Is npm install required for ODC to analyze all dependencies of a node project #7451

Open
Kaidey opened this issue Feb 21, 2025 · 1 comment
Kaidey commented Feb 21, 2025

Hi. Going straight to the point, I would like to know if running npm install/npm ci is a requirement for ODC to be able to analyze all dependencies of a node project with Node Audit Analyzer. Now for context:

I'm working on a yml template whose purpose is to perform vulnerability analysis in a technology-agnostic fashion for multiple AzDo pipelines. My team works with repos containing either nuget, node or python (poetry) dependencies and we would like to avoid running npm install (or equivalent for other technologies) on this template, as it is intended to run separately from any build jobs.

We've been successful in running ODC without restore/install for repos containing nuget/python dependencies, but for node we noticed that, without npm install/ci, only npm's transitive dependencies (npm/*) are scanned. However, running npm audit with and without npm install produces the same output.

From the documentation I wasn't able to surmise if we are having misconfiguration issues or if this is the expected behaviour of ODC's Node Audit Analyzer (we've disabled Node Package Analyzer as per the recommendation in #6437), but since on both the previously linked issue and also #6291 it is mentioned that "node audit analyzer is equivalent to just running npm audit", I am a little confused as to why ODC produces a different output on both scenarios and npm audit does not.

I've also skimmed the source code of the tool and my understanding is that it grabs package/package-lock files and, from them, prepares the payload to be sent to npm audit API, including in the report whatever the API returns.

On a final note, our npmrc is pointing to an internal, private AzDo npm feed and npm authentication to the feed is set. We theorized that the private feed might have something to do with the different behaviours since npm audit has access to the feed while ODC does not, thus requiring the dependencies to be installed. Could this claim be verified?

Environment details:

Lockfile version: 2
ODC: v12.1.0
Node: v18.19.1
Npm: v10.2.4
OS: Ubuntu 20.04
ODC AzDo task: v6.2.3

Dependency management files tracked by node repos: package.json and package-lock.json

Command used to run ODC:

dependency-check.sh --project <project> --scan <pathToRepositoryRoot> --disableNodeJS --disableBundleAudit --nodeAuditSkipDevDependencies --nvdDatafeed <secret> --connectionString <secret> --dbDriverPath <driverPath> --dbDriverName <driverName> --dbPassword <secret> --dbUser <secret>
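A quick way to check what a lockfile alone exposes, as an added example that is not part of this issue or of ODC's code: enumerate every package pinned in a lockfileVersion 2 package-lock.json without node_modules present, optionally dropping dev-only entries (the counterpart of --nodeAuditSkipDevDependencies), and shape the result as a bulk-advisory request body. The lockfile is constructed, and the { name: [versions] } request shape is assumed to mirror what npm audit sends.

```javascript
// Constructed lockfileVersion 2 excerpt; real files are read with fs.readFileSync + JSON.parse.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0",
          dependencies: { lodash: "^4.17.0", "@scope/pkg": "^2.0.0" },
          devDependencies: { jest: "^29.0.0" } },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/@scope/pkg": { version: "2.0.0" },
    "node_modules/jest": { version: "29.7.0", dev: true },
    // nested install: transitive dev dependency of jest
    "node_modules/jest/node_modules/chalk": { version: "4.1.2", dev: true },
  },
};

// A v2 lockfile keys entries by install path; the package name is everything
// after the last "node_modules/", which keeps scoped names like "@scope/pkg" intact.
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Build { name: [versions] } from the lockfile's "packages" map.
// skipDev drops entries the lockfile marks "dev": true (dev-only subtrees).
function auditPayload(lock, { skipDev = false } = {}) {
  if (!lock.packages || lock.lockfileVersion < 2) {
    throw new Error("expected lockfileVersion >= 2 with a 'packages' map");
  }
  const payload = {};
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue;            // the root project itself
    if (!entry.version) continue;         // link:/workspace entries carry no version
    if (skipDev && entry.dev) continue;
    const name = packageName(path);
    const versions = payload[name] || (payload[name] = []);
    if (!versions.includes(entry.version)) versions.push(entry.version);
  }
  return payload;
}

// Count prod vs dev entries: a lockfile that lists only a handful of packages
// explains a short audit result before any registry access is involved.
function countByKind(lock) {
  const entries = Object.entries(lock.packages).filter(([p, e]) => p !== "" && e.version);
  const dev = entries.filter(([, e]) => e.dev).length;
  return { total: entries.length, dev, prod: entries.length - dev };
}

console.log(JSON.stringify(auditPayload(SAMPLE_LOCK, { skipDev: true }), null, 2));
console.log(countByKind(SAMPLE_LOCK));
```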
@jeremylong (Collaborator) commented

Can you run npm audit without running install? Because that is all ODC is doing.
