Jenkins DependencyCheck插件扫描Node.js程序
问题1 Unable to read yarn audit output.
[DependencyCheck] [ERROR] NodeAuditAnalyzer failed on xxx/package-lock.json - yarn.lock was found; if package-lock.json was generated using synp, it may not be in the correct format.
[DependencyCheck] [ERROR] Unable to read yarn audit output.
Build step ‘Invoke Dependency-Check’ changed build result to FAILURE
解决办法
在执行DependencyCheck之前,先执行npm install && npm run build
问题2 Unable to read pnpm audit output.
[DependencyCheck] [ERROR] Unable to read pnpm audit output.
Build step ‘Invoke Dependency-Check’ changed build result to FAILURE
解决办法
在dependencyCheck 扫描参数中添加配置 --disablePnpmAudit
dependencyCheck完整的配置如下:
--project $projectName --scan $WORKSPACE --format HTML --format XML --format JUNIT --disableYarnAudit --disablePnpmAudit --disableMSBuild --out $WORKSPACE
SonarQube插件配置为:
sonar.projectKey=$projectName
sonar.projectName=$projectName
sonar.projectVersion=$branch
sonar.language=js
sonar.sourceEncoding=UTF-8
sonar.sources=./src
sonar.dependencyCheck.htmlReportPath=${WORKSPACE}/dependency-check-report.html
参考文档
- https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html