ODC + NPM/Yarn checks


Olli Rajala

Feb 4, 2021, 3:45:09 AM
to Dependency Check
Hello,
I'm trying to start using ODC in a Node.js project. This is my first time with ODC and npm/yarn, so I may have missed something important... I tried to find documentation that would help me move forward, but no luck.

There seem to be some issues with the yarn analyzer, although I've installed yarn with

c:\> npm install --global yarn

And it seems to work when called directly

C:\>yarn
yarn install v1.22.10
info No lockfile found.
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
Done in 0.05s.


But when running ODC, it won't find yarn. I'm running it on Windows just with

c:\>dependency-check\bin\> dependency-check.sh --scan c:\code

2021-02-03 13:17:30,513 org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer:160
DEBUG - The {} has been disabled. Yarn executable was not found.
java.io.IOException: Cannot run program "yarn": CreateProcess error=2, The system cannot find the file specified
at java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1128)
at java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1071)
at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.prepareFileTypeAnalyzer(YarnAuditAnalyzer.java:140)
at org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer.prepareAnalyzer(AbstractFileTypeAnalyzer.java:83)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.prepare(AbstractAnalyzer.java:102)
at org.owasp.dependencycheck.Engine.initializeAnalyzer(Engine.java:781)
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:617)
at org.owasp.dependencycheck.App.runScan(App.java:254)
at org.owasp.dependencycheck.App.run(App.java:186)
at org.owasp.dependencycheck.App.main(App.java:81)
Caused by: java.io.IOException: CreateProcess error=2, The system cannot find the file specified
at java.base/java.lang.ProcessImpl.create(Native Method)
at java.base/java.lang.ProcessImpl.<init>(ProcessImpl.java:478)
at java.base/java.lang.ProcessImpl.start(ProcessImpl.java:154)
at java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1107)
... 9 common frames omitted

Any ideas/comments? Or how to debug deeper?

Thanks! 

-Olli

Jeremy Long

Feb 4, 2021, 6:33:53 AM
to Olli Rajala, Dependency Check
Looks like the path is not being correctly passed to the JVM somehow...  You say you are on Windows but your command line above is using dependency-check.sh instead of dependency-check.bat?

--Jeremy


Olli Rajala

Feb 4, 2021, 6:57:25 AM
to Dependency Check
Hi,
My bad. I am of course using .bat, not .sh, because this is Windows. That's what happens when you don't copy-paste things directly because you don't want to reveal any internal details... :/

But yes, for some reason it seems that the path to the yarn binary is not passed correctly. But because I didn't find an argument to pass it manually to ODC, or a way to configure it somewhere else, I couldn't test further.

I've also tried rebooting the computer, but no luck. Running yarn directly from cmd.exe works, but running dependency-check.bat from the exact same cmd.exe does not find yarn.

Any ideas? 

-Olli 

Jeremy Long

Feb 4, 2021, 7:09:19 AM
to Olli Rajala, Dependency Check
I would double check the PATH variable:

echo %PATH%

If the path to yarn is definitely included (which I'm assuming it is), then you could set your JAVA_OPTS to explicitly include the path (https://stackoverflow.com/a/21094766/1995422):

set JAVA_OPTS="-DPATH=%PATH%"

I haven't tested that - but it should work.

Olli Rajala

Feb 4, 2021, 7:36:07 AM
to Dependency Check
Hi,
No luck. 

C:\>echo %PATH%
<redacted other paths>;C:\Users\User\AppData\Roaming\npm;<redacted other paths>;

C:\>C:\Users\User\AppData\Roaming\npm\yarn
yarn install v1.22.10
[1/4] Resolving packages...
success Already up-to-date.
Done in 0.08s.


And this is the command it finally runs.


set JAVA_OPTS="-DPATH=%PATH%"

java "-DPATH= <redacted other paths>;C:\Users\User\AppData\Roaming\npm;<redacted other paths>;  "  -classpath "C:\temp\dependency-check"\plugins\*;"C:\temp\dependency-check\lib"\* -Dapp.name="dependency-check" -Dapp.repo="C:\temp\dependency-check\lib" -Dapp.home="C:\temp\dependency-check" -Dbasedir="C:\temp\dependency-check" org.owasp.dependencycheck.App -s c:\code

<redacted>
[WARN] The Yarn Audit Analyzer has been disabled. Yarn executable was not found.
[ERROR] Exception occurred initializing Yarn Audit Analyzer.
<redacted>

And log file says the same as in my first post. 

-Olli 

Olli Rajala

Feb 4, 2021, 7:39:17 AM
to Dependency Check
Hi,
And if it matters, I'm using this as my Java

OpenJDK11U-jdk_x64_windows_hotspot_11.0.9.1_1

It's a Win2019 machine with the latest updates installed.

-Olli

Bernd Eckenfels

Feb 4, 2021, 8:01:33 AM
to Olli Rajala, Dependency Check
Hello,

Not sure what this discussion is about, but you cannot set the search path, which is interpreted by the kernel API, via a Java system property.

Regards,
Bernd
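An added example, not from this thread and not ODC's own code, to illustrate Bernd's point and the symptom in Olli's log. It assumes JDK 11 on Windows with yarn installed via `npm install --global yarn`, which places `yarn.cmd` (not `yarn.exe`) under `%APPDATA%\npm`, the directory seen in Olli's PATH. Three things it shows: a `-DPATH=...` system property is visible only to Java code and never reaches the OS; the child process inherits `ProcessBuilder.environment()` instead; and on Windows `CreateProcess` resolves a bare name only as `.exe`, so `yarn` fails with `error=2` while `yarn.cmd`, `cmd.exe /c yarn`, or an explicit path (what the later ODC change makes configurable) starts fine. The class name `YarnLookupDemo` and the helper `tryRun` are made up for this example.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not ODC code). Demonstrates why "-DPATH=..." cannot
 * influence how ProcessBuilder locates an executable, and how an
 * npm-installed tool such as yarn can be started from Java on Windows.
 */
public class YarnLookupDemo {

    /** Start a command and return its exit code, or -1 if it could not be started at all. */
    static int tryRun(List<String> cmd) {
        ProcessBuilder pb = new ProcessBuilder(cmd).redirectErrorStream(true);
        try {
            Process p = pb.start();
            try (BufferedReader r = new BufferedReader(
                    new InputStreamReader(p.getInputStream(), StandardCharsets.UTF_8))) {
                r.lines().forEach(line -> System.out.println("    " + line));
            }
            int rc = p.waitFor();
            System.out.println("  started OK, exit code " + rc);
            return rc;
        } catch (IOException e) {
            // This is the exception ODC logged: "CreateProcess error=2, The system cannot find the file specified"
            System.out.println("  could not start: " + e.getMessage());
            return -1;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return -1;
        }
    }

    public static void main(String[] args) {
        // 1. A system property lives inside the JVM only. The OS never sees it,
        //    so "-DPATH=..." cannot change where CreateProcess searches for "yarn".
        System.out.println("System property PATH: " + System.getProperty("PATH"));
        System.out.println("Environment PATH    : " + System.getenv("PATH"));

        // 2. What the child process actually inherits is ProcessBuilder.environment(),
        //    i.e. the real process environment; that is the only PATH that matters here.
        boolean windows = System.getProperty("os.name").toLowerCase().startsWith("windows");

        System.out.println("bare name 'yarn':");
        tryRun(Arrays.asList("yarn", "--version"));

        if (windows) {
            // npm installs yarn as yarn.cmd. cmd.exe finds it by trying each PATHEXT
            // suffix; CreateProcess tries only the bare name and ".exe", hence error=2.
            System.out.println("explicit 'yarn.cmd':");
            tryRun(Arrays.asList("yarn.cmd", "--version"));
            System.out.println("via cmd.exe:");
            tryRun(Arrays.asList("cmd.exe", "/c", "yarn", "--version"));
        }

        // 3. Or, as ODC's later change allows, take an explicit path from configuration
        //    (here: the first command-line argument, e.g. C:\Users\User\AppData\Roaming\npm\yarn.cmd).
        if (args.length > 0) {
            System.out.println("explicit path " + args[0] + ":");
            tryRun(Arrays.asList(args[0], "--version"));
        }
    }
}
```

Compile with `javac YarnLookupDemo.java` and run `java -DPATH=%PATH% YarnLookupDemo`, optionally passing the full path to `yarn.cmd` as the first argument. The `-DPATH` only changes the first printed line; the bare `yarn` attempt still fails on Windows, which is the behaviour behind the "Yarn executable was not found" warning, and is why a configurable path (rather than a PATH tweak) is the robust fix, especially on a build machine whose PATH cannot be edited.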


Olli Rajala

Feb 9, 2021, 12:58:01 AM
to Dependency Check
Hi,
It's about ODC trying to use the yarn command, without a way to pass the path to ODC. For some reason ODC does not find yarn even though it's on the PATH and works fine when called directly from cmd.exe. But ODC does not find it when started from the exact same cmd.exe.

And I'm out of ideas how to make it work.

-Olli

Jeremy Long

Feb 11, 2021, 6:12:45 AM
to Dependency Check
I've added the ability to configure the path to yarn. See https://github.com/jeremylong/DependencyCheck/pull/3134

This will be included in the next release.

--Jeremy

Olli Rajala

Feb 11, 2021, 6:16:13 AM
to Dependency Check
Great!

Any estimates when the next release will happen? In next few weeks or in next few months?

-Olli

Jeremy Long

Feb 11, 2021, 6:48:55 AM
to Olli Rajala, Dependency Check

Olli Rajala

Feb 15, 2021, 6:39:34 AM
to Dependency Check
Hi,
Just confirming that this solved my issue. And actually I found out that this would have been necessary on the actual build machine, where yarn is not on the PATH and we can't alter the PATH variable.

So, now we can proceed with the project related tests.

Thanks!

-Olli 