DependencyCheck: Invalid payload submitted to Node Audit API. Received response code: 400 Bad Request
In our project the dependency-check fails on the Node Audit analyzer with the error:

Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
However, this is NOT the same problem as in #2641
Investigating I found out that in fact the payload, which is generated in https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/java/org/owasp/dependencycheck/analyzer/NodeAuditAnalyzer.java#L184, seems not to be accepted by the NPM REST API.
What I did was:
- run the dependency check (in my case through the CLI like this):
  dependency-check -s . --disableYarnAudit --log dependencycheck.log
- open the file dependencycheck.log and find the payload in there (close to the line "Node Audit Payload") and copy it
- run the call to https://registry.npmjs.org/-/npm/v1/security/audits manually with curl or Postman like this:
  curl --location --request POST 'https://registry.npmjs.org/-/npm/v1/security/audits' \
    --header 'Content-Type: application/json' \
    --data-raw 'PLACE-PAYLOAD-HERE'
and I get the same error:
{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "Invalid package tree, run npm install to rebuild your package-lock.json"
}
When I run npm audit it works though, so I think it's not a problem with my package-lock.json or with NPM.
Here is the payload in our example nodeaudit_payload.txt
So, the problem must be somewhere in NpmPayloadBuilder.java.
Stripping down the payload on a trial-and-error basis, the error persists and only goes away when the entries in section requires resemble the entries in section dependencies - but not sure if that is really the rule.
About this issue
- State: open
- Created 3 years ago
- Reactions: 2
- Comments: 18 (1 by maintainers)
I think this will help https://docs.npmjs.com/cli/v7/commands/npm-audit?v=true#bulk-advisory-endpoint I made use of the new bulk advisory endpoint instead of the plugin's default one.
I had the same problem when I upgraded to Node 18+ and npm 8+. The solution with deleting node_modules and package-lock.json, followed by npm install did not work for me.
I came up with this solution, I added the following line of code in the configuration tag for dependency-check-maven plugin in the parent pom.xml, and now it's working again.
<nodeAuditAnalyzerUrl>/-/npm/v1/security/advisories/bulk</nodeAuditAnalyzerUrl>
@ryandutton: Under normal circumstances you will not see any error from npm audit because this command will first issue a bulk request - different endpoint and different format https://docs.npmjs.com/cli/v8/commands/npm-audit#bulk-advisory-endpoint - and only if that fails it will issue a request to the quick audit endpoint (the one used by dependency-check). But if you intercept the HTTP request to the bulk endpoint and fail that, then you will see the quick audit endpoint failing just like you see in dependency-check.
So maybe we have two issues here:
- dependency-check: try to use the bulk endpoint first just like npm audit
- npm: the quick audit endpoint is failing on legitimate package-lock.json (generated by npm!)
By the way - I only saw this occurring after upgrading my Nx repo to Nx 14.3.5 and Angular 14.0.1, node 16.15.0 and npm 8.5.5
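The thread discusses two request shapes: the quick-audit body that DependencyCheck builds (where the reporter found that "requires" entries have to line up with "dependencies" entries) and the bulk advisory endpoint that npm audit tries first. The script below is an added example, not code from this issue, from DependencyCheck's NpmPayloadBuilder, or from npm. It builds both bodies from a constructed lockfileVersion 1 package-lock and runs a local consistency check modelled on the reporter's observation: every name in a node's "requires" must resolve to an entry in that node's own "dependencies" or in an ancestor's, the way node module resolution hoists. The field layout of the quick-audit body and the bulk format ({"package": ["1.0.0", ...]}) are assumptions taken from npm's documentation, and the check is a local sanity test, not a claim about what the registry validates.

```python
"""Local checks for the two npm audit request formats. Added example, not
DependencyCheck's or npm's code. Assumed shapes (from npm docs): quick audit
= root name/version + root "requires" map + nested "dependencies" tree;
bulk advisory = {"name": ["version", ...]}. Lockfile below is constructed."""
import json

# Constructed package.json; "minimist" is declared but missing from the lock.
PACKAGE_JSON = {
    "name": "example-app",
    "version": "1.0.0",
    "dependencies": {
        "left-pad": "^1.3.0",
        "lodash": "^4.17.0",
        "send": "^0.18.0",
        "minimist": "^1.2.5",
    },
}

# Constructed package-lock.json, lockfileVersion 1 (nested "dependencies").
PACKAGE_LOCK = json.loads("""
{
  "name": "example-app", "version": "1.0.0", "lockfileVersion": 1,
  "dependencies": {
    "left-pad": {"version": "1.3.0"},
    "lodash": {"version": "4.17.21"},
    "ms": {"version": "2.1.3"},
    "send": {
      "version": "0.18.0",
      "requires": {"debug": "2.6.9", "ms": "2.1.3"},
      "dependencies": {
        "debug": {"version": "2.6.9",
                  "requires": {"ms": "2.0.0"},
                  "dependencies": {"ms": {"version": "2.0.0"}}}
      }
    }
  }
}
""")


def build_quick_audit_payload(pkg, lock):
    """Quick-audit body (assumed shape): root "requires" from package.json,
    "dependencies" copied from the lock tree (version/requires/dependencies)."""
    def node(info):
        out = {"version": info["version"]}
        if info.get("requires"):
            out["requires"] = dict(info["requires"])
        if info.get("dependencies"):
            out["dependencies"] = {n: node(i) for n, i in info["dependencies"].items()}
        return out

    return {
        "name": pkg["name"],
        "version": pkg["version"],
        "requires": {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})},
        "dependencies": {n: node(i) for n, i in lock.get("dependencies", {}).items()},
    }


def find_unresolved_requires(payload):
    """Consistency check modelled on the reporter's finding: each name in a
    node's "requires" must exist in that node's own "dependencies" or in an
    ancestor's (hoisted lookup). Returns (path, name, spec) for each miss."""
    problems = []

    def walk(node, path, scopes):
        scopes = scopes + [node.get("dependencies", {})]
        for name, spec in node.get("requires", {}).items():
            if not any(name in scope for scope in reversed(scopes)):
                problems.append(("/".join(path) or "<root>", name, spec))
        for child_name, child in node.get("dependencies", {}).items():
            walk(child, path + [child_name], scopes)

    walk(payload, [], [])
    return problems


def build_bulk_advisory_payload(lock):
    """Bulk-advisory body (assumed format): every installed version of every
    package in the lock, deduplicated and sorted."""
    versions = {}

    def walk(deps):
        for name, info in deps.items():
            versions.setdefault(name, set()).add(info["version"])
            walk(info.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return {name: sorted(v) for name, v in sorted(versions.items())}


if __name__ == "__main__":
    quick = build_quick_audit_payload(PACKAGE_JSON, PACKAGE_LOCK)
    for path, name, spec in find_unresolved_requires(quick):
        print(f"unresolved: {path} requires {name}@{spec}")
    print(json.dumps(build_bulk_advisory_payload(PACKAGE_LOCK), indent=2))
```

Running it reports that the root requires minimist@^1.2.5 with no matching entry in the tree, which is the kind of requires/dependencies mismatch the reporter saw trigger the 400, and prints the much flatter bulk body that only lists name-to-version arrays and needs no tree at all.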