Where is the web page/site for atlassian/bitbucket-dependency-scanner?

@Paul S hi.

You mean this one: bitbucket-dependency-scanner?

Additionally here is the pipe link to repository.

To discover more pipes: Bitbucket Pipes 


Regards, Igor

@Oleksandr Kyrdan @Igor Stoyanov  Hi, why does this warning happen in the first place? Do I need to enable something somewhere to get rid of it?

Using atlassian/bitbucket-dependency-scanner:0.3.0 - it completes successfully but ends with:

"WARNING: Skip to create annotations because of HTTP error.400 Client Error: Bad Request for url ..."

HTTP error 400 implies a malformed API request...?

@Anders Ervik Hi.
Thanks for your question.
Please, next time create your own topic, for your own issue.
Try to update the pipe version to 0.4.0 and see if a problem still happen.

Regards, Igor

@Igor Stoyanov Apologies, this reads like the same issue to me and the underlying issue seems to persist. Version 0.4.0 gives same warning.

Thanks for your reply though, it sounds like it should have worked without any external configuration, so that's helpful too.

My project is a monorepo with 9 npm projects scanned at once. Now I suspect the problem has to do with scale. I ran the pipe with DEBUG=true and examined the JSON-dump before it sends the annotations: 

The JSON is 21kb, it has 13 annotation objects with `external_id`, `annotation_type`, `details` etc. The only thing that stands out is some of the 'details' fields are over 4k. I'd wager the Bitbucket annotation API does not support this large fields, but I don't have time to confirm. F.ex this one:

```

[{'external_id': 'e01eb8f4-83a1-459a-a5c6-33523ad6194e', 'annotation_type': 'VULNERABILITY', 'severity': 'moderate', 'summary': 'GHSA-9r9m-ffp6-9x4v in @intlify/core-base:10.0.4', 'path': '[REDACTED]/package-lock.json?vue-i18n:10.0.4/@intlify/core-base:10.0.4', 'details': '### Vulnerability type\nXSS\n\n### Description\nvue-i18n can be passed locale messages to `createI18n` or `useI18n`.\nwe can then translate them using `t` and `$t`.\nvue-i18n has its own syntax for local messages, and uses a message compiler to generate AST.\nIn order to maximize the performance of the translation function, vue-i18n uses bundler plugins such as `@intlify/unplugin-vue-i18n` and bulder to convert the AST in advance when building the application.\nBy using that AST as the locale message, it is no longer necessary to compile, and it is possible to translate using the AST.\n\nThe AST generated by the message compiler has special properties for each node in the AST tree to maximize performance. In the PoC example below, it is a `static` property, but that is just one of the optimizations.\nAbout details of special properties, see https://github.com/intlify/vue-i18n/blob/master/packages/message-compiler/src/nodes.ts\n\nIn general, the locale messages of vue-i18n are optimized during production builds using `@intlify/unplugin-vue-i18n`,\nso there is always a property that is attached during optimization like this time.\nBut if you are using a locale message AST in development mode or your own, there is a possibility of XSS if a third party injects.\n\n### Reproduce (PoC)\n```html\n<!doctype html>\n<html>\n <head>\n <meta charset="utf-8" />\n <title>vue-i18n XSS</title>\n <script src="https://unpkg.com/vue@3"></script>\n <script src="https://unpkg.com/vue-i18n@10"></script>\n <!-- Scripts that perform prototype contamination, such as being distributed from malicious hosting sites or injected through supply chain attacks, etc. -->\n <script>\n /**\n * Prototype pollution vulnerability with `Object.prototype`.\n * The \'static\' property is part of the optimized AST generated by the vue-i18n message compiler.\n * About details of special properties, see https://github.com/intlify/vue-i18n/blob/master/packages/message-compiler/src/nodes.ts\n *\n * In general, the locale messages of vue-i18n are optimized during production builds using `@intlify/unplugin-vue-i18n`,\n * so there is always a property that is attached during optimization like this time.\n * But if you are using a locale message AST in development or your own, there is a possibility of XSS if a third party injects prototype pollution code.\n */\n Object.defineProperty(Object.prototype, \'static\', {\n configurable: true,\n get() {\n alert(\'prototype polluted!\')\n return \'prototype pollution\'\n }\n })\n </script> \n </head>\n <body>\n <div id="app">\n <p>{{ t(\'hello\') }}</p>\n </div>\n <script>\n const { createApp } = Vue\n const { createI18n, useI18n } = VueI18n\n\n // AST style locale message, which build by `@intlify/unplugin-vue-i18n`\n const en = {\n hello: {\n type: 0,\n body: {\n items: [\n {\n type: 3,\n value: \'hello world!\'\n }\n ]\n }\n }\n }\n\n const i18n = createI18n({\n legacy: false,\n locale: \'en\',\n messages: {\n en\n }\n })\n\n const app = createApp({\n setup() {\n const { t } = useI18n()\n return { t }\n }\n })\n app.use(i18n)\n app.mount(\'#app\')\n </script>\n </body>\n</html>\n```\n\n### Workarounds\nBefore v10.0.0, we can work around this vulnerability by using the regular compilation (`jit: false` of `@intlify/unplugin-vue-i18n` plugin configuration) way instead of jit compilation.\n- jit compilation: https://vue-i18n.intlify.dev/guide/advanced/optimization.html#jit-compilation\n- bundler plugin option: https://github.com/intlify/bundle-tools/tree/main/packages/unplugin-vue-i18n#jitcompilation\n\n### References\n- [Simillar case: Vue 2 XSS vulnerability with prototype pollution](https://www.herodevs.com/vulnerability-directory/cve-2024-6783)\n'},

```

@Anders Ervik . Thanks for the additional details. Our team will investigate this.

Regards, Igor

@Igor Stoyanov Finally got around to reproduce it here. The full error message from the annotations API is:

{
key: 'report-service.general.bad-request',
message: 'The details field cannot contain more than 2000 characters.',
arguments: {}
}

Also tried with a long summary:

{
key: 'report-service.general.bad-request',
message: 'The summary field cannot contain more than 450 characters.',
arguments: {}
}

... based on modified examples from https://developer.atlassian.com/cloud/bitbucket/rest/api-group-reports/#api-repositories-workspace-repo-slug-commit-commit-reports-reportid-annotations-post

Wishlist:

• Pipe prints full response from server on non-200 HTTP statuses
• Pipe truncates summary and details at their respective size limits

Hi @Anders Ervik 

The new version with improvements is released:

script:
  - pipe: atlassian/bitbucket-dependency-scanner:0.5.0

Best regards,
Oleksandr Kyrdan

Hi Igor,
im using this owasp dependency check pipe