Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Trivy Node scan can't parse package.json when latest is used as a package version #6747

Closed
2 tasks done
DmitriyLewen opened this issue May 22, 2024 Discussed in #6730 · 0 comments · Fixed by #7110
Closed
2 tasks done

Trivy Node scan can't parse package.json when latest is used as a package version #6747

DmitriyLewen opened this issue May 22, 2024 Discussed in #6730 · 0 comments · Fixed by #7110
Assignees
@DmitriyLewen
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@DmitriyLewen
Copy link
Contributor

Discussed in #6730

Originally posted by abrwn May 20, 2024

Description

When running a trivy scan on a node project, the following warning is shown when a latest version is used for a dependency:

Unable to parse "package.json" to remove dev dependencies: unable to walk dependencies: unable to match version for <package>

Example:

package.json

{
  "devDependencies": {
    "chromedriver": "latest",
    ...
  }
}

yarn.lock

chromedriver@latest:
  version "123.0.4"
  resolved "https://registry.yarnpkg.com/chromedriver/-/chromedriver-123.0.4.tgz#886886c79108b22b10f80925b67cecdc46d41988"
  integrity sha512-3Yi7y7q35kkSAOTbRisiww/SL2w+DqafDPAaUShpSuLMmPaOvHQR0i3bm2/33QBiQ8fUb1J/MzppzVL6IDqvhA==
  dependencies:
    "@testim/chrome-version" "^1.1.4"
    axios "^1.6.7"
    compare-versions "^6.1.0"
    extract-zip "^2.0.1"
    proxy-agent "^6.4.0"
    proxy-from-env "^1.1.0"
    tcp-port-used "^1.0.2"

Since latest is a valid version, should trivy be able to parse this?

Desired Behavior

Trivy scanner is able to parse latest version in package.json

Actual Behavior

Node scan can't parse package.json when latest is used as a package version, and therefore can't ignore dev dependencies.

Reproduction Steps

1. Include package with `latest` tag in package.json
2. Run `yarn` to create lock file
3. Run trivy node scanner on project, eg `trivy fs --scanners vuln --skip-dirs "node_modules" $1 --severity HIGH,CRITICAL --ignore-unfixed \
  --show-suppressed --exit-code 1`

Target

Filesystem

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

2024-05-20T14:55:49.257Z	INFO	Vulnerability scanning is enabled
2024-05-20T14:55:49.281Z	WARN	Unable to parse "package.json" to remove dev dependencies: unable to walk dependencies: unable to match version for chromedriver
2024-05-20T14:55:49.309Z	INFO	Number of language-specific files: 1
2024-05-20T14:55:49.309Z	INFO	Detecting yarn vulnerabilities...

Operating System

linux

Version

Installed using `curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.50.2`

Checklist
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@DmitriyLewen DmitriyLewen

Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
1 participant
@DmitriyLewen