Scanning npm project stops after some minutes with no result #110

Open
jbackes opened this issue Feb 17, 2021 · 7 comments
Labels
bug Something isn't working

Comments

@jbackes

jbackes commented Feb 17, 2021

Describe the bug
I have a very basic angular project (see attached package.json package.json.zip, it's zipped since github does not support json attachments). When clicking the refresh button in the JFrog pane, the plugin starts doing something, i.e. it logs "Found npm project: c:......" and the status bar says "Xray: Scanning for vulnerabilities..." After about 5 minutes, the status bar is empty again but nothing else happens, no log entry etc. Jfrog pane just says "Nothing to show".

Three more notes:

  1. A different, maven based project just works perfectly fine (scan just takes a few seconds)
  2. I also tried Eclipse with the exact same result
  3. There is no network traffic at all and according to jstack, the plugin is executing something with NpmDriver.list for a very very long time

To Reproduce
Use the attached package.json package.json.zip and scan it

Expected behavior
Scan results

Versions

  • JFrog IDEA plugin version: 1.7.0
  • Operating system: Windows 10 19042.746
  • Xray version: 2.7.6
@jbackes jbackes added the bug Something isn't working label Feb 17, 2021
@yahavi
Member

yahavi commented Feb 17, 2021

Thanks for reporting this issue, @jbackes.
We couldn't reproduce this issue:
(screenshot omitted)

Please check the following:

  1. The npm project has to be identified by IntelliJ as a project. Please make sure you opened the directory that contains the package.json file - do not open the package.json itself.
  2. The plugin does not install the npm dependencies. Please make sure to run npm install and then click on the refresh button.
  3. To skip scanning test dependencies, projects containing the word test in their name are excluded from scanning. For example, dependencies under test-project will be excluded. You can view the exclusions in the plugin configuration near "npm excluded paths".

(screenshot omitted)

If all of the above didn't work for you, you can enable debug mode. See Troubleshooting.
Please also let me know if that helps.

@jbackes
Author

jbackes commented Feb 17, 2021

Hi @yahavi and thanks for your reply!

I already checked all your recommendations:

  • Intellij identifies the project
  • The package.json is there but I did not open it
  • I executed npm install
  • The project does not contain test in its name but to be sure I removed the test from the excluded paths - makes no difference
  • I enabled debug logging which makes no difference in logging (still just the "Found npm project....." message is logged)

The only difference I see between your test and my setup: you seem to be using macOS, I'm using Windows 10, and I think there is some platform-specific code in the NpmDriver class, so maybe....
Tomorrow I will be able to test with a Macbook, I will report back :-)

@yahavi
Member

yahavi commented Feb 17, 2021

@jbackes,
Thanks for your response.

Interesting! If you figure out what is the platform-specific code in the NpmDriver, please let me know.
Looking forward to your feedback tomorrow.

@jbackes
Author

jbackes commented Feb 18, 2021

@yahavi I tested today with a Macbook and it just works. So maybe it has to do with my Windows machine or with Windows in general, I don't know. The NpmDriver class uses
https://github.com/jfrog/build-info/blob/0f256145612c5fc35a7f8ea724f82c487ab5347d/build-info-extractor/src/main/java/org/jfrog/build/extractor/executor/CommandExecutor.java#L158
and in this class you have some platform-specific code. Specifically, with Windows, commands are executed using cmd.exe, and /bin/sh otherwise (which makes sense). I don't know if this makes any difference in practice. One of the npm commands executed by the plugin (npm ls --json --long) outputs around 27 MiB of json, maybe that's a problem for cmd.exe. It would be nice to have at least one more person with the same problem ;-)
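
The hypothesis above (a ~27 MiB `npm ls --json --long` result passing through cmd.exe) can be separated from the plugin itself with a small probe. The script below is an added diagnostic, not code from the JFrog plugin or build-info: it launches a child through the platform shell via Python's `shell=True` (cmd.exe on Windows, /bin/sh elsewhere, which is the split the comment describes and is assumed here to mirror CommandExecutor) and drains a JSON blob of the requested size from its stdout. The child is a constructed stand-in for npm so the probe runs offline; a stall or a truncated read here would suggest the process/pipe layer rather than the plugin.

```python
"""Probe: drain a large JSON blob from a child launched through the platform shell.
Added diagnostic (not JFrog plugin code); the child is a constructed stand-in for
`npm ls --json --long` so this runs offline."""
import json
import os
import subprocess
import sys
import tempfile
import time

MIB = 1024 * 1024

# Stand-in child: writes a JSON document of at least argv[1] bytes to stdout.
CHILD_SCRIPT = r"""
import json, sys
target = int(sys.argv[1])
# Each entry serialises to roughly 38 bytes, so target // 30 entries exceed target.
deps = {"pkg%08d" % i: {"version": "1.0.0"} for i in range(target // 30 + 1)}
sys.stdout.write(json.dumps({"name": "probe", "dependencies": deps}))
"""


def probe(size_bytes=27 * MIB, timeout_s=120):
    """Run the stand-in via shell=True (cmd.exe /c on Windows, /bin/sh -c otherwise)
    and read all of its stdout. Returns byte count, wall time, exit code and whether
    the output parsed as JSON with the expected number of dependencies."""
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as f:
        f.write(CHILD_SCRIPT)
        script = f.name
    try:
        start = time.monotonic()
        # run() drains stdout and stderr concurrently via communicate(). Waiting
        # for the child to exit before reading would deadlock once the pipe
        # buffer (tens of KiB at most) fills, which presents as a silent hang.
        proc = subprocess.run(f'"{sys.executable}" "{script}" {size_bytes}',
                              shell=True, capture_output=True, timeout=timeout_s)
        elapsed = time.monotonic() - start
    finally:
        os.unlink(script)
    try:
        doc = json.loads(proc.stdout)
        parsed = len(doc["dependencies"]) == size_bytes // 30 + 1
    except (ValueError, KeyError, TypeError):
        parsed = False
    return {"bytes": len(proc.stdout), "seconds": round(elapsed, 2),
            "returncode": proc.returncode, "parsed": parsed}


if __name__ == "__main__":
    print(probe())
```

Run it on the affected Windows machine with the default 27 MiB size; if it completes in seconds with `parsed` True, the shell/pipe path handles the volume and the cause lies elsewhere.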

@yahavi
Member

yahavi commented Feb 18, 2021

@jbackes
Thanks for this information. The command executor is in use in many of our products. Therefore I'm doubtful there is a logical error in this component.
The point you raised with the 27 MiB is interesting. Would you like to try increasing the heap size of IntelliJ? You can find a guide here: https://www.jetbrains.com/help/idea/increasing-memory-heap.html

Please let me know if that helped.

@jbackes
Author

jbackes commented Feb 18, 2021

@yahavi
I already tried that before posting here :-) My macOS IntelliJ only has 2 GiB of heap, Windows IntelliJ had 4 GiB and I increased it to 8 GiB (makes no difference).
I don't think either that the command executor has a logical error, but maybe (it's just a guess) cmd.exe <-> Java has a problem with large data blobs. You did not test this under Windows, did you?

@yahavi
Member

yahavi commented Jun 10, 2021

@jbackes,
Thanks for your feedback.

The command executor is a base component for many plugins we maintain - Jenkins Artifactory plugin, Bamboo Artifactory plugin, this plugin, and more. It has extensive tests for each platform, including unit tests and integration tests. All tests run on Windows and Linux (see Appveyor.yml). We also perform an extensive sanity process before each release. However, due to dependency on many environments and tools, sometimes issues may happen.

In the last releases (1.9.0 and 1.9.1) we resolved an issue that popped up in npm 7 (see this PR).
What is your npm version?
