Trivy Node scan can't parse package.json when `latest` is used as a package version #6730

abrwn · 2024-05-20T15:57:33Z

abrwn
May 20, 2024

Description

When running a trivy scan on a node project, the following warning is shown when a latest version is used for a dependency:

Unable to parse "package.json" to remove dev dependencies: unable to walk dependencies: unable to match version for <package>

Example:

package.json

{
  "devDependencies": {
    "chromedriver": "latest",
    ...
  }
}

yarn.lock

chromedriver@latest:
  version "123.0.4"
  resolved "https://registry.yarnpkg.com/chromedriver/-/chromedriver-123.0.4.tgz#886886c79108b22b10f80925b67cecdc46d41988"
  integrity sha512-3Yi7y7q35kkSAOTbRisiww/SL2w+DqafDPAaUShpSuLMmPaOvHQR0i3bm2/33QBiQ8fUb1J/MzppzVL6IDqvhA==
  dependencies:
    "@testim/chrome-version" "^1.1.4"
    axios "^1.6.7"
    compare-versions "^6.1.0"
    extract-zip "^2.0.1"
    proxy-agent "^6.4.0"
    proxy-from-env "^1.1.0"
    tcp-port-used "^1.0.2"

Since latest is a valid version, should trivy be able to parse this?

Desired Behavior

Trivy scanner is able to parse latest version in package.json

Actual Behavior

Node scan can't parse package.json when latest is used as a package version, and therefore can't ignore dev dependencies.

Reproduction Steps

1. Include package with `latest` tag in package.json
2. Run `yarn` to create lock file
3. Run trivy node scanner on project, eg `trivy fs --scanners vuln --skip-dirs "node_modules" $1 --severity HIGH,CRITICAL --ignore-unfixed \
  --show-suppressed --exit-code 1`

Target

Filesystem

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

2024-05-20T14:55:49.257Z	INFO	Vulnerability scanning is enabled
2024-05-20T14:55:49.281Z	WARN	Unable to parse "package.json" to remove dev dependencies: unable to walk dependencies: unable to match version for chromedriver
2024-05-20T14:55:49.309Z	INFO	Number of language-specific files: 1
2024-05-20T14:55:49.309Z	INFO	Detecting yarn vulnerabilities...

Operating System

linux

Version

Installed using `curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.50.2`

Checklist

Run trivy image --reset
Read the troubleshooting

DmitriyLewen · 2024-05-22T08:23:50Z

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Trivy Node scan can't parse package.json when `latest` is used as a package version #6730

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Trivy Node scan can't parse package.json when latest is used as a package version #6730

abrwn May 20, 2024

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 1 comment

DmitriyLewen May 22, 2024 Maintainer

Trivy Node scan can't parse package.json when `latest` is used as a package version #6730

abrwn
May 20, 2024

DmitriyLewen
May 22, 2024
Maintainer