DependencyCheck
Highlighting findings that are not related(or related) to Dev dependencies
We want to prioritize the findings from the report. I have a question:

- Are findings from devDependencies highlighted in the report when scanning package-lock.json? We wanted to prioritize the findings based on whether the package was in development or not. When run with --nodeAuditSkipDevDependencies and --nodePackageSkipDevDependencies, packages from development are ignored, but this is not highlighted in the report.

- And one more question: usually developers transfer only package.json and package-lock.json to repositories. When we scan only them, the results do not have a lot of findings. If you do npm install then node_modules will be created, and the report will have a lot of findings. Please tell me, is it necessary to always run npm install before running ODC?
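One way to get the dev/prod split the question asks for without dropping the dev findings: read the `dev` flags that npm writes into package-lock.json and tag each vulnerable dependency from the ODC JSON report accordingly. This is an added example, not code from the thread or from Dependency-Check; the lockfile and the report entries below are constructed, and the report field names (`dependencies[]`, `fileName`, `packages[].id`, `vulnerabilities`) are assumed from ODC's JSON output and should be checked against your own report.

```python
import json
from urllib.parse import unquote

# Constructed lockfile (v2/v3 "packages" map); "dev": true marks dev-only installs.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "4.18.2"}, "devDependencies": {"mocha": "10.2.0"}},
        "node_modules/express": {"version": "4.18.2"},
        "node_modules/mocha": {"version": "10.2.0", "dev": True},
        "node_modules/mocha/node_modules/debug": {"version": "4.3.4", "dev": True},
    },
}

# Constructed, minimal ODC-style report entries (only the fields used here; placeholder ids).
SAMPLE_REPORT = {"dependencies": [
    {"fileName": "express:4.18.2", "packages": [{"id": "pkg:npm/express@4.18.2"}],
     "vulnerabilities": [{"name": "VULN-PLACEHOLDER-1"}]},
    {"fileName": "mocha:10.2.0", "packages": [{"id": "pkg:npm/mocha@10.2.0"}],
     "vulnerabilities": [{"name": "VULN-PLACEHOLDER-2"}]},
    {"fileName": "debug:4.3.4", "packages": [{"id": "pkg:npm/debug@4.3.4"}],
     "vulnerabilities": [{"name": "VULN-PLACEHOLDER-3"}]},
    {"fileName": "package.json", "packages": [], "vulnerabilities": []},
]}

def dev_packages(lock):
    """Names the lockfile marks as dev-only (v2/v3 'packages' keys and v1 'dependencies')."""
    dev = set()
    for path, entry in lock.get("packages", {}).items():
        if path and entry.get("dev"):                      # "" is the root project entry
            dev.add(path.rsplit("node_modules/", 1)[-1])   # keeps "@scope/name" intact
    for name, entry in lock.get("dependencies", {}).items():   # lockfile v1 top level
        if entry.get("dev"):
            dev.add(name)
    return dev

def purl_name(purl):
    """'pkg:npm/%40scope/name@1.0.0' -> '@scope/name'."""
    return unquote(purl.split("pkg:npm/", 1)[1].rsplit("@", 1)[0])

def classify(report, dev):
    """(fileName, 'dev'|'prod', vulnerability count) for each vulnerable dependency."""
    rows = []
    for dep in report["dependencies"]:
        if not dep.get("vulnerabilities"):
            continue
        names = {purl_name(p["id"]) for p in dep.get("packages", []) if p["id"].startswith("pkg:npm/")}
        scope = "dev" if names and names <= dev else "prod"   # unknown names stay prod (safe default)
        rows.append((dep["fileName"], scope, len(dep["vulnerabilities"])))
    return sorted(rows, key=lambda r: r[1] != "prod")          # prod findings first

if __name__ == "__main__":
    for row in classify(SAMPLE_REPORT, dev_packages(SAMPLE_LOCK)):
        print(*row)
```

Replace the constructed inputs with `json.load(open("package-lock.json"))` and the ODC `--format JSON` report to run it on a real scan; the dev rows stay in the list, they are just ranked after the prod ones.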