Scanning NPM packages prints warnings #4296

PeterBurner · 2023-04-12T09:08:30Z

PeterBurner
Apr 12, 2023

What I am trying to do

I am trying to scan a NPM monorepo with multiple package.json files an one top level package-lock.json for licenses.
Command:

trivy fs --scanners license .

What I get as a result

Console output

2023-04-12T10:35:58.972+0200    INFO    Loaded trivy.yaml
2023-04-12T10:35:58.983+0200    INFO    Full license scanning is enabled
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-sqs@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@azure/eventgrid@^4.11.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: 'jsrsasign@^10.8.1'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-lambda@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: 'async-mqtt@^2.6.3'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: 'retry-as-promised@^7.0.4'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/lib-dynamodb@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: 'jose@^4.13.1'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-iot@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-secrets-manager@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-dynamodb@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-iot-data-plane@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-iot-jobs-data-plane@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-s3@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/metrics@^1.8.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/tracer@^1.8.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-dynamodb@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/lib-dynamodb@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/commons@^1.8.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/logger@^1.8.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: 'jose@^4.13.1'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: 'lodash@^4.17.21'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/commons@^1.8.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/logger@^1.8.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/metrics@^1.8.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/tracer@^1.8.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-dynamodb@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-iot@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-iot-data-plane@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-s3@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/logger@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/metrics@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/tracer@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-sdk/client-dynamodb@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/commons@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/logger@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/commons@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-sdk/client-iot-data-plane@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/metrics@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-sdk/client-iot@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-sdk/util-dynamodb@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-sdk/lib-dynamodb@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/tracer@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-sdk/client-dynamodb@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/logger@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/metrics@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/tracer@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: 'jose@^4.13.1'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: 'lodash@^4.17.21'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/commons@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/metrics@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/tracer@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-sdk/client-dynamodb@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-sdk/lib-dynamodb@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-sdk/util-dynamodb@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/commons@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/logger@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/logger@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/metrics@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/tracer@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-sdk/client-dynamodb@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-sdk/lib-dynamodb@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/commons@^1.8.0'

package-lock.json (license)

Total: 75 (UNKNOWN: 0, LOW: 75, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌──────────────────────┬──────────────┬────────────────┬──────────┐
│       Package        │   License    │ Classification │ Severity │
├──────────────────────┼──────────────┼────────────────┼──────────┤
│ agent-base           │ MIT          │ Notice         │ LOW      │
├──────────────────────┤              │                │          │
│ async-hook-jl        │              │                │          │
├──────────────────────┤              │                │          │
│ async-mqtt           │              │                │          │
├──────────────────────┤              │                │          │
│ asynckit             │              │                │          │
├──────────────────────┤              │                │          │
│ atomic-batcher       │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ aws-xray-sdk-core    │ Apache-2.0   │                │          │
├──────────────────────┼──────────────┤                │          │
│ balanced-match       │ MIT          │                │          │
├──────────────────────┤              │                │          │
│ base64-js            │              │                │          │
├──────────────────────┤              │                │          │
│ bl                   │              │                │          │
├──────────────────────┤              │                │          │
│ bowser               │              │                │          │
├──────────────────────┤              │                │          │
│ brace-expansion      │              │                │          │
├──────────────────────┤              │                │          │
│ buffer               │              │                │          │
├──────────────────────┤              │                │          │
│ buffer-from          │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ cls-hooked           │ BSD-2-Clause │                │          │
├──────────────────────┼──────────────┤                │          │
│ combined-stream      │ MIT          │                │          │
├──────────────────────┤              │                │          │
│ commist              │              │                │          │
├──────────────────────┤              │                │          │
│ concat-map           │              │                │          │
├──────────────────────┤              │                │          │
│ concat-stream        │              │                │          │
├──────────────────────┤              │                │          │
│ debug                │              │                │          │
├──────────────────────┤              │                │          │
│ delayed-stream       │              │                │          │
├──────────────────────┤              │                │          │
│ duplexify            │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ emitter-listener     │ BSD-2-Clause │                │          │
├──────────────────────┼──────────────┤                │          │
│ end-of-stream        │ MIT          │                │          │
├──────────────────────┤              │                │          │
│ fast-xml-parser      │              │                │          │
├──────────────────────┤              │                │          │
│ form-data            │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ fs.realpath          │ ISC          │                │          │
├──────────────────────┤              │                │          │
│ glob                 │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ help-me              │ MIT          │                │          │
├──────────────────────┤              │                │          │
│ http-proxy-agent     │              │                │          │
├──────────────────────┤              │                │          │
│ https-proxy-agent    │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ ieee754              │ BSD-3-Clause │                │          │
├──────────────────────┼──────────────┤                │          │
│ inflight             │ ISC          │                │          │
├──────────────────────┤              │                │          │
│ inherits             │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ jose                 │ MIT          │                │          │
├──────────────────────┤              │                │          │
│ js-sdsl              │              │                │          │
├──────────────────────┤              │                │          │
│ jsrsasign            │              │                │          │
├──────────────────────┤              │                │          │
│ leven                │              │                │          │
├──────────────────────┤              │                │          │
│ lodash               │              │                │          │
├──────────────────────┤              │                │          │
│ lodash.merge         │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ lru-cache            │ ISC          │                │          │
├──────────────────────┼──────────────┤                │          │
│ mime-db              │ MIT          │                │          │
├──────────────────────┤              │                │          │
│ mime-types           │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ minimatch            │ ISC          │                │          │
├──────────────────────┼──────────────┤                │          │
│ minimist             │ MIT          │                │          │
├──────────────────────┤              │                │          │
│ mnemonist            │              │                │          │
├──────────────────────┤              │                │          │
│ mqtt                 │              │                │          │
├──────────────────────┤              │                │          │
│ mqtt-packet          │              │                │          │
├──────────────────────┤              │                │          │
│ ms                   │              │                │          │
├──────────────────────┤              │                │          │
│ number-allocator     │              │                │          │
├──────────────────────┤              │                │          │
│ obliterator          │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ once                 │ ISC          │                │          │
├──────────────────────┼──────────────┤                │          │
│ path-is-absolute     │ MIT          │                │          │
├──────────────────────┤              │                │          │
│ process-nextick-args │              │                │          │
├──────────────────────┤              │                │          │
│ pump                 │              │                │          │
├──────────────────────┤              │                │          │
│ readable-stream      │              │                │          │
├──────────────────────┤              │                │          │
│ reinterval           │              │                │          │
├──────────────────────┤              │                │          │
│ retry-as-promised    │              │                │          │
├──────────────────────┤              │                │          │
│ rfdc                 │              │                │          │
├──────────────────────┤              │                │          │
│ safe-buffer          │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ semver               │ ISC          │                │          │
├──────────────────────┼──────────────┤                │          │
│ shimmer              │ BSD-2-Clause │                │          │
├──────────────────────┼──────────────┤                │          │
│ split2               │ ISC          │                │          │
├──────────────────────┼──────────────┤                │          │
│ stack-chain          │ MIT          │                │          │
├──────────────────────┤              │                │          │
│ stream-shift         │              │                │          │
├──────────────────────┤              │                │          │
│ string_decoder       │              │                │          │
├──────────────────────┤              │                │          │
│ strnum               │              │                │          │
├──────────────────────┼──────────────┼────────────────┤          │
│ tslib                │ 0BSD         │ Unencumbered   │          │
│                      │              │                │          │
│                      │              │                │          │
├──────────────────────┼──────────────┼────────────────┤          │
│ typedarray           │ MIT          │ Notice         │          │
├──────────────────────┤              │                │          │
│ util-deprecate       │              │                │          │
├──────────────────────┤              │                │          │
│ uuid                 │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ wrappy               │ ISC          │                │          │
├──────────────────────┼──────────────┤                │          │
│ ws                   │ MIT          │                │          │
├──────────────────────┤              │                │          │
│ xtend                │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ yallist              │ ISC          │                │          │
└──────────────────────┴──────────────┴────────────────┴──────────┘

