Dependency Scanning node_modules file links lead to 404
Summary
The report generated by Dependency Scanning's retire.js analyzer contains broken links to node_modules when the analyzer automatically runs npm install or yarn install.
This is a side-effect of gitlab-org/security-products/analyzers/retire.js!9 (merged).
Steps to reproduce
Create a JavaScript project using npm or yarn, configure Dependency Scanning, and run the analyzer. Make sure the scanned project contains no node_modules directory, only dependency files supported by npm or yarn.
Example Project
See https://gitlab.com/gitlab-org/gitlab-ee/-/jobs/280894064
The generated report contains a link to node_modules/jquery.waitforimages/libs/jquery/jquery.js, which does not exist in the repo.
What is the current bug behavior?
The link is broken because the file doesn't exist in the repo (HTTP 404).
What is the expected correct behavior?
The link points to the dependency file where the affected module is defined. Ideally, it points to the exact line causing the affected package version to be installed. The affected file is one of yarn.lock, package.json, or npm-shrinkwrap.json.
Screenshot
Possible fixes
Update the retire.js analyzer to distinguish whether the file where a vulnerability is found is part of the repository or not:
- if the vulnerability is found in a file which is part of the repository, then we use that file as the location.file property.
- if the vulnerability is found in a file that is not part of the repository, then we use the package.json file as the location.file property.