Retire.js analyzer needs node_modules directory

Summary

The Retire.js Analyzer for Dependency Scanning fails to analyze an npm or yarn project that has no node_modules directory. It should run npm install or yarn install, depending on which package manager is detected.

Steps to reproduce

  • Create an npm or yarn project that depends on an affected version of some npm library.
  • Configure a dependency_scanning job.
  • Run a pipeline.

There may be DS vulnerabilities reported by Gemnasium but no vulnerabilities reported by Retire.js. Retire.js complains with "Need to run npm install ?".

Example Projects

What is the current bug behavior?

No vulnerabilities are reported by retire.js when dependencies are not vendored.

What is the expected correct behavior?

Retire.js should report vulnerabilities.

Relevant logs and/or screenshots

See log of this dependency_scanning job:

2019/01/18 11:39:04 [retire.js] Detect project using plugin
2019/01/18 11:39:04 [retire.js] Project is compatible
2019/01/18 11:39:04 [retire.js] Starting analyzer...
2: Pulling from gitlab-org/security-products/analyzers/retire.js
cd784148e348: Already exists
...
Digest: sha256:4c6acb9e4baf3389e49b2e3b23dbf40a108357bec921dfc57cd752fd34560542
Status: Downloaded newer image for registry.gitlab.com/gitlab-org/security-products/analyzers/retire.js:2
Found project in /tmp/app
Missing version for @nuxtjs/axios. Need to run npm install ?
Missing version for @nuxtjs/browserconfig. Need to run npm install ?
...

Possible fixes

Update the Retire.js Analyzer so that it runs npm install or yarn install when there's no node_modules directory in the repo.
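As an added illustration (not the analyzer's own code), a POSIX shell sketch of that decision: pick yarn or npm from the lockfile that is present, skip the install when node_modules is already vendored, then run retire.js. It assumes the retire CLI is on PATH; the --ignore-scripts flags are an added precaution for running third-party package scripts inside a scanner, not something the issue asks for.

```shell
#!/bin/sh
# Decide which install command a Dependency Scanning job should run before
# retire.js when the repository has no vendored node_modules directory.
# Assumed layout: project root holds package.json plus, optionally, yarn.lock
# or package-lock.json. Prints the command, or nothing if no install applies.
install_command_for() {
  project_dir="$1"

  # No package.json: retire.js would not detect a compatible project anyway.
  [ -f "$project_dir/package.json" ] || return 0

  # Dependencies already vendored: keep today's behaviour and install nothing.
  [ -d "$project_dir/node_modules" ] && return 0

  # Prefer the lockfile so the scanned tree matches what the app really uses.
  # --ignore-scripts stops dependency lifecycle scripts from executing inside
  # the scanner container (added caveat, not part of the issue).
  if [ -f "$project_dir/yarn.lock" ]; then
    echo "yarn install --frozen-lockfile --ignore-scripts"
  elif [ -f "$project_dir/package-lock.json" ]; then
    echo "npm ci --ignore-scripts"
  else
    echo "npm install --ignore-scripts"
  fi
}

# Run the chosen install inside the project (if any), then retire.js itself.
prepare_and_scan() {
  project_dir="$1"
  cmd="$(install_command_for "$project_dir")"
  if [ -n "$cmd" ]; then
    echo "Installing dependencies in $project_dir: $cmd"
    # $cmd is intentionally unquoted so the shell splits it into words.
    (cd "$project_dir" && $cmd) || return 1
  fi
  (cd "$project_dir" && retire --outputformat json --outputpath retire.json)
}
```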

/cc @plafoucriere @gonzoyumo