Using Endor Labs, developers can:
- Test their software for potential issues and violations of organizational policy
- Prioritize vulnerabilities in the context of their applications
- Understand the relationships between software components in their applications
- Install software prerequisites
- Run a scan
- Understand the scan process
- Troubleshoot errors
Install software prerequisites
Endor Labs requires the following prerequisite software to be installed to successfully perform a scan:
- Yarn: Any version
- NPM: 6.14.18 or higher versions
- PNPM: 3.0.0 or higher versions
Make sure that you have the following minimum system specification requirements:
- Processor: 4-core
- Memory: 16 GB
Ensure that your repository has a package.json file, and run the following command, making sure that it builds the project successfully.
If the project is not built, endorctl builds the project during the scan and generates a package-lock.json, yarn.lock, or pnpm-lock.yaml file. Make sure that NPM, Yarn, or PNPM is installed on your system. If your repository already includes a lock file, endorctl uses that file for dependency resolution and does not create a new one.
Run a scan
Perform a scan to get visibility into your software composition and resolve dependencies.
To detect dependencies when using PNPM:
If you are using PNPM, set the environment variable to true and then run the scan.
To detect phantom dependencies:
To detect dependencies that are used in source code but not declared in the package’s manifest files, set the --phantom-dependencies flag:
endorctl scan --phantom-dependencies
You can perform the scan from within the root directory of the git project repository and save the local results to a results.json file. The results and related analysis information are also available in the Endor Labs user interface.
endorctl scan -o json | tee /path/to/results.json
Sign in to the Endor Labs user interface, click Projects in the left sidebar, and find your project to review its results.
Understand the scan process
Dependency analysis tools analyze the lock file of an npm, Yarn, or pnpm based package and attempt to resolve its dependencies. To resolve dependencies from private repositories, the settings in the repository's .npmrc file are considered. The analysis also identifies:
- Dependencies listed in the manifest file but not used by the application
- Dependencies used by the application but not listed in the manifest file
- Dependencies listed in the manifest as transitive but used directly by the application
- Dependencies categorized as test in the manifest, but used directly by the application
With this analysis, developers can eliminate false positives and false negatives and easily identify test dependencies. Dependencies that are used in source code but not declared in the package’s manifest files are tagged as Phantom.
Scan speed is enhanced if a lock file exists in the repository: endorctl does not perform a build and uses the existing files in the repository for analysis.
Troubleshoot errors
- Endor Labs doesn’t currently support local package references.
- If a dependency cannot be resolved from the lock file, building that specific package may fail. The package may have been removed from npm, or the .npmrc file may not be properly configured. Other packages in the workspace are scanned as usual.
- Unresolved dependency errors: The manifest file package.json is not buildable. Try running yarn install, or pnpm install in the root project to debug this error.
- Resolved dependency errors: A version of a dependency does not exist or it cannot be found. It may have been removed from the repository.
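The lock-file and .npmrc conditions described in this section can be checked before a scan is run. The following script is an added example, not Endor Labs or endorctl code: it reads a package-lock.json in the lockfileVersion 2/3 layout (a "packages" map keyed by install path) together with a minimal .npmrc, classifies each entry as a direct or transitive dependency, flags entries without resolved and integrity fields (which npm cannot fetch or verify during a build), and flags scoped packages whose resolved URL does not point at the registry their scope is mapped to. The lock file, the .npmrc, the @example-org scope and the registry.example.test host are constructed placeholders; the usedInSource list stands in for the set of packages a source analysis found imported directly, so that transitive dependencies used directly can also be reported.

```javascript
// Added example, not Endor Labs or endorctl code: audits a package-lock.json
// (lockfileVersion 2 or 3) against a minimal .npmrc to classify dependencies
// and to flag entries that would fail to resolve during a build.
// All inputs below are constructed placeholders.

// Parse the two .npmrc settings that matter for resolution: the default
// registry and per-scope registries (`@scope:registry=<url>`).
function parseNpmrc(text) {
  const cfg = { registry: 'https://registry.npmjs.org/', scopes: {} };
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === 'registry') cfg.registry = value;
    else if (key.startsWith('@') && key.endsWith(':registry')) {
      cfg.scopes[key.slice(0, -':registry'.length)] = value;
    }
  }
  return cfg;
}

// Lock keys look like "node_modules/@scope/pkg" or "node_modules/a/node_modules/b";
// the package name is whatever follows the last "node_modules/".
function lockKeyToName(key) {
  const marker = 'node_modules/';
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

// Host of a URL, or null when it does not parse (e.g. a bare file: reference).
function hostOf(url) {
  try { return new URL(url).host; } catch { return null; }
}

function auditLockfile(lock, npmrcText, usedInSource = []) {
  if (!lock.packages) throw new Error('expected lockfileVersion 2 or 3 (a "packages" map)');
  const cfg = parseNpmrc(npmrcText);
  const root = lock.packages[''] || {};
  const direct = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
  ]);
  const transitiveNames = new Set();
  const report = { direct: [], transitive: [], unresolvable: [], registryMismatch: [], transitiveUsedDirectly: [] };

  for (const [key, entry] of Object.entries(lock.packages)) {
    // Skip the root, workspace symlinks (local package references) and bundled deps,
    // which legitimately carry no resolved/integrity fields.
    if (key === '' || entry.link || entry.inBundle) continue;
    const name = lockKeyToName(key);
    const tag = `${name}@${entry.version}`;
    if (direct.has(name)) report.direct.push(tag);
    else { report.transitive.push(tag); transitiveNames.add(name); }

    // Without both fields npm cannot fetch and verify the tarball, so the build fails.
    if (!entry.resolved || !entry.integrity) { report.unresolvable.push(tag); continue; }

    // A scoped package should resolve from the registry its scope is mapped to;
    // anything else (public registry, git URL, unparsable) is reported for review.
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    const expected = (scope && cfg.scopes[scope]) || cfg.registry;
    if (hostOf(entry.resolved) === null || hostOf(entry.resolved) !== hostOf(expected)) {
      report.registryMismatch.push(`${tag} -> ${entry.resolved}`);
    }
  }
  for (const name of usedInSource) {
    if (!direct.has(name) && transitiveNames.has(name)) report.transitiveUsedDirectly.push(name);
  }
  return report;
}

// Constructed sample .npmrc: @example-org packages are expected from a private registry.
const sampleNpmrc = [
  '# constructed .npmrc for the example',
  'registry=https://registry.npmjs.org/',
  '@example-org:registry=https://registry.example.test/',
  '//registry.example.test/:_authToken=<token-placeholder>',
].join('\n');

// Constructed sample lock file (integrity values are placeholders, not real hashes).
const sampleLock = {
  name: 'demo-app', lockfileVersion: 3, requires: true,
  packages: {
    '': { dependencies: { express: '^4.18.2', '@example-org/auth': '^1.2.0' }, devDependencies: { jest: '^29.0.0' } },
    'node_modules/express': { version: '4.18.2', resolved: 'https://registry.npmjs.org/express/-/express-4.18.2.tgz', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/debug': { version: '2.6.9', resolved: 'https://registry.npmjs.org/debug/-/debug-2.6.9.tgz', integrity: 'sha512-CONSTRUCTED' },
    // Scope is mapped to the private registry in .npmrc, but the lock resolved it publicly.
    'node_modules/@example-org/auth': { version: '1.2.0', resolved: 'https://registry.npmjs.org/@example-org/auth/-/auth-1.2.0.tgz', integrity: 'sha512-CONSTRUCTED' },
    // Missing resolved/integrity: npm cannot fetch or verify this during a build.
    'node_modules/jest': { version: '29.7.0', dev: true },
    'node_modules/left-pad': { version: '1.3.0', resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz', integrity: 'sha512-CONSTRUCTED' },
  },
};

const lockReport = auditLockfile(sampleLock, sampleNpmrc, ['express', 'left-pad']);
console.log(JSON.stringify(lockReport, null, 2));
```

On the constructed input, jest is reported as unresolvable (the "resolved dependency error" case above), @example-org/auth is reported as a registry mismatch (the .npmrc misconfiguration case), and left-pad is reported as a transitive dependency that source code imports directly. Lockfile v1 files have no "packages" map, so the function refuses them rather than guessing.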