Node 15 / npm 7 lockfile version 2 fails Gemnasium scan
Summary
Running Gemnasium on a Node project using npm 7's lockfileVersion: 2 throws the following error:
[FATA] [Gemnasium] [2020-10-29T19:02:20Z] ▶ Wrong file format version
Further details
Gemnasium v2.25.0 only supports v1 of npm lock files, and v2 is a breaking change:
- the dependencies object is similar to the one of v1, but top level objects no longer have a version
- there's a new packages object that lists all the dependencies, including those that are local to a package; this is what should be used to extract package versions
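As an added illustration of the difference described above (example code, not Gemnasium's parser/npm), the following reads a parsed package-lock.json, picks the object that carries versions for each lockfileVersion, and rejects any other version the way the scan currently does. The two lockfiles are constructed samples; the key shapes (nested dependencies in v1, node_modules/... paths, a "" root entry and link entries in v2) follow the real format.

```javascript
// Constructed v1 lockfile: versions live on the nested `dependencies` tree.
const LOCKFILE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: "4.17.20", dependencies: { ms: { version: "2.1.2" } } },
  },
};

// Constructed v2 lockfile: versions live on `packages`, keyed by install path.
const LOCKFILE_V2 = {
  lockfileVersion: 2,
  packages: {
    "": { name: "create-node-project", version: "1.0.0" },          // root project
    "node_modules/lodash": { version: "4.17.20" },
    "node_modules/lodash/node_modules/ms": { version: "2.1.2" },    // nested dep
    "node_modules/local-lib": { resolved: "packages/local-lib", link: true },
    "packages/local-lib": { name: "local-lib", version: "0.1.0" },  // local package
  },
};

// v1: walk each entry and its nested `dependencies` recursively.
function walkV1(deps, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    out.push({ name, version: info.version, local: false });
    walkV1(info.dependencies, out);
  }
  return out;
}

// v2: every dependency is a flat key; the name is the last node_modules/ segment.
// Keys without node_modules/ are local (workspace) packages and carry their own name.
function walkV2(packages, out) {
  for (const [path, info] of Object.entries(packages || {})) {
    if (path === "" || info.link) continue;  // skip root project and symlink stubs
    const idx = path.lastIndexOf("node_modules/");
    const local = idx < 0;
    const name = local ? info.name : path.slice(idx + "node_modules/".length);
    out.push({ name, version: info.version, local });
  }
  return out;
}

// Dispatch on lockfileVersion; unknown versions fail explicitly instead of mis-parsing.
function parseLockfile(lock) {
  if (lock.lockfileVersion === 1) return walkV1(lock.dependencies, []);
  if (lock.lockfileVersion === 2) return walkV2(lock.packages, []);
  throw new Error(`Wrong file format version: ${lock.lockfileVersion}`);
}
```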
Steps to reproduce
- Create a project using Node 15 / npm 7
- Run npm install to create a lockfile
- Run a Gemnasium job in the project's CI/CD pipeline
Example Project
- public project where this issue was first reported: https://gitlab.com/chet.manley/create-node-project
- branch of the js-npm that demonstrates the problem: https://gitlab.com/gitlab-org/security-products/tests/js-npm/-/commits/lockfileVersion2
What is the current bug behavior?
Gemnasium throws a fatal error and the job fails.
What is the expected correct behavior?
Gemnasium scans the project.
Relevant logs and/or screenshots
https://gitlab.com/chet.manley/create-node-project/-/jobs/819980620
$ /analyzer run
[INFO] [Gemnasium] [2020-10-29T19:02:19Z] ▶ GitLab Gemnasium analyzer v2.20.0
[INFO] [Gemnasium] [2020-10-29T19:02:19Z] ▶ Found project in /builds/chet.manley/create-node-project
[FATA] [Gemnasium] [2020-10-29T19:02:20Z] ▶ Wrong file format version
Output of checks
This bug happens on GitLab.com
Possible fixes
- implement support for lock file v2 in parser/npm, and add a specific QA job for this, connected to a new branch of tests/js-npm
- document the existing limitation
Implementation plan
- document the currently supported versions of npm in https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#supported-languages-and-package-managers
Edited by Fabien Catteau