I've noticed that the plugin fails its scan and returns null when it tries to scan a node_modules folder link. It tries to go inside the folder but doesn't find a real folder, so it fails and returns this error:
[WARN] An unexpected error occurred during analysis of '/project/npm-shrinkwrap.json' (Node.js Package Analyzer): null
[ERROR]
java.lang.NullPointerException: null
at org.glassfish.json.JsonObjectBuilderImpl$JsonObjectImpl.getString(JsonObjectBuilderImpl.java:199)
at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.processDependencies(NodePackageAnalyzer.java:253)
at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.processDependencies(NodePackageAnalyzer.java:259)
at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.analyzeDependency(NodePackageAnalyzer.java:226)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:138)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
[INFO] Finished Node.js Package Analyzer (0 seconds)
Monorepos or big projects have lots of submodules with their dependencies, and folder links help npm i perform better, but this represents a problem for the plugin.
I don't know if it is a bug or a possible feature, but I think it's a good idea to let you know about this behaviour. Is it possible for dependency-check to follow the link and scan the correct folder (and complete the scan correctly), or is it a self-imposed limit of the project when this plugin is used for it?
Thank you very much
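A pre-flight check for the situation described in this report, added here as an example (it is not dependency-check's own code). It assumes the analyzer reads the nested "dependencies" tree of npm-shrinkwrap.json and expects each entry to carry a string "version" field; the sample project layout, package names and versions are constructed.

```python
"""Pre-flight check before running dependency-check's Node.js Package Analyzer.
Added example, not dependency-check's own code. Assumes the scanner reads the
nested "dependencies" tree of npm-shrinkwrap.json and expects each entry to
carry a string "version" (the kind of value getString() would fail on)."""
import json
import os
import tempfile
from pathlib import Path


def walk_deps(deps, parent):
    """Yield (install_path, entry) for every nested shrinkwrap dependency."""
    for name, entry in deps.items():
        path = parent / "node_modules" / name
        yield path, entry
        yield from walk_deps(entry.get("dependencies", {}), path)


def preflight(project_root):
    """Report entries that a scanner which does not follow directory symlinks,
    or which assumes a "version" string, could choke on."""
    root = Path(project_root)
    lock = json.loads((root / "npm-shrinkwrap.json").read_text())
    report = {"checked": 0, "symlinked": [], "missing_version": []}
    for path, entry in walk_deps(lock.get("dependencies", {}), root):
        report["checked"] += 1
        rel = str(path.relative_to(root))
        if not isinstance(entry.get("version"), str):
            report["missing_version"].append(rel)
        if os.path.islink(path):  # does not follow the link: flags it as-is
            report["symlinked"].append(rel)
    return report


def make_sample_project(base):
    """Constructed monorepo-style layout: one real package, one package that
    is a directory symlink into a shared folder, one entry with no version."""
    base = Path(base)
    (base / "shared" / "left-pad").mkdir(parents=True)
    (base / "node_modules" / "lodash").mkdir(parents=True)
    os.symlink(base / "shared" / "left-pad", base / "node_modules" / "left-pad")
    lock = {"dependencies": {"lodash": {"version": "4.17.21"},
                             "left-pad": {"version": "1.3.0"}, "broken": {}}}
    (base / "npm-shrinkwrap.json").write_text(json.dumps(lock))
    return base


def demo():
    """Build the sample project in a temp dir and run the check on it."""
    return preflight(make_sample_project(tempfile.mkdtemp()))
```

Calling demo() builds the sample tree and returns the report; run preflight() on a real project root to list the symlinked packages before handing it to the scanner.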