DependencyCheck: Invalid payload submitted to Node Audit API. Received response code: 400 Bad Request

In our project the dependency-check fails on the Node Audit analyzer with the error:

Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.

However, this is NOT the same problem as in #2641

Investigating I found out that in fact the payload, which is generated in https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/java/org/owasp/dependencycheck/analyzer/NodeAuditAnalyzer.java#L184, seems not to be accepted by the NPM REST API.

What I did was

  • run the dependency check (in my case through the CLI like this: dependency-check -s . --disableYarnAudit --log dependencycheck.log)
  • open the file dependencycheck.log and find the payload in there (close to the line Node Audit Payload) and copy it
  • run the call to https://registry.npmjs.org/-/npm/v1/security/audits manually with curl or Postman like this
curl --location --request POST 'https://registry.npmjs.org/-/npm/v1/security/audits' \
--header 'Content-Type: application/json' \
--data-raw 'PLACE-PAYLOAD-HERE'

and I get the same error

{
    "statusCode": 400,
    "error": "Bad Request",
    "message": "Invalid package tree, run  npm install  to rebuild your package-lock.json"
}

When I run npm audit it works though, so I think it’s not a problem with my package-lock.json or with NPM.

Here is the payload in our example nodeaudit_payload.txt

So, the problem must be somewhere in NpmPayloadBuilder.java.

Stripping down the payload on a trial-and-error basis, the error persists and only goes away when the entries in section requires resemble the entries in section dependencies - but not sure if that is really the rule.

About this issue

  • State: open
  • Created 3 years ago
  • Reactions: 2
  • Comments: 18 (1 by maintainers)

Most upvoted comments

@delenikov Can you explain why it solves the issue? I’ve tried it and it works, but I want to understand why.

I think this will help: https://docs.npmjs.com/cli/v7/commands/npm-audit?v=true#bulk-advisory-endpoint. I made use of the new bulk advisory endpoint instead of the plugin's default one.

I had the same problem when I upgraded to Node 18+ and npm 8+. The solution with deleting node_modules and package-lock.json, followed by npm install did not work for me.

I came up with this solution: I added the following line of code in the configuration tag for the dependency-check-maven plugin in the parent pom.xml, and now it's working again.

<nodeAuditAnalyzerUrl>/-/npm/v1/security/advisories/bulk</nodeAuditAnalyzerUrl>

@ryandutton: Under normal circumstances you will not see any error from npm audit, because this command will first issue a bulk request (different endpoint and different format: https://docs.npmjs.com/cli/v8/commands/npm-audit#bulk-advisory-endpoint) and only if that fails will it issue a request to the quick audit endpoint (the one used by dependency-check). But if you intercept the HTTP request to the bulk endpoint and fail it, then you will see the quick audit endpoint failing just like you see in dependency-check. So maybe we have two issues here:

  • one with dependency-check: try to use the bulk end point first just like npm audit
  • one with npm: the quick audit endpoint is failing on a legitimate package-lock.json (generated by npm!)

By the way, I only saw this occurring after upgrading my Nx repo to Nx 14.3.5 and Angular 14.0.1, node 16.15.0 and npm 8.5.5.
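The two observations in this thread (the reporter's note that the quick-audit error disappears once every `requires` entry has a matching `dependencies` entry, and the later comment that npm audit itself prefers the bulk advisory endpoint with a different, flatter payload) can be checked offline against a lockfile. The script below is an added example written for this page; it is not code from DependencyCheck, from NpmPayloadBuilder.java, or from npm. The payload shapes are my reading of the two endpoints as described here (the quick-audit body with top-level `name`, `version`, `requires` and `dependencies`; the bulk body as a map of package name to installed versions) and should be treated as assumptions, as should the sample lockfile, which is constructed and deliberately contains one entry (`delta`) whose `requires` has no resolvable `dependencies` counterpart.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample in lockfileVersion 1 layout (nested "dependencies" with
# "requires" maps). Package names are made up for the example.
# "alpha" carries its own nested copy of "beta" (1.9.0) while the top level
# has beta 2.1.0; "delta" requires "epsilon", which is installed nowhere.
SAMPLE_LOCK: Dict[str, Any] = json.loads("""
{
  "name": "sample-app",
  "version": "1.0.0",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
    "alpha": {
      "version": "1.2.3",
      "requires": { "beta": "^1.0.0" },
      "dependencies": { "beta": { "version": "1.9.0" } }
    },
    "beta": {
      "version": "2.1.0",
      "requires": { "gamma": "~3.0.0" }
    },
    "gamma": { "version": "3.0.4" },
    "delta": {
      "version": "0.1.0",
      "requires": { "epsilon": "^4.0.0" }
    }
  }
}
""")


def build_quick_audit_payload(lock: Dict[str, Any],
                              direct_deps: Dict[str, str]) -> Dict[str, Any]:
    """Assumed shape of the body POSTed to /-/npm/v1/security/audits.

    direct_deps is the name -> range map of the project's own dependencies
    (normally taken from package.json); the tree comes from the lockfile.
    """
    return {
        "name": lock.get("name", "unknown"),
        "version": lock.get("version", "0.0.0"),
        "requires": dict(direct_deps),
        "dependencies": lock.get("dependencies", {}),
    }


def find_unresolved_requires(deps: Dict[str, Any],
                             ancestors: Tuple[Dict[str, Any], ...] = ()
                             ) -> List[Tuple[str, str]]:
    """Return (package, required_name) pairs whose 'requires' entry has no
    matching 'dependencies' entry. Resolution mimics node_modules lookup:
    the package's own nested dependencies first, then the level it sits in,
    then each enclosing level outward.
    """
    unresolved: List[Tuple[str, str]] = []
    scope = (deps,) + ancestors
    for name, entry in deps.items():
        nested = entry.get("dependencies", {})
        for required in entry.get("requires", {}):
            if not any(required in level for level in (nested,) + scope):
                unresolved.append((name, required))
        if nested:
            unresolved.extend(find_unresolved_requires(nested, scope))
    return unresolved


def diagnose_quick_audit_payload(payload: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Check the top-level 'requires' against the tree, then the whole tree."""
    tree = payload.get("dependencies", {})
    problems = [(payload.get("name", "<root>"), req)
                for req in payload.get("requires", {}) if req not in tree]
    return problems + find_unresolved_requires(tree)


def build_bulk_payload(deps: Dict[str, Any],
                       acc: Dict[str, List[str]] = None) -> Dict[str, List[str]]:
    """Assumed shape of the body for /-/npm/v1/security/advisories/bulk:
    package name -> every installed version found anywhere in the tree.
    No 'requires' edges are sent, which is why this shape is immune to the
    'Invalid package tree' rejection discussed above.
    """
    if acc is None:
        acc = {}
    for name, entry in deps.items():
        version = entry.get("version")
        if version and version not in acc.setdefault(name, []):
            acc[name].append(version)
        build_bulk_payload(entry.get("dependencies", {}), acc)
    return acc


if __name__ == "__main__":
    quick = build_quick_audit_payload(SAMPLE_LOCK, {"alpha": "^1.0.0", "delta": "^0.1.0"})
    print("quick-audit problems:", diagnose_quick_audit_payload(quick))
    print("bulk payload:", json.dumps(build_bulk_payload(SAMPLE_LOCK["dependencies"])))
```

Running the script on a real package-lock.json instead of SAMPLE_LOCK gives a concrete list of the `requires` entries the quick-audit endpoint would have no resolution for, which is the kind of evidence to attach when reporting a lockfile that npm accepts but the endpoint rejects.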