Is your feature request related to a problem? Please describe.
Using yarn berry with workspaces doesn't work right now. It would be great to also support this newer version of yarn.
Tried with the latest CLI version: ./dependency-check.sh --out . --scan ...
Repository to reproduce: https://github.com/Purii/yarn-monorepo-example
Result:
[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[WARN] No lock file exists - this will result in false negatives; please run `npm install --package-lock`
[WARN] Analyzing `/Users/../yarn-monorepo-example/packages/package-b/package.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check
[WARN] No lock file exists - this will result in false negatives; please run `npm install --package-lock`
[WARN] Analyzing `/Users/../yarn-monorepo-example/packages/package-a/package.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check
[INFO] Finished Node.js Package Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (0 seconds)
[INFO] Finished CPE Analyzer (0 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARN] An unexpected error occurred during analysis of '/Users/../yarn-monorepo-example/yarn.lock' (Yarn Audit Analyzer): No value present
[ERROR]
java.util.NoSuchElementException: No value present
at java.base/java.util.Optional.get(Optional.java:143)
at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson(YarnAuditAnalyzer.java:241)
at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzePackage(YarnAuditAnalyzer.java:281)
at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzeDependency(YarnAuditAnalyzer.java:106)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:833)
[INFO] Finished Yarn Audit Analyzer (0 seconds)
[INFO] Finished RetireJS Analyzer (4 seconds)
[WARN] Unable to determine Package-URL identifiers for 5286 dependencies
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (1 seconds)
[INFO] Analysis Complete (8 seconds)
[INFO] Writing report to: /Users/../dependency-check/bin/./dependency-check-report.html
[ERROR] No value present
Describe the solution you'd like
There's already a comment in another thread: jeremylong/DependencyCheck#4215 (comment)
These commands are not valid for latest versions of yarn anymore: https://github.com/jeremylong/DependencyCheck/blob/aa73c256dff0f8253ab259f871d38d7193e92191/core/src/main/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzer.java#L214
Since yarn berry is very different from yarn classic, I suggest treating it as a separate dependency manager instead of extending the existing yarn implementation.
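The stack trace above ends in `Optional.get()` throwing `NoSuchElementException` because the analyzer assumes a classic-style `yarn audit` result. A practitioner-side sketch of the detection step that is missing, added here as an example and not code from DependencyCheck or from the reproduction repository: classify a `yarn.lock` by its header (classic lockfiles carry a `# yarn lockfile v1` marker, berry lockfiles carry a `__metadata:` block with a `version:` key), pick the audit command documented for that flavour (`yarn audit --json` for classic, `yarn npm audit --all --recursive --json` for berry), and fail with a clear message instead of an unchecked `Optional` when neither applies. The two sample lockfiles are constructed for this example, and the regular expressions, function names and the decision to surface workspace paths from the berry lockfile are this example's own assumptions.

```python
"""Classify a yarn.lock as classic (v1) or berry (v2+) and choose the audit
command for it.  Added example; not DependencyCheck code."""
import re
from typing import List, Optional, Tuple

# Constructed sample lockfiles: minimal shapes, not copied from any real project.
CLASSIC_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"left-pad@^1.3.0":
  version "1.3.0"
"""

BERRY_LOCK = """\
# This file is generated by running "yarn install" inside your project.
# Manual changes might be lost - proceed with caution!

__metadata:
  version: 6
  cacheKey: 8

"package-a@workspace:packages/package-a":
  version: 0.0.0-use.local
  resolution: "package-a@workspace:packages/package-a"
  languageName: unknown
  linkType: soft

"package-b@workspace:packages/package-b":
  version: 0.0.0-use.local
  resolution: "package-b@workspace:packages/package-b"
  languageName: unknown
  linkType: soft
"""

# Classic (yarn 1.x) lockfiles announce themselves in a comment header.
_CLASSIC_MARKER = re.compile(r"^# yarn lockfile v(\d+)[ \t]*$", re.M)
# Berry lockfiles are YAML with a top-level __metadata block holding "version: N".
_BERRY_VERSION = re.compile(
    r"^__metadata:[ \t]*\n(?:[ \t]+\S.*\n)*?[ \t]+version:[ \t]*(\d+)", re.M
)
# Berry records workspace packages as "<name>@workspace:<relative path>" resolutions.
_WORKSPACE = re.compile(r'^[ \t]+resolution:[ \t]*"[^"]*@workspace:([^"]+)"', re.M)


def detect_yarn_lock(text: str) -> Tuple[str, Optional[int]]:
    """Return ("classic", 1), ("berry", <metadata version>) or ("unknown", None)."""
    m = _CLASSIC_MARKER.search(text)
    if m:
        return "classic", int(m.group(1))
    m = _BERRY_VERSION.search(text)
    if m:
        return "berry", int(m.group(1))
    return "unknown", None


def berry_workspaces(text: str) -> List[str]:
    """Relative paths of workspace packages listed in a berry lockfile (empty for classic)."""
    return _WORKSPACE.findall(text)


def audit_command(flavour: str) -> List[str]:
    """argv for the audit command matching the lockfile flavour.

    Classic and berry emit differently shaped JSON, so a caller must parse each
    flavour with its own reader rather than feeding berry output to the classic parser.
    """
    if flavour == "classic":
        return ["yarn", "audit", "--json"]
    if flavour == "berry":
        # --all covers every workspace, --recursive covers transitive dependencies.
        return ["yarn", "npm", "audit", "--all", "--recursive", "--json"]
    # Explicit failure instead of an unchecked Optional.get() on a missing result.
    raise ValueError(f"cannot choose a yarn audit command for lockfile flavour {flavour!r}")


if __name__ == "__main__":
    for label, lock in (("classic", CLASSIC_LOCK), ("berry", BERRY_LOCK)):
        flavour, version = detect_yarn_lock(lock)
        print(label, "->", flavour, version, audit_command(flavour), berry_workspaces(lock))
```

Running the detector before choosing a command keeps the classic code path untouched and gives a berry monorepo its own branch, which is the separation the request above argues for; the workspace list is what a berry-aware analyzer would iterate over instead of expecting a `node_modules` directory under each package.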