
The vulnerability scan of package-lock.json fails due to a parsing issue #4060

Closed
eyalatox opened this issue Apr 13, 2023 · 2 comments
Labels
scan/vulnerability Issues relating to vulnerability scanning triage/support Indicates an issue that is a support question.

Comments

@eyalatox

Description

The vulnerability scan of package-lock.json fails due to a parsing issue

What did you expect to happen?

The vulnerability scan to work on a valid package-lock.json :)

What happened instead?

It failed :(

Output of run with -debug:

trivy fs --debug --format json --scanners vuln -o vul.json .
2023-04-13T19:17:52.261+0300    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-04-13T19:17:52.301+0300    DEBUG   cache dir:  /Users/eyal/Library/Caches/trivy
2023-04-13T19:17:52.302+0300    DEBUG   DB update was skipped because the local DB is the latest
2023-04-13T19:17:52.302+0300    DEBUG   DB Schema: 2, UpdatedAt: 2023-04-13 12:07:57.729501517 +0000 UTC, NextUpdate: 2023-04-13 18:07:57.729501217 +0000 UTC, DownloadedAt: 2023-04-13 14:23:21.49741 +0000 UTC
2023-04-13T19:17:52.302+0300    INFO    Vulnerability scanning is enabled
2023-04-13T19:17:52.302+0300    DEBUG   Vulnerability type:  [os library]
2023-04-13T19:17:52.303+0300    DEBUG   Walk the file tree rooted at '.' in parallel
2023-04-13T19:17:52.304+0300    INFO    To collect the license information of packages in "package-lock.json", "npm install" needs to be performed beforehand
2023-04-13T19:17:52.327+0300    FATAL   filesystem scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:431
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:266
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:679
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        github.com/aquasecurity/trivy/pkg/scanner/scan.go:146
  - post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect
        github.com/aquasecurity/trivy/pkg/fanal/artifact/local/fs.go:164
  - post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze
        github.com/aquasecurity/trivy/pkg/fanal/analyzer/analyzer.go:487
  - package-lock.json/package.json walk error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/npm.npmLibraryAnalyzer.PostAnalyze
        github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/npm/npm.go:78
  - parse error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/npm.npmLibraryAnalyzer.PostAnalyze.func2
        github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/npm/npm.go:62
  - failed to parse package-lock.json:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer/language.Parse
        github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/analyze.go:50
  - decode error:
    github.com/aquasecurity/go-dep-parser/pkg/nodejs/npm.(*Parser).Parse
        github.com/aquasecurity/go-dep-parser@v0.0.0-20230324043952-2172dc218241/pkg/nodejs/npm/parse.go:61
  - cannot decode boolean value to string target

Output of trivy -v:

Version: 0.39.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-04-13 12:07:57.729501517 +0000 UTC
  NextUpdate: 2023-04-13 18:07:57.729501217 +0000 UTC
  DownloadedAt: 2023-04-13 14:23:21.49741 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-03-23 00:58:35.489368696 +0000 UTC
  NextUpdate: 2023-03-26 00:58:35.489368296 +0000 UTC
  DownloadedAt: 2023-03-23 13:22:10.311692 +0000 UTC
Policy Bundle:
  Digest: sha256:3c0b6f0906d568e3285707f6a7dcad25ce755c7e5d790765bf143a5dd24ee42b
  DownloadedAt: 2023-02-26 13:07:46.85312 +0000 UTC

Additional details (base image name, container registry info...):

You can recreate the issue on the following open-source repo: https://github.com/OWASP/NodeGoat/tree/v1.4
Notice the tag v1.4, since it's not happening on the default branch.

@eyalatox eyalatox added the kind/bug Categorizes issue or PR as related to a bug. label Apr 13, 2023
@DmitriyLewen DmitriyLewen added triage/support Indicates an issue that is a support question. scan/vulnerability Issues relating to vulnerability scanning and removed kind/bug Categorizes issue or PR as related to a bug. labels Apr 14, 2023
@DmitriyLewen
Contributor

Hello @eyalatox
Thanks for your report!

I checked this package-lock.json file and found "resolved": false, lines.
It is a bug of npm. But the npm team is focused on the new npm version. - npm/cli#1138 (comment).

I changed the lockfile version to v2 and that fixed the problem.
You can also use this script.

I am closing this issue, because it is not a problem in Trivy. Feel free to reopen this issue if you still have problems.

Regards, Dmitriy
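The trace above ends in "cannot decode boolean value to string target": the lockfile-v1 parser types `resolved` as a string, and npm wrote the literal `false` into some entries. The Go program below is an added example, not Trivy's or go-dep-parser's code, and its `Lockfile`/`Dependency` structs and the `SampleLock` document are constructed for illustration. It reproduces the decode failure with a string-typed model and then shows a lenient `Resolved` type that accepts a string, `false` or `null`, still rejects anything else, and reports which packages have no recorded origin so a scanner can flag them instead of aborting.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// SampleLock is a constructed lockfile-v1 fragment in the shape the issue
// describes: one dependency carries `"resolved": false` instead of a URL.
const SampleLock = `{
  "name": "constructed-app",
  "version": "1.0.0",
  "lockfileVersion": 1,
  "dependencies": {
    "alpha": {
      "version": "1.2.3",
      "resolved": "https://registry.example.invalid/alpha/-/alpha-1.2.3.tgz",
      "integrity": "sha512-constructed"
    },
    "beta": {
      "version": "4.5.6",
      "resolved": false,
      "integrity": "sha512-constructed"
    },
    "gamma": {
      "version": "0.0.1",
      "resolved": "https://registry.example.invalid/gamma/-/gamma-0.0.1.tgz"
    }
  }
}`

// Resolved models the `resolved` field leniently: a URL when npm recorded
// one, or Known == false when npm wrote `false` (or null).
type Resolved struct {
	URL   string
	Known bool
}

// UnmarshalJSON accepts a JSON string, the literal false, or null. Anything
// else (including true) is rejected so corrupted lockfiles still error out.
func (r *Resolved) UnmarshalJSON(b []byte) error {
	switch string(b) {
	case "null", "false":
		*r = Resolved{}
		return nil
	}
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return fmt.Errorf("resolved: expected string, false or null, got %s", b)
	}
	*r = Resolved{URL: s, Known: true}
	return nil
}

// Dependency and Lockfile are a minimal hypothetical model of lockfile v1
// written for this example; they are not Trivy's or go-dep-parser's types.
type Dependency struct {
	Version   string   `json:"version"`
	Resolved  Resolved `json:"resolved"`
	Integrity string   `json:"integrity"`
}

type Lockfile struct {
	Name            string                `json:"name"`
	LockfileVersion int                   `json:"lockfileVersion"`
	Dependencies    map[string]Dependency `json:"dependencies"`
}

// ParseLockfile decodes with the lenient Resolved type.
func ParseLockfile(data []byte) (*Lockfile, error) {
	var lf Lockfile
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, err
	}
	return &lf, nil
}

// UnresolvedPackages returns, sorted, the names whose origin npm did not
// record; they can still be matched by name@version, but their source
// cannot be verified from the lockfile alone.
func UnresolvedPackages(lf *Lockfile) []string {
	var names []string
	for name, dep := range lf.Dependencies {
		if !dep.Resolved.Known {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

// StrictParseError reproduces the failing shape: `resolved` typed as a plain
// string, which encoding/json cannot fill from a JSON boolean. It returns
// the decode error (nil if the input parses cleanly).
func StrictParseError(data []byte) error {
	var lf struct {
		Dependencies map[string]struct {
			Version  string `json:"version"`
			Resolved string `json:"resolved"`
		} `json:"dependencies"`
	}
	return json.Unmarshal(data, &lf)
}

func main() {
	fmt.Println("strict model:", StrictParseError([]byte(SampleLock)))
	lf, err := ParseLockfile([]byte(SampleLock))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d dependencies, unresolved: %v\n", len(lf.Dependencies), UnresolvedPackages(lf))
}
```

Running it prints the `cannot unmarshal bool` error from the strict model first, then `3 dependencies, unresolved: [beta]` from the lenient one. Regenerating the lockfile as v2, as suggested above, removes the `false` values at the source; the lenient decoder is the defensive option when a scanner has to consume lockfiles it did not produce.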

@eyalatox
Author

@DmitriyLewen thank you for the WA

Eyal.
