07-19 15:57:49,238 org.owasp.dependencycheck.App:356 DEBUG - Found file /home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/browser/TimeSpan-1.2.min.js
2018-07-19 15:57:49,238 org.owasp.dependencycheck.App:356 DEBUG - Found file /home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/docs/docco.css
2018-07-19 15:57:49,238 org.owasp.dependencycheck.App:356 DEBUG - Found file /home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/docs/time-span.html
2018-07-19 15:57:49,239 org.owasp.dependencycheck.App:356 DEBUG - Found file /home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/lib/time-span.js
2018-07-19 15:57:49,239 org.owasp.dependencycheck.App:356 DEBUG - Found file /home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/package.json
2018-07-19 15:57:49,239 org.owasp.dependencycheck.App:356 DEBUG - Found file /home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/test/date-parser-test.js
2018-07-19 15:57:49,239 org.owasp.dependencycheck.App:356 DEBUG - Found file /home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/test/helpers.js
2018-07-19 15:57:49,239 org.owasp.dependencycheck.App:356 DEBUG - Found file /home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/test/time-span-test.js

then there is an entry "Skipping analysis":

2018-07-19 15:57:49,952 org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer:97 DEBUG - Skipping analysis of node module: /home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/package.json

and more log entries regarding timespan:

2018-07-19 15:57:51,696 org.owasp.dependencycheck.AnalysisTask:86 DEBUG - Begin Analysis of '/home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/package.json' (File Name Analyzer)
. . .
2018-07-19 15:57:54,301 org.owasp.dependencycheck.AnalysisTask:86 DEBUG - Begin Analysis of '/home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/package.json' (Dependency Merging Analyzer)
. . .
2018-07-19 15:57:54,333 org.owasp.dependencycheck.AnalysisTask:86 DEBUG - Begin Analysis of '/home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/package.json' (Dependency Merging Analyzer)
. . .
2018-07-19 15:57:54,378 org.owasp.dependencycheck.AnalysisTask:86 DEBUG - Begin Analysis of '/home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/package.json' (Version Filter Analyzer)
. . .
2018-07-19 15:57:54,408 org.owasp.dependencycheck.AnalysisTask:86 DEBUG - Begin Analysis of '/home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/package.json' (Version Filter Analyzer)
. . .
2018-07-19 15:57:54,631 org.owasp.dependencycheck.AnalysisTask:86 DEBUG - Begin Analysis of '/home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/package.json' (Hint Analyzer)
. . .
2018-07-19 15:57:54,667 org.owasp.dependencycheck.AnalysisTask:86 DEBUG - Begin Analysis of '/home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/package.json' (Hint Analyzer)
. . .
2018-07-19 15:57:57,050 org.owasp.dependencycheck.AnalysisTask:86 DEBUG - Begin Analysis of '/home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/package.json' (CPE Analyzer)
. . .
2018-07-19 15:57:57,096 org.owasp.dependencycheck.AnalysisTask:86 DEBUG - Begin Analysis of '/home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/package.json' (CPE Analyzer)
. . .
2018-07-19 15:57:57,152 org.owasp.dependencycheck.AnalysisTask:86 DEBUG - Begin Analysis of '/home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/package.json' (False Positive Analyzer)
. . .
2018-07-19 15:57:57,173 org.owasp.dependencycheck.AnalysisTask:86 DEBUG - Begin Analysis of '/home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/package.json' (False Positive Analyzer)
. . .
2018-07-19 15:57:57,209 org.owasp.dependencycheck.AnalysisTask:86 DEBUG - Begin Analysis of '/home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/package.json' (NVD CVE Analyzer)
. . .
2018-07-19 15:57:57,231 org.owasp.dependencycheck.AnalysisTask:86 DEBUG - Begin Analysis of '/home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/package.json' (NVD CVE Analyzer)
. . .

and another entry "Skipping analysis":

2018-07-19 15:57:57,342 org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer:97 DEBUG - Skipping analysis of node module: /home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/package.json
. . .
2018-07-19 15:57:57,342 org.owasp.dependencycheck.AnalysisTask:86 DEBUG - Begin Analysis of '/home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/package.json' (Node Security Platform Analyzer)
. . .

and a third entry "Skipping analysis":

2018-07-19 15:57:57,342 org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer:97 DEBUG - Skipping analysis of node module: /home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/package.json
. . .

more "Skipping analysis":

2018-07-19 15:57:57,420 org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer:97 DEBUG - Skipping analysis of node module: /home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/package.json
. . .
2018-07-19 15:57:57,420 org.owasp.dependencycheck.AnalysisTask:86 DEBUG - Begin Analysis of '/home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/package.json' (Node Security Platform Analyzer)
. . .

"Skipping analysis" again:

2018-07-19 15:57:57,420 org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer:97 DEBUG - Skipping analysis of node module: /home/jenkins-master/workspace/build-pipeline-ocscli.scan/node_modules/timespan/package.json
. . .

And as said, in the dependency check report there is no vulnerability for timespan.

This also happens to other vulnerable node modules, like hoek, tunnel-agent, … They are not reported.
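The pattern the reporter describes, a package that the file walk discovers but that every NPM analyzer then skips, is visible only in the DEBUG log, not in the report. The script below is an added example (not code from the issue or from the dependency-check project) that parses such a log and lists the packages in that state. The line shapes follow the log excerpts quoted above; SAMPLE_LOG, the /srv/ws path and the package @scope/util are constructed for this example, and the analyzer names in it are just labels copied from or modelled on the quoted lines.

```python
"""Coverage check over a dependency-check DEBUG log (added example).

Lists npm packages whose package.json was found by the file scan but then
skipped by the NPM analyzers, so the report cannot contain them even though
other analyzers still log "Begin Analysis" for the same file.
"""
import re
from collections import defaultdict

# Line shapes taken from the log excerpts in the issue. The "Begin Analysis"
# pattern accepts straight or curly single quotes, since copy/paste often
# swaps one for the other.
FOUND_RE = re.compile(r"DEBUG - Found file (?P<path>\S+)\s*$")
SKIP_RE = re.compile(
    r"AbstractNpmAnalyzer:\d+ DEBUG - Skipping analysis of node module: (?P<path>\S+)"
)
BEGIN_RE = re.compile(
    r"DEBUG - Begin Analysis of ['\u2018](?P<path>[^'\u2019]+)['\u2019] \((?P<analyzer>[^)]+)\)"
)

# Constructed sample log: timespan and hoek are discovered and then skipped,
# while the made-up package @scope/util is analysed normally.
SAMPLE_LOG = """\
2018-07-19 15:57:49,238 org.owasp.dependencycheck.App:356 DEBUG - Found file /srv/ws/node_modules/timespan/package.json
2018-07-19 15:57:49,239 org.owasp.dependencycheck.App:356 DEBUG - Found file /srv/ws/node_modules/timespan/lib/time-span.js
2018-07-19 15:57:49,240 org.owasp.dependencycheck.App:356 DEBUG - Found file /srv/ws/node_modules/hoek/package.json
2018-07-19 15:57:49,241 org.owasp.dependencycheck.App:356 DEBUG - Found file /srv/ws/node_modules/@scope/util/package.json
2018-07-19 15:57:49,952 org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer:97 DEBUG - Skipping analysis of node module: /srv/ws/node_modules/timespan/package.json
2018-07-19 15:57:49,953 org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer:97 DEBUG - Skipping analysis of node module: /srv/ws/node_modules/hoek/package.json
2018-07-19 15:57:51,696 org.owasp.dependencycheck.AnalysisTask:86 DEBUG - Begin Analysis of '/srv/ws/node_modules/timespan/package.json' (File Name Analyzer)
2018-07-19 15:57:57,209 org.owasp.dependencycheck.AnalysisTask:86 DEBUG - Begin Analysis of '/srv/ws/node_modules/timespan/package.json' (NVD CVE Analyzer)
2018-07-19 15:57:57,300 org.owasp.dependencycheck.AnalysisTask:86 DEBUG - Begin Analysis of '/srv/ws/node_modules/@scope/util/package.json' (Node.js Package Analyzer)
"""


def module_name(path):
    """Package name for a node_modules/<name>/package.json path. Scoped
    (@scope/name) and nested node_modules are handled; any other file
    returns None."""
    if not path.endswith("/package.json") or "/node_modules/" not in path:
        return None
    _, _, tail = path.rpartition("/node_modules/")
    return tail[: -len("/package.json")]


def summarize(log_text):
    """Per package: found by the file walk, skipped by an NPM analyzer, and
    the set of analyzers that logged "Begin Analysis" for its package.json."""
    found, skipped, analyzed = set(), set(), defaultdict(set)
    for line in log_text.splitlines():
        if (m := FOUND_RE.search(line)) and (name := module_name(m["path"])):
            found.add(name)
        elif (m := SKIP_RE.search(line)) and (name := module_name(m["path"])):
            skipped.add(name)
        elif (m := BEGIN_RE.search(line)) and (name := module_name(m["path"])):
            analyzed[name].add(m["analyzer"])
    return {"found": found, "skipped": skipped, "analyzed": dict(analyzed)}


def unscanned_modules(log_text):
    """Packages discovered on disk but skipped by the NPM analyzers. Later
    analyzers may still log the file (the issue shows CPE and NVD CVE doing
    so), so this gap is not visible from those lines alone."""
    s = summarize(log_text)
    return sorted(s["found"] & s["skipped"])


def report(log_text):
    """One human-readable line per discovered package."""
    s = summarize(log_text)
    lines = []
    for name in sorted(s["found"]):
        status = "SKIPPED by npm analyzer" if name in s["skipped"] else "analysed"
        ran = ", ".join(sorted(s["analyzed"].get(name, ()))) or "-"
        lines.append(f"{name:20} {status:24} analyzers: {ran}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
    print("not covered:", unscanned_modules(SAMPLE_LOG))
```

Run it against a real `--log` file by reading the file into `unscanned_modules`; any package it lists is one the report could not have flagged regardless of what the NVD data says, which is the difference between "no known CVE" and "never checked".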

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

1 reaction
githubhs17 commented, Jul 23, 2018

@kilodalton For npm audit you need npm@6. We have npm 5.6 on our prod system. @jeremylong timespan is actually used. We have our own node module log4js-client (not an official node module), which uses the official node module log4js. And the official node module log4js is using timespan.

The npm tree of our service:

08:57:36 + npm ls
08:57:42 prod-delivery-render@0.0.6-hstest-SNAPSHOT.6 /jenkins-ws/prod-deli....UEFA/service
08:57:42 ├── @types/bluebird@3.5.20
...
08:57:42 ├─┬ log4js-client@4.1.4                        <-- our own node module
08:57:42 │ ├── bluebird@3.5.1 deduped
08:57:42 │ ├── dx-request-context@3.0.8 deduped
08:57:42 │ ├─┬ log4js@2.10.0
08:57:42 │ │ ├─┬ amqplib@0.5.2
...
08:57:42 │ │ ├─┬ loggly@1.1.1
08:57:42 │ │ │ ├── json-stringify-safe@5.0.1 deduped
08:57:42 │ │ │ ├─┬ request@2.75.0
...
08:57:42 │ │ │ └── timespan@2.3.0
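When `npm audit` is unavailable (the comment notes it needs npm@6) and you still want to explain why a flagged package is installed, the chain can be rebuilt from the installed package.json manifests themselves. The following is an added example, not code from the thread or from npm: it reads every manifest under node_modules, builds a reverse dependency map and prints each root-to-target chain, which is the information `npm ls <package>` shows. It assumes a hoisted layout with a single installed copy per package name, which is the shape of the tree in the comment; the fixture it writes (package names and versions, the root name "service") is constructed to mirror that tree.

```python
"""Rebuild dependency chains from installed package.json files (added example)."""
import json
import os
import tempfile
from collections import defaultdict
from pathlib import Path


def is_package_dir(d):
    """True for node_modules/<name> and node_modules/@scope/<name>, so that
    package.json files in fixtures deeper inside a package are ignored."""
    return d.parent.name == "node_modules" or (
        d.parent.name.startswith("@") and d.parent.parent.name == "node_modules"
    )


def build_graph(project_root):
    """Return (root package name, dependents), where dependents[x] is the set
    of installed packages whose manifest lists x under "dependencies".
    Assumes one installed copy per name (hoisted tree)."""
    root = json.loads((project_root / "package.json").read_text())
    deps_of = {root["name"]: set(root.get("dependencies", {}))}
    for dirpath, _, filenames in os.walk(project_root / "node_modules"):
        d = Path(dirpath)
        if "package.json" not in filenames or not is_package_dir(d):
            continue
        manifest = json.loads((d / "package.json").read_text())
        deps_of.setdefault(manifest["name"], set()).update(manifest.get("dependencies", {}))
    dependents = defaultdict(set)
    for pkg, deps in deps_of.items():
        for dep in deps:
            dependents[dep].add(pkg)
    return root["name"], dependents


def chains_to(target, root_name, dependents):
    """Every chain root -> ... -> target; a package is never revisited within
    one chain, so dependency cycles cannot loop forever."""
    chains = []

    def climb(node, chain):
        if node == root_name:
            chains.append(list(reversed(chain)))
            return
        for parent in sorted(dependents.get(node, ())):
            if parent not in chain:
                climb(parent, chain + [parent])

    climb(target, [target])
    return chains


def why_installed(project_root, target):
    root_name, dependents = build_graph(Path(project_root))
    return chains_to(target, root_name, dependents)


# Constructed fixture mirroring the hoisted tree behind the `npm ls` excerpt:
# service -> log4js-client -> log4js -> loggly -> timespan, plus bluebird
# reached both directly and through log4js-client.
FIXTURE = {
    ".": {"name": "service", "version": "0.0.6", "dependencies": {"log4js-client": "4.1.4", "bluebird": "3.5.1"}},
    "node_modules/log4js-client": {"name": "log4js-client", "version": "4.1.4", "dependencies": {"log4js": "2.10.0", "bluebird": "3.5.1"}},
    "node_modules/log4js": {"name": "log4js", "version": "2.10.0", "dependencies": {"loggly": "1.1.1"}},
    "node_modules/loggly": {"name": "loggly", "version": "1.1.1", "dependencies": {"timespan": "2.3.0"}},
    "node_modules/timespan": {"name": "timespan", "version": "2.3.0"},
    "node_modules/bluebird": {"name": "bluebird", "version": "3.5.1"},
}


def build_fixture(base):
    for rel, manifest in FIXTURE.items():
        d = Path(base) / rel
        d.mkdir(parents=True, exist_ok=True)
        (d / "package.json").write_text(json.dumps(manifest))
    return Path(base)


def demo(target):
    """Write the fixture to a temporary directory and resolve target."""
    with tempfile.TemporaryDirectory() as tmp:
        return why_installed(build_fixture(tmp), target)


if __name__ == "__main__":
    for chain in demo("timespan"):
        print(" -> ".join(chain))
```

On a real checkout call `why_installed("/path/to/project", "timespan")`; an empty result means the package is present on disk but no installed manifest declares it, which is itself worth a look (a leftover from a previous install, or a copy that a lockfile no longer references).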
0 reactions
jeremylong commented, Dec 5, 2019

This issue is believed to be resolved with 5.2.3. Please open a new issue if the problem persists.
