Disabling nodeJS check doesn't seem to work


Jim Sellers

Aug 2, 2017, 4:43:33 PM
to Dependency Check
Hi all.

I'm having an issue with using version 2.1.0 and was wondering if anyone else is having it.

The maven command run by the CI server is this:
mvn --batch-mode clean org.jacoco:jacoco-maven-plugin:prepare-agent install -Dmaven.test.failure.ignore=true org.owasp:dependency-check-maven:2.1.0:check org.owasp:dependency-check-maven:2.1.0:aggregate -Dformat=ALL -DskipProvidedScope=true -DautoUpdate=false -Dmaven.javadoc.failOnError=false -DnuspecAnalyzerEnabled=false -DassemblyAnalyzerEnabled=false -DnodeAnalyzerEnabled=false

The project has the following dependency:
<dependency>
    <groupId>org.webjars.npm</groupId>
    <artifactId>validate.js</artifactId>
    <version>0.8.0</version>
</dependency>

And we get an error message like this:
build    26-Jul-2017 14:21:41    [WARNING] An error occurred while analyzing '/my/path/dctemp17e6806d-bb17-43e6-a465-37edb79f22fb/check6310213715320141921tmp/37/META-INF/resources/webjars/validate.js/0.8.0/package.json' (Node Security Platform Analyzer).
build    26-Jul-2017 14:21:41    [INFO] Finished Node Security Platform Analyzer (10 seconds)

With the -X switch it looked like it was trying to contact something, but didn't get through the proxy (which isn't configured for it to use):
2017-07-26 09:36:47,898 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:70
DEBUG - Velocimacro : added VM writeSev: source=templates/csvReport.vsl
2017-07-26 09:36:47,905 org.owasp.dependencycheck.App:184
ERROR - connect timed out
2017-07-26 09:36:47,906 org.owasp.dependencycheck.App:68
DEBUG - Exit code: -14


It looks to me like it's still trying to run the nodeJS check.

Any help would be great.

Steve Springett

Aug 3, 2017, 1:47:00 AM
to Dependency Check
Jim,

The nodejs analyzer is different than the nsp analyzer. Both analyze package.json, but the nodejs analyzer uses the NVD as the source of vulnerability data whereas the nsp analyzer uses the Node Security Platform API.


— Steve
--
You received this message because you are subscribed to the Google Groups "Dependency Check" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dependency-che...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jeremy Long

Aug 5, 2017, 7:34:41 AM
to Jim Sellers, Dependency Check
Jim,

As Steve indicated, you should add `-DnspAnalyzerEnabled=false` to your command line.

--Jeremy

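For readers who would rather pin this in the build than on the CI command line, the same fix expressed as dependency-check-maven plugin configuration, added here as an example (it is not from the thread or from the project's own documentation). The starting point is the command line in the first message, which disables only the NVD-backed Node.js analyzer; the corrected configuration below also disables the NSP analyzer, so nothing in the build tries to reach the Node Security Platform API for the webjar's package.json. The XML element names are assumed to mirror the -D property names used in the thread (nodeAnalyzerEnabled, nspAnalyzerEnabled, and so on), which is how Maven plugin parameters normally map.

```xml
<!-- Added example, not from the thread. Equivalent of the CI command line
     in the first message, with the one setting that was missing. -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>2.1.0</version>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
        <goal>aggregate</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <format>ALL</format>
    <skipProvidedScope>true</skipProvidedScope>
    <autoUpdate>false</autoUpdate>
    <nuspecAnalyzerEnabled>false</nuspecAnalyzerEnabled>
    <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
    <!-- Already present on the original command line: turns off the
         analyzer that matches package.json against the NVD. -->
    <nodeAnalyzerEnabled>false</nodeAnalyzerEnabled>
    <!-- The missing setting: turns off the analyzer that sends package.json
         to the Node Security Platform API, which is what timed out behind
         the proxy. Element name assumed to match the -DnspAnalyzerEnabled
         property. -->
    <nspAnalyzerEnabled>false</nspAnalyzerEnabled>
  </configuration>
</plugin>
```

Note the trade-off: with both analyzers off, the package.json inside org.webjars.npm artifacts is not examined at all, so the scan reports nothing about the bundled JavaScript. A quick check that the setting took effect is the INFO log, which names each analyzer as it finishes; after this change the "Finished Node Security Platform Analyzer" line from the original report should no longer appear.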

Jim Sellers

Aug 5, 2017, 8:06:22 AM
to Dependency Check
Yes, that was exactly what I was doing wrong. Thanks to you both for your help!

Jim
