Support yarn berry in Analyzer #4894

Open
Purii opened this issue Sep 30, 2022 · 8 comments

Comments


Purii commented Sep 30, 2022

Is your feature request related to a problem? Please describe.
Using yarn berry with workspaces doesn't work right now. Would be great to also support this updated version of yarn.

Tried with the latest CLI version: ./dependency-check.sh --out . --scan ...
Repository to reproduce: https://github.com/Purii/yarn-monorepo-example
Result:

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[WARN] No lock file exists - this will result in false negatives; please run `npm install --package-lock`
[WARN] Analyzing `/Users/../yarn-monorepo-example/packages/package-b/package.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check
[WARN] No lock file exists - this will result in false negatives; please run `npm install --package-lock`
[WARN] Analyzing `/Users/../yarn-monorepo-example/packages/package-a/package.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check
[INFO] Finished Node.js Package Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (0 seconds)
[INFO] Finished CPE Analyzer (0 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARN] An unexpected error occurred during analysis of '/Users/../yarn-monorepo-example/yarn.lock' (Yarn Audit Analyzer): No value present
[ERROR] 
java.util.NoSuchElementException: No value present
	at java.base/java.util.Optional.get(Optional.java:143)
	at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson(YarnAuditAnalyzer.java:241)
	at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzePackage(YarnAuditAnalyzer.java:281)
	at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzeDependency(YarnAuditAnalyzer.java:106)
	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:833)
[INFO] Finished Yarn Audit Analyzer (0 seconds)
[INFO] Finished RetireJS Analyzer (4 seconds)
[WARN] Unable to determine Package-URL identifiers for 5286 dependencies
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (1 seconds)
[INFO] Analysis Complete (8 seconds)
[INFO] Writing report to: /Users/../dependency-check/bin/./dependency-check-report.html
[ERROR] No value present

Describe the solution you'd like
There's already a comment in another thread: #4215 (comment)
These commands are not valid for the latest versions of yarn anymore:

Since yarn berry is very different from yarn classic, I suggest treating it as a separate dependency manager instead of extending the existing yarn implementation.


sladg commented Dec 12, 2022

Same issue here, running [email protected]. Dependency check gives me an error when I try to analyze the lock file.
Running yarn npm audit --json --recursive works fine, but it does not take workspace dependencies into consideration; it shows results just for the root package.json.
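As an added illustration of the two lock-file generations discussed in this thread (not code from ODC or from anyone in the thread), the Python below tells a Yarn Classic yarn.lock from a Yarn Berry one by its header, maps that to the audit command named above, and reads the registry packages out of a Berry lock file while separating the workspace packages a monorepo adds. The lock-file text is a constructed sample and all function names are my own.

```python
import re
# Constructed sample of a Yarn Berry (yarn 2+) lockfile for a workspace project,
# modelled on the format yarn writes: a __metadata block, then one block per
# resolved descriptor. Workspace packages use the "workspace:" protocol.
BERRY_LOCK = """\
__metadata:
  version: 6

"@babel/code-frame@npm:^7.0.0, @babel/code-frame@npm:^7.18.6":
  version: 7.18.6
  resolution: "@babel/code-frame@npm:7.18.6"

"package-a@workspace:packages/package-a":
  version: 0.0.0-use.local
  resolution: "package-a@workspace:packages/package-a"
"""

# Audit invocation per lockfile generation (both commands appear in this thread).
AUDIT_COMMAND = {"classic": ["yarn", "audit", "--json"],
                 "berry": ["yarn", "npm", "audit", "--json", "--recursive"]}

def lockfile_flavor(text: str) -> str:
    """Classic (yarn 1) files carry a '# yarn lockfile v1' header; Berry files
    open with a '__metadata:' block instead. Anything else is rejected."""
    if "# yarn lockfile v1" in text:
        return "classic"
    if re.search(r"^__metadata:", text, re.M):
        return "berry"
    raise ValueError("unrecognised yarn.lock format")

_VERSION = re.compile(r'^\s+version:\s*"?(?P<v>[^"\s]+)')
_RESOLUTION = re.compile(r'^\s+resolution:\s*"?(?P<name>@?[^@"]+)@(?P<proto>[a-z]+):')

def parse_berry_lock(text: str) -> list[tuple[str, str, str]]:
    """Return (name, version, protocol) per block; name and protocol are read from
    the resolution line because a descriptor key may list several ranges."""
    entries, version = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():  # new top-level key: reset state
            version = None
        elif m := _VERSION.match(line):
            version = m.group("v")
        elif (m := _RESOLUTION.match(line)) and version is not None:
            entries.append((m.group("name"), version, m.group("proto")))
    return entries

def registry_purls(entries) -> list[str]:
    """Package-URLs for registry packages only; '@' of a scoped name is percent-encoded."""
    return [f"pkg:npm/{n.replace('@', '%40', 1)}@{v}" for n, v, p in entries if p == "npm"]
```

Workspace entries (version 0.0.0-use.local) are the project's own code, so they are listed but get no Package-URL, which is the distinction an analyzer would need before asking the registry about them.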


JustMehmet commented Feb 6, 2023

There is a task similar to this, #4215, but there is no solution implemented yet.

It looks like, to resolve this, we need to wait for a solution in the gradle plugin org.owasp.dependencycheck, and until we have a solution we need to add the following setting to our build.gradle configuration:

dependencyCheck {
    analyzers.nodeAudit.yarnEnabled = false
}

WARNING: This will disable the yarn dependency check, and if you are using yarn for something other than tests (functional tests, etc.), your code may have vulnerabilities.

There are some other dependency check plugins but they are not as good as this one.


JayPe69 commented Oct 20, 2023

Hello,

Any news on this?
Is there any workaround to make it work?
Like launching the audit beforehand, and telling ODC to just check the result instead of trying to launch the audit by itself?


segti8m commented Jan 13, 2025

Hi,

Yarn Berry seems to not yet be supported in 2025.
@jeremylong are there any plans to support it in the near future?

@jeremylong
Owner

It isn't high on our list of priorities because the results won't be different than just running yarn audit.


segti8m commented Jan 15, 2025

Thanks for the response. Did I understand correctly that you are suggesting to not use DependencyCheck if we use an updated version of yarn?

Yarn v1 Classic states that it has been in maintenance mode since January 2020 and suggests that users migrate to Yarn berry.
The yarn audit command only works with Yarn Classic. While Yarn Berry has a similar command (yarn npm audit), it has a substantially different output and is not compatible with DependencyCheck.

@chadlwilson
Contributor

I think what he's suggesting is that ODC doesn't add much value with either yarn v1 or yarn v2+ because all it does is aggregate the issues reported via yarn into its own report, and allow for some sort of suppression tracking - but it doesn't discover anything new itself.

It can be useful to some folks to consolidate via ODC's reporting when working in a multi-language project or to aggregate with retirejs, but that is not as valuable as other ODC capabilities which need love/energy (unless someone puts a whole lot of energy into a PR). Given this has been the state for nearly 3 years now, I suspect it's not of huge value to anyone?

I briefly looked at what was going to be required to implement this, but after seeing the delta between how ODC works with yarn v1 and what would be needed for later yarns to work with yarn npm audit --json figured it wasn't really worth the effort for my use case either :-/


segovia commented Jan 15, 2025

I have created a separate Analyzer for Yarn Berry and it seems to work fine. This is a first draft and I would be happy to implement tests and make any other modifications if there is interest to merge this to main.

The PR: #7319
