dependency-check-gradle
Default scanset omits pnpm-lock.yaml
DependencyCheck supports pnpm-based frontend projects out of the box with the PnpmAuditAnalyzer.
With the DependencyCheck gradle task this analyzer will not be activated because the default scanset does not include the relevant pnpm-lock.yaml file.
https://github.com/dependency-check/dependency-check-gradle/blob/f59680ae0428d999207dc0c5bc253b48c6c8fb13/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy#L441
The PnpmAuditAnalyzer is skipped because it assumes that no pnpm-lock.yaml is present.
Would it be possible to add pnpm-lock.yaml to the default scanset (as e.g. yarn.lock)?
The default scanset does include the file pnpm.lock, which is probably obsolete: neither does pnpm generate this file, nor does the PnpmAuditAnalyzer consider it.
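Until the default scanset changes, the lock file can be handed to the engine explicitly. The following `build.gradle` snippet is an added example, not code from the issue or from the plugin's documentation; it assumes that setting `dependencyCheck.scanSet` replaces the plugin's default scanset (so every non-Gradle manifest you still want scanned must be listed), that the frontend lives under `frontend/`, and that the plugin version shown is a placeholder to swap for the one you pin.

```groovy
// build.gradle (Groovy DSL). Added example; assumptions are noted inline.
plugins {
    // Plugin id is the real one; the version is an assumed placeholder.
    id 'org.owasp.dependencycheck' version '9.0.9'
}

dependencyCheck {
    // Assumption: a non-null scanSet replaces the default file patterns
    // (package.json, package-lock.json, yarn.lock, ...), so list everything
    // the JS analyzers should still see, not only the pnpm lock file.
    scanSet = [
        'frontend/package.json',   // needed for package metadata
        'frontend/pnpm-lock.yaml'  // the file pnpm actually writes
        // 'pnpm.lock' is intentionally absent: pnpm never generates it.
    ]

    // Fail the build on anything CVSS 7.0 or higher so a missed lock file
    // cannot silently pass; an empty JS scan should be investigated, not ignored.
    failBuildOnCVSS = 7.0f
}
```

After running `./gradlew dependencyCheckAnalyze --info`, confirm in the log that the PnpmAuditAnalyzer was not skipped and that `pnpm-lock.yaml` appears among the scanned files; if the analyzer still reports no lock file, the scanSet path is the first thing to check.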