trivy: 0.39.0 - Error with parsing package.json alongside yarn.lock

Description

Running trivy fs --scanners vuln --skip-dirs "node_modules,vendor" ./ on a repository containing yarn.lock and package.json files fails with a fatal error.

2023-04-03T10:35:11.103+0300	INFO	Vulnerability scanning is enabled
2023-04-03T10:35:11.113+0300	FATAL	filesystem scan error: scan error: scan failed: failed analysis: post analysis error: post analysis error: yarn walk error: unable to parse .: parse error: unable to parse package.json

What did you expect to happen?

The vulnerability scan should not fail with a fatal error. The same cannot be reproduced with 0.38.3; package.json parsing was added in 0.39 (#3757).

Output of run with --debug:

2023-04-03T10:25:10.288+0300	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-04-03T10:25:10.292+0300	DEBUG	cache dir:  /home/sharkmachine/.cache/trivy
2023-04-03T10:25:10.292+0300	DEBUG	DB update was skipped because the local DB is the latest
2023-04-03T10:25:10.292+0300	DEBUG	DB Schema: 2, UpdatedAt: 2023-04-03 06:07:03.052991494 +0000 UTC, NextUpdate: 2023-04-03 12:07:03.052991094 +0000 UTC, DownloadedAt: 2023-04-03 07:04:14.573032556 +0000 UTC
2023-04-03T10:25:10.292+0300	INFO	Vulnerability scanning is enabled
2023-04-03T10:25:10.292+0300	DEBUG	Vulnerability type:  [os library]
2023-04-03T10:25:10.292+0300	DEBUG	Walk the file tree rooted at '.' in parallel
2023-04-03T10:25:10.293+0300	DEBUG	Skipping directory: node_modules
2023-04-03T10:25:10.293+0300	DEBUG	Skipping directory: vendor
2023-04-03T10:25:10.302+0300	FATAL	filesystem scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:431
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:266
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:679
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:146
  - post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:164
  - post analysis error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:487
  - yarn walk error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/yarn.yarnAnalyzer.PostAnalyze
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/nodejs/yarn/yarn.go:72
  - unable to parse .:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/yarn.yarnAnalyzer.removeDevDependencies
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/nodejs/yarn/yarn.go:104
  - parse error:
    github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/yarn.yarnAnalyzer.parsePackageJsonDependencies
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/nodejs/yarn/yarn.go:174
  - unable to parse package.json:
    github.com/aquasecurity/go-dep-parser/pkg/nodejs/packagejson.(*Parser).Parse
        /home/runner/go/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20230324043952-2172dc218241/pkg/nodejs/packagejson/parse.go:39

Output of trivy -v:

Version: 0.39.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-04-03 06:07:03.052991494 +0000 UTC
  NextUpdate: 2023-04-03 12:07:03.052991094 +0000 UTC
  DownloadedAt: 2023-04-03 07:04:14.573032556 +0000 UTC

Additional details (base image name, container registry info…):

The same problem can be reproduced with the Debian/Ubuntu deb package version and with the Docker image.

About this issue

  • State: closed
  • Created a year ago
  • Reactions: 1
  • Comments: 17

Most upvoted comments

@hwo411 , @SharkMachine I’m happy that I could help you.

However, I’d argue that my package.json wasn’t broken as Yarn itself has been fine with it and hasn’t displayed any warnings.

By default yarn creates the version in the package.lock file:

➜  ~ docker run --name node --rm -it node sh

# yarn init
yarn init v1.22.19
question name: app
question version (1.0.0): 
question description: 
question entry point (index.js): 
question repository url: 
question author: 
question license (MIT): 
question private: 
success Saved package.json
Done in 4.50s.

# cat package.json
{
  "name": "app",
  "version": "1.0.0",
  "main": "index.js",
  "license": "MIT"
}

That’s why we thought package.json always included the version field.

But we created #3972 to not stop scan when errors occur in enrichment files.

@BumpeiShimada I meant logs with the --debug flag, as in the main message.


UPD: I checked this log. Looks like the problem is in the Name or Version field.

@BumpeiShimada You can send me the debug log and I will try to tell you what the problem is.

@BumpeiShimada First of all, we don’t think it is our issue. We suppose your package.json has an issue. Could you share your package.json? You can remove or mask something sensitive.

@DmitriyLewen Can we change it not to fail on broken package.json files? package.json just enriches the results. We should not fail on the entire scanning. We should show warnings and keep scanning.
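The thread above settles on treating package.json as an enrichment file whose problems should produce a warning rather than abort the scan. The following Go program is an added illustration of that design, not trivy's own code from #3972 or the go-dep-parser package: a hypothetical FilterLockedPackages takes the package names already read from a lock file plus the raw package.json bytes, drops direct dev dependencies when package.json is usable, and degrades to "keep everything, warn" when it is not. A missing name or version field, the situation reported in this issue, only yields a warning; the dependency lists are still used. All inputs are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// packageJSON holds only the fields a scanner needs from package.json; other keys are ignored.
type packageJSON struct {
	Name            string            `json:"name"`
	Version         string            `json:"version"`
	Dependencies    map[string]string `json:"dependencies"`
	DevDependencies map[string]string `json:"devDependencies"`
}

// FilterLockedPackages (hypothetical helper, not trivy's API) returns the locked package
// names to report and a list of warnings. package.json is an enrichment file here:
//   - if it cannot be decoded, every locked package is kept and the error becomes a warning;
//   - if it decodes but lacks name or version, a warning is recorded and filtering proceeds.
// Nothing in this function returns a hard error, so the caller's scan never aborts.
func FilterLockedPackages(locked []string, pkgJSON []byte) ([]string, []string) {
	var warnings []string
	var pkg packageJSON

	if err := json.Unmarshal(pkgJSON, &pkg); err != nil {
		// Unusable enrichment file: report, but keep the full lock-file result set.
		warnings = append(warnings, fmt.Sprintf("unable to parse package.json, keeping all locked packages: %v", err))
		out := append([]string(nil), locked...)
		sort.Strings(out)
		return out, warnings
	}

	// Optional metadata: its absence must not stop the scan.
	if pkg.Name == "" {
		warnings = append(warnings, "package.json has no name field; root package will not be identified")
	}
	if pkg.Version == "" {
		warnings = append(warnings, "package.json has no version field; root package will not be identified")
	}

	// Drop packages that are only direct devDependencies; anything also listed under
	// dependencies (or not mentioned in package.json at all) stays in the report.
	out := make([]string, 0, len(locked))
	for _, name := range locked {
		_, isDev := pkg.DevDependencies[name]
		_, isProd := pkg.Dependencies[name]
		if isDev && !isProd {
			continue
		}
		out = append(out, name)
	}
	sort.Strings(out)
	return out, warnings
}

func main() {
	// Constructed sample: a lock file naming one runtime and one dev dependency.
	locked := []string{"lodash", "jest"}

	// Constructed package.json written by hand without a version field (the case in this issue).
	noVersion := []byte(`{"name":"app","dependencies":{"lodash":"^4.17.21"},"devDependencies":{"jest":"^29.0.0"}}`)
	kept, warns := FilterLockedPackages(locked, noVersion)
	fmt.Println("kept:", kept, "warnings:", warns)

	// Constructed truncated file: undecodable, so the scan keeps all packages and warns.
	broken := []byte(`{"name": "app",`)
	kept, warns = FilterLockedPackages(locked, broken)
	fmt.Println("kept:", kept, "warnings:", warns)
}
```

The split between the two branches is the point: a decode failure is the only case where package.json contributes nothing, and even then the lock-file findings survive; any type mismatch inside the JSON (for example a numeric version) lands in that same branch, which is why the warning carries the decoder's message for the user to act on.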