Skip to content

This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Scanning NPM packages prints warnings #4039

Closed
PeterBurner opened this issue Apr 12, 2023 · 3 comments · Fixed by #4893
Closed

Scanning NPM packages prints warnings #4039

PeterBurner opened this issue Apr 12, 2023 · 3 comments · Fixed by #4893
Assignees
@DmitriyLewen
Labels
priority/backlog Higher priority than priority/awaiting-more-evidence. triage/support Indicates an issue that is a support question.
Milestone
v0.42.0

Comments

@PeterBurner
Copy link

What I am trying to do

I am trying to scan a NPM monorepo with multiple package.json files an one top level package-lock.json for licenses.
Command:

trivy fs --scanners license .

What I get as a result

Console output 
2023-04-12T10:35:58.972+0200    INFO    Loaded trivy.yaml
2023-04-12T10:35:58.983+0200    INFO    Full license scanning is enabled
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-sqs@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@azure/eventgrid@^4.11.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: 'jsrsasign@^10.8.1'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-lambda@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: 'async-mqtt@^2.6.3'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: 'retry-as-promised@^7.0.4'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/lib-dynamodb@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: 'jose@^4.13.1'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-iot@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-secrets-manager@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-dynamodb@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-iot-data-plane@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-iot-jobs-data-plane@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-s3@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/metrics@^1.8.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/tracer@^1.8.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-dynamodb@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/lib-dynamodb@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/commons@^1.8.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/logger@^1.8.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: 'jose@^4.13.1'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: 'lodash@^4.17.21'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/commons@^1.8.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/logger@^1.8.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/metrics@^1.8.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/tracer@^1.8.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-dynamodb@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-iot@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-iot-data-plane@^3.310.0'
2023-04-12T10:36:02.819+0200    WARN    Cannot resolve the version: '@aws-sdk/client-s3@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/logger@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/metrics@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/tracer@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-sdk/client-dynamodb@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/commons@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/logger@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/commons@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-sdk/client-iot-data-plane@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/metrics@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-sdk/client-iot@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-sdk/util-dynamodb@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-sdk/lib-dynamodb@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/tracer@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-sdk/client-dynamodb@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/logger@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/metrics@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/tracer@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: 'jose@^4.13.1'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: 'lodash@^4.17.21'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/commons@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/metrics@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/tracer@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-sdk/client-dynamodb@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-sdk/lib-dynamodb@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-sdk/util-dynamodb@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/commons@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/logger@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/logger@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/metrics@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/tracer@^1.8.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-sdk/client-dynamodb@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-sdk/lib-dynamodb@^3.310.0'
2023-04-12T10:36:02.820+0200    WARN    Cannot resolve the version: '@aws-lambda-powertools/commons@^1.8.0'

package-lock.json (license)

