NSP analysis failure : invalid payload


Gaël LE BELLEGO

Dec 11, 2017, 12:13:46 PM
to Dependency Check

Hi,


I encounter the same problem as the one stated in this thread, using the Maven plugin (the very basic way).
Caused by: org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during dependency-check analysis
    Could not perform NSP analysis. Invalid payload submitted to Node Security Platform.

Should I deactivate the NSP analysis, the build will run to success.
Otherwise, it will keep failing as soon as it starts working on the following package.json (though I don't know whether this content is the actual cause or the entry point of the real cause):

{
    "name": "esri",
    "version": "3.7",
    "directories": {
        "lib": "."
    },
    "main": "main",
    "description": "The ArcGIS API for JavaScript (JavaScript API) is a browser based API for developing high performance, easy to use mapping applications. The API allows you to easily embed maps in your Web pages. The JavaScript API is hosted by ESRI on ArcGIS Online and is available for free use, subject to the terms and conditions.",
    "keywords": [
        "Esri",
        "ArcGIS",
        "JavaScript"
    ],
    "homepage": "http://js.arcgis.com",
    "dojoBuild": "esri.profile.js"
}

FYI, the file is not located under node_modules

  • Java  : 1.8u151
  • Maven : 3.3.9
  • Plugin : 3.02

I am very unfamiliar with the related technology here; thus, this may be obvious to you (and not to me!).
Any idea here?



Regards,

Gaël

Steve Springett

Dec 11, 2017, 1:05:47 PM
to Dependency Check
Gaël,

The package json file supplied is invalid. In fact, using the native ‘nsp check’ command will result in the following message:

Response Error: 400 Bad Request Error: child "package" fails because [child "version" fails because ["version" with value "3.7" fails to match the required pattern: /\d+\.\d+\.\d+(-*)?/]]

This is saying that the value of ‘version’ does not conform to the semantic versioning requirements of package.json. Refer to https://docs.npmjs.com/files/package.json#version


Changing 3.7 to 3.7.0 in package.json should fix the issue.


— Steve
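
The version check described in this reply can be run locally before a manifest is submitted. The following is an added example, not part of the thread and not Dependency-Check or nsp code: it tests a manifest's "version" against the pattern quoted in the 400 response and against a stricter anchored form. `checkManifest`, `STRICT_VERSION` and the sample string are assumptions of this example.

```javascript
// Pattern copied from the 400 response quoted in the thread. It is unanchored,
// so it matches any string that merely contains "digits.digits.digits".
const QUOTED_PATTERN = /\d+\.\d+\.\d+(-*)?/;
// Assumption of this example: a simplified, anchored semver form
// (MAJOR.MINOR.PATCH with optional -prerelease and +build), stricter than the above.
const STRICT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Constructed sample: the manifest from the thread, trimmed to the relevant fields.
const SAMPLE = '{"name": "esri", "version": "3.7"}';

// Inspect one package.json (as text) and report how its version fares.
function checkManifest(text) {
  let pkg;
  try {
    pkg = JSON.parse(text);
  } catch (err) {
    return { matchesQuotedPattern: false, strict: false, reason: 'not valid JSON' };
  }
  const version = pkg.version;
  if (typeof version !== 'string') {
    return { matchesQuotedPattern: false, strict: false, reason: '"version" missing or not a string' };
  }
  const result = {
    version,
    matchesQuotedPattern: QUOTED_PATTERN.test(version),
    strict: STRICT_VERSION.test(version),
  };
  // "3" or "3.7" can be padded to three numeric parts, the fix suggested in the thread.
  const short = /^(\d+)(?:\.(\d+))?$/.exec(version);
  if (short) result.suggestion = `${short[1]}.${short[2] || '0'}.0`;
  return result;
}

// Read each file path and check it; dynamic import works in CommonJS and ES modules.
async function checkFiles(paths) {
  const { readFileSync } = await import('node:fs');
  return paths.map((p) => ({ file: p, ...checkManifest(readFileSync(p, 'utf8')) }));
}

// With file arguments, print one JSON line per manifest and fail if any is not strict.
if (process.argv.length > 2) {
  checkFiles(process.argv.slice(2)).then((rows) => {
    for (const row of rows) console.log(JSON.stringify(row));
    process.exitCode = rows.every((row) => row.strict) ? 0 : 1;
  });
} else {
  console.log(JSON.stringify(checkManifest(SAMPLE)));
}
```

Because the quoted pattern is unanchored, a value such as "3.7.0.1" matches it while failing the strict form, so the strict result is the safer gate in a build.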

Gaël LE BELLEGO

Dec 12, 2017, 4:45:38 AM
to Dependency Check
Steve,

Thanks for pointing out the problem.
And also, thanks for showing how to perform a stand-alone analysis with the nsp analyzer.

To make similar problems easier to check later, here's the full way to perform this nsp check:
  1. download source from https://github.com/nodesecurity/nsp
  2. ensure you have NodeJs 6+ installed. If you do not, install it from https://nodejs.org/en/download/current/
  3. follow install instructions (from the README.md): basically npm install -g nsp
  4. run npm check [path] with the path pointing to the directory (and not the file!) where your package.json stands.


regards!
