trivy: 0.39.0 - Error with parsing package.json alongside yarn.lock
Description
Running trivy fs --scanners vuln --skip-dirs "node_modules,vendor" ./ on a repository containing yarn.lock and package.json files fails with a fatal error:
2023-04-03T10:35:11.103+0300 INFO Vulnerability scanning is enabled
2023-04-03T10:35:11.113+0300 FATAL filesystem scan error: scan error: scan failed: failed analysis: post analysis error: post analysis error: yarn walk error: unable to parse .: parse error: unable to parse package.json
What did you expect to happen?
Vulnerability scan doesn’t fail with fatal error. The same cannot be reproduced with 0.38.3, package.json parsing was added in 0.39 (#3757).
Output of run with --debug:
2023-04-03T10:25:10.288+0300 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-04-03T10:25:10.292+0300 DEBUG cache dir: /home/sharkmachine/.cache/trivy
2023-04-03T10:25:10.292+0300 DEBUG DB update was skipped because the local DB is the latest
2023-04-03T10:25:10.292+0300 DEBUG DB Schema: 2, UpdatedAt: 2023-04-03 06:07:03.052991494 +0000 UTC, NextUpdate: 2023-04-03 12:07:03.052991094 +0000 UTC, DownloadedAt: 2023-04-03 07:04:14.573032556 +0000 UTC
2023-04-03T10:25:10.292+0300 INFO Vulnerability scanning is enabled
2023-04-03T10:25:10.292+0300 DEBUG Vulnerability type: [os library]
2023-04-03T10:25:10.292+0300 DEBUG Walk the file tree rooted at '.' in parallel
2023-04-03T10:25:10.293+0300 DEBUG Skipping directory: node_modules
2023-04-03T10:25:10.293+0300 DEBUG Skipping directory: vendor
2023-04-03T10:25:10.302+0300 FATAL filesystem scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.Run
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:431
- scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:266
- scan failed:
github.com/aquasecurity/trivy/pkg/commands/artifact.scan
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:679
- failed analysis:
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
/home/runner/work/trivy/trivy/pkg/scanner/scan.go:146
- post analysis error:
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect
/home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:164
- post analysis error:
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:487
- yarn walk error:
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/yarn.yarnAnalyzer.PostAnalyze
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/nodejs/yarn/yarn.go:72
- unable to parse .:
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/yarn.yarnAnalyzer.removeDevDependencies
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/nodejs/yarn/yarn.go:104
- parse error:
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/yarn.yarnAnalyzer.parsePackageJsonDependencies
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/nodejs/yarn/yarn.go:174
- unable to parse package.json:
github.com/aquasecurity/go-dep-parser/pkg/nodejs/packagejson.(*Parser).Parse
/home/runner/go/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20230324043952-2172dc218241/pkg/nodejs/packagejson/parse.go:39
Output of trivy -v:
Version: 0.39.0
Vulnerability DB:
Version: 2
UpdatedAt: 2023-04-03 06:07:03.052991494 +0000 UTC
NextUpdate: 2023-04-03 12:07:03.052991094 +0000 UTC
DownloadedAt: 2023-04-03 07:04:14.573032556 +0000 UTC
Additional details (base image name, container registry info…):
The same problem can be reproduced with the Debian/Ubuntu deb package version and with the Docker image.
About this issue
- State: closed
- Created a year ago
- Reactions: 1
- Comments: 17
@hwo411, @SharkMachine I'm happy that I could help you.
By default `yarn` creates `version` in the `package.lock` file. That's why we thought package.json always included the `version` field. But we created #3972 to not stop the scan when errors occur in enrichment files.
@BumpeiShimada I meant logs with the `--debug` flag, as in the main message.
UPD: I checked this log. Looks like the problem is in the `Name` or `Version` field.
@BumpeiShimada You can send me the debug log and I will try to tell you what the problem is.
@BumpeiShimada First of all, we don’t think it is our issue. We suppose your package.json has an issue. Could you share your package.json? You can remove or mask something sensitive.
@DmitriyLewen Can we change it not to fail on broken package.json files? package.json just enriches the results. We should not fail the entire scanning. We should show warnings and keep scanning.
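As an added illustration of the warn-and-keep-scanning behaviour this thread asks for (example code, not trivy's or go-dep-parser's own implementation): a package.json that is missing `name` or `version` produces a warning and still contributes its devDependencies, and a package.json that is not valid JSON at all produces a warning and leaves the yarn.lock packages untouched. The type and function names and the sample package.json are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// PackageJSON holds the package.json fields the yarn enrichment step needs.
// Hypothetical type for this example, not trivy's own.
type PackageJSON struct {
	Name            string            `json:"name"`
	Version         string            `json:"version"`
	DevDependencies map[string]string `json:"devDependencies"`
}

// ParseLenient parses package.json for dependency enrichment. Malformed JSON is
// still an error, but a missing name or version only yields a warning, so the
// caller can keep scanning with the yarn.lock data alone.
func ParseLenient(data []byte) (PackageJSON, []string, error) {
	var pkg PackageJSON
	if err := json.Unmarshal(data, &pkg); err != nil {
		return pkg, nil, fmt.Errorf("unable to parse package.json: %w", err)
	}
	var warnings []string
	if pkg.Name == "" {
		warnings = append(warnings, "package.json has no name field")
	}
	if pkg.Version == "" {
		warnings = append(warnings, "package.json has no version field")
	}
	return pkg, warnings, nil
}

// DevDependencyNames returns the dev dependency names to strip from the
// lockfile-derived package list. An unparsable package.json yields no names
// plus a warning instead of aborting the whole scan.
func DevDependencyNames(data []byte) ([]string, []string) {
	pkg, warnings, err := ParseLenient(data)
	if err != nil {
		return nil, append(warnings, "WARN "+err.Error()+": keeping all lockfile packages")
	}
	names := make([]string, 0, len(pkg.DevDependencies))
	for name := range pkg.DevDependencies {
		names = append(names, name)
	}
	return names, warnings
}

// Constructed sample: a private root package.json with no version field.
const SamplePackageJSON = `{"name":"app","private":true,"devDependencies":{"jest":"^29.0.0"}}`

func main() {
	names, warnings := DevDependencyNames([]byte(SamplePackageJSON))
	fmt.Println(names, warnings)
}
```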