Total: 75 (UNKNOWN: 0, LOW: 75, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌──────────────────────┬──────────────┬────────────────┬──────────┐
│       Package        │   License    │ Classification │ Severity │
├──────────────────────┼──────────────┼────────────────┼──────────┤
│ agent-base           │ MIT          │ Notice         │ LOW      │
├──────────────────────┤              │                │          │
│ async-hook-jl        │              │                │          │
├──────────────────────┤              │                │          │
│ async-mqtt           │              │                │          │
├──────────────────────┤              │                │          │
│ asynckit             │              │                │          │
├──────────────────────┤              │                │          │
│ atomic-batcher       │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ aws-xray-sdk-core    │ Apache-2.0   │                │          │
├──────────────────────┼──────────────┤                │          │
│ balanced-match       │ MIT          │                │          │
├──────────────────────┤              │                │          │
│ base64-js            │              │                │          │
├──────────────────────┤              │                │          │
│ bl                   │              │                │          │
├──────────────────────┤              │                │          │
│ bowser               │              │                │          │
├──────────────────────┤              │                │          │
│ brace-expansion      │              │                │          │
├──────────────────────┤              │                │          │
│ buffer               │              │                │          │
├──────────────────────┤              │                │          │
│ buffer-from          │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ cls-hooked           │ BSD-2-Clause │                │          │
├──────────────────────┼──────────────┤                │          │
│ combined-stream      │ MIT          │                │          │
├──────────────────────┤              │                │          │
│ commist              │              │                │          │
├──────────────────────┤              │                │          │
│ concat-map           │              │                │          │
├──────────────────────┤              │                │          │
│ concat-stream        │              │                │          │
├──────────────────────┤              │                │          │
│ debug                │              │                │          │
├──────────────────────┤              │                │          │
│ delayed-stream       │              │                │          │
├──────────────────────┤              │                │          │
│ duplexify            │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ emitter-listener     │ BSD-2-Clause │                │          │
├──────────────────────┼──────────────┤                │          │
│ end-of-stream        │ MIT          │                │          │
├──────────────────────┤              │                │          │
│ fast-xml-parser      │              │                │          │
├──────────────────────┤              │                │          │
│ form-data            │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ fs.realpath          │ ISC          │                │          │
├──────────────────────┤              │                │          │
│ glob                 │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ help-me              │ MIT          │                │          │
├──────────────────────┤              │                │          │
│ http-proxy-agent     │              │                │          │
├──────────────────────┤              │                │          │
│ https-proxy-agent    │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ ieee754              │ BSD-3-Clause │                │          │
├──────────────────────┼──────────────┤                │          │
│ inflight             │ ISC          │                │          │
├──────────────────────┤              │                │          │
│ inherits             │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ jose                 │ MIT          │                │          │
├──────────────────────┤              │                │          │
│ js-sdsl              │              │                │          │
├──────────────────────┤              │                │          │
│ jsrsasign            │              │                │          │
├──────────────────────┤              │                │          │
│ leven                │              │                │          │
├──────────────────────┤              │                │          │
│ lodash               │              │                │          │
├──────────────────────┤              │                │          │
│ lodash.merge         │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ lru-cache            │ ISC          │                │          │
├──────────────────────┼──────────────┤                │          │
│ mime-db              │ MIT          │                │          │
├──────────────────────┤              │                │          │
│ mime-types           │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ minimatch            │ ISC          │                │          │
├──────────────────────┼──────────────┤                │          │
│ minimist             │ MIT          │                │          │
├──────────────────────┤              │                │          │
│ mnemonist            │              │                │          │
├──────────────────────┤              │                │          │
│ mqtt                 │              │                │          │
├──────────────────────┤              │                │          │
│ mqtt-packet          │              │                │          │
├──────────────────────┤              │                │          │
│ ms                   │              │                │          │
├──────────────────────┤              │                │          │
│ number-allocator     │              │                │          │
├──────────────────────┤              │                │          │
│ obliterator          │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ once                 │ ISC          │                │          │
├──────────────────────┼──────────────┤                │          │
│ path-is-absolute     │ MIT          │                │          │
├──────────────────────┤              │                │          │
│ process-nextick-args │              │                │          │
├──────────────────────┤              │                │          │
│ pump                 │              │                │          │
├──────────────────────┤              │                │          │
│ readable-stream      │              │                │          │
├──────────────────────┤              │                │          │
│ reinterval           │              │                │          │
├──────────────────────┤              │                │          │
│ retry-as-promised    │              │                │          │
├──────────────────────┤              │                │          │
│ rfdc                 │              │                │          │
├──────────────────────┤              │                │          │
│ safe-buffer          │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ semver               │ ISC          │                │          │
├──────────────────────┼──────────────┤                │          │
│ shimmer              │ BSD-2-Clause │                │          │
├──────────────────────┼──────────────┤                │          │
│ split2               │ ISC          │                │          │
├──────────────────────┼──────────────┤                │          │
│ stack-chain          │ MIT          │                │          │
├──────────────────────┤              │                │          │
│ stream-shift         │              │                │          │
├──────────────────────┤              │                │          │
│ string_decoder       │              │                │          │
├──────────────────────┤              │                │          │
│ strnum               │              │                │          │
├──────────────────────┼──────────────┼────────────────┤          │
│ tslib                │ 0BSD         │ Unencumbered   │          │
│                      │              │                │          │
│                      │              │                │          │
├──────────────────────┼──────────────┼────────────────┤          │
│ typedarray           │ MIT          │ Notice         │          │
├──────────────────────┤              │                │          │
│ util-deprecate       │              │                │          │
├──────────────────────┤              │                │          │
│ uuid                 │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ wrappy               │ ISC          │                │          │
├──────────────────────┼──────────────┤                │          │
│ ws                   │ MIT          │                │          │
├──────────────────────┤              │                │          │
│ xtend                │              │                │          │
├──────────────────────┼──────────────┤                │          │
│ yallist              │ ISC          │                │          │
└──────────────────────┴──────────────┴────────────────┴──────────┘

What I expected

I expected Trivy to scan my dependencies and print the assessed licenses for the whole dependency graph in a table.