What I expected

I expected Trivy to scan my dependencies and print the assessed licenses for the whole dependency graph in a table.

My setup

trivy.yaml

license:
  full: true
scan:
  scanners:
    - vuln
    - secret
    - config
    - license
vulnerability:
  ignore-unfixed: false
  type: os,library

Project structure

.
├── README.md
├── functions
│   ├── fun-1
│   │   ├── package.json
│   │   ├── src
│       │   └── ...
│   │   └── tsconfig.json
│   ├── fun-2
│   │   ├── package.json
│   │   ├── src
│       │   └── ...
│   │   └── tsconfig.json
│   └── fun-3
│       ├── package.json
│       ├── src
│       │   └── ...
│       └── tsconfig.json
├── node_modules
│   └── ...
├── package-lock.json
├── package.json
├── trivy.yaml
└── tsconfig.json

My questions

What can I do to fix the warnings? A big part of my dependencies is simply missing from the result table.
Is there a way to evaluate all the package.json files inside node_modules? According to the documentation for filesystem scanning this is intentionally disabled. Why? I am aware that there are A LOT of files but shouldn't the users decide how long they are willing to wait for the scan to conclude?
Same for the devDependencies. Is there a way to enable NPM dev dependency scanning and if not, why?

DmitriyLewen · 2023-04-18T08:26:20Z

DmitriyLewen
Apr 18, 2023
Maintainer

Hello @PeterBurner
Thanks for your report!

What can I do to fix the warnings? A big part of my dependencies is simply missing from the result table.

Can you share link to your repository or package-lock.json file? i will investigate why you got these warnings.

Is there a way to evaluate all the package.json files inside node_modules

Use rootfs mode for this.

Is there a way to enable NPM dev dependency scanning and if not, why?

Release package does not include dev dependencies. That's why we are excluding dev deps so users don't have to worry about dependencies that aren't included in the release.

0 replies

PeterBurner · 2023-04-18T10:52:05Z

PeterBurner
Apr 18, 2023
Author

Wow. rootfs works like a charm. Also no warnings there. Thank you very much!
I never would have thought of that. You should make it more obvious in your documentation that normal folders count as "unpacked filesystem". In hindsight it makes total sense.

As requested here is a zip of my dependency files. I can reproduce the warnings with its contents.

0 replies

DmitriyLewen · 2023-04-19T03:03:17Z

DmitriyLewen
Apr 19, 2023
Maintainer

docs have information about all supported languages and modes to scanning them - https://aquasecurity.github.io/trivy/v0.40/docs/vulnerability/detection/language/

As requested here is a zip of my dependency files. I can reproduce the warnings with its contents.

Thanks a lot! I will investigate this and write to you.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Scanning NPM packages prints warnings #4296

{{title}}

Replies: 3 comments

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

Scanning NPM packages prints ﻿warnings #4296

PeterBurner Apr 12, 2023

What I am trying to do

What I get as a result

What I expected

My setup

My questions

Replies: 3 comments

DmitriyLewen Apr 18, 2023 Maintainer

PeterBurner Apr 18, 2023 Author

DmitriyLewen Apr 19, 2023 Maintainer

Scanning NPM packages prints warnings #4296

PeterBurner
Apr 12, 2023

DmitriyLewen
Apr 18, 2023
Maintainer

PeterBurner
Apr 18, 2023
Author

DmitriyLewen
Apr 19, 2023
Maintainer