My setup

trivy.yaml 
license:
  full: true
scan:
  scanners:
    - vuln
    - secret
    - config
    - license
vulnerability:
  ignore-unfixed: false
  type: os,library
Project structure 
.
├── README.md
├── functions
│   ├── fun-1
│   │   ├── package.json
│   │   ├── src
│       │   └── ...
│   │   └── tsconfig.json
│   ├── fun-2
│   │   ├── package.json
│   │   ├── src
│       │   └── ...
│   │   └── tsconfig.json
│   └── fun-3
│       ├── package.json
│       ├── src
│       │   └── ...
│       └── tsconfig.json
├── node_modules
│   └── ...
├── package-lock.json
├── package.json
├── trivy.yaml
└── tsconfig.json

My questions

  • What can I do to fix the warnings? A big part of my dependencies is simply missing from the result table.
  • Is there a way to evaluate all the package.json files inside node_modules? According to the documentation for filesystem scanning this is intentionally disabled. Why? I am aware that there are A LOT of files but shouldn't the users decide how long they are willing to wait for the scan to conclude?
  • Same for the devDependencies. Is there a way to enable NPM dev dependency scanning and if not, why?
@PeterBurner PeterBurner added the triage/support Indicates an issue that is a support question. label Apr 12, 2023
@DmitriyLewen
Copy link
Contributor

DmitriyLewen commented Apr 18, 2023
edited
Loading

Hello @PeterBurner
Thanks for your report!

What can I do to fix the warnings? A big part of my dependencies is simply missing from the result table.

Can you share link to your repository or package-lock.json file? i will investigate why you got these warnings.

Is there a way to evaluate all the package.json files inside node_modules

Use rootfs mode for this.

Is there a way to enable NPM dev dependency scanning and if not, why?

Release package does not include dev dependencies. That's why we are excluding dev deps so users don't have to worry about dependencies that aren't included in the release.

@DmitriyLewen DmitriyLewen self-assigned this Apr 18, 2023
@PeterBurner
Copy link
Author

Wow. rootfs works like a charm. Also no warnings there. Thank you very much!
I never would have thought of that. You should make it more obvious in your documentation that normal folders count as "unpacked filesystem". In hindsight it makes total sense.

As requested here is a zip of my dependency files. I can reproduce the warnings with its contents.

@DmitriyLewen
Copy link
Contributor

docs have information about all supported languages and modes to scanning them - https://aquasecurity.github.io/trivy/v0.40/docs/vulnerability/detection/language/

As requested here is a zip of my dependency files. I can reproduce the warnings with its contents.

Thanks a lot! I will investigate this and write to you.

@DmitriyLewen DmitriyLewen mentioned this issue Apr 19, 2023
Merged
@knqyf263 knqyf263 added this to the v0.42.0 milestone May 8, 2023
@knqyf263 knqyf263 added the priority/backlog Higher priority than priority/awaiting-more-evidence. label May 8, 2023
@aquasecurity aquasecurity locked and limited conversation to collaborators May 10, 2023
@knqyf263 knqyf263 converted this issue into discussion #4296 May 10, 2023

This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →

Assignees

@DmitriyLewen DmitriyLewen

Labels
priority/backlog Higher priority than priority/awaiting-more-evidence. triage/support Indicates an issue that is a support question.
Projects
None yet
Milestone
v0.42.0
Development

Successfully merging a pull request may close this issue.

fix(nodejs): add support of local packages for package-lock.json DmitriyLewen/trivy
3 participants
@knqyf263 @PeterBurner @DmitriyLewen