Dependency Scanning is reporting vulnerabilities in .yarn-cache/
Vulnerabilities are being reported by the Dependency Scanning job in .yarn-cache, making them hard to remediate for users.
Steps to reproduce
- Use one or more vulnerable bootstrap versions
- Run Dependency Scanning
What is the current bug behavior?
Vulnerabilities are reported (multiple times) in .yarn-cache/.... The links to these files are broken and result in 404, since this cache is not part of the repo, but created during job runtime.
What is the expected correct behavior?
Dependencies are reported on files in the repo. If a dependency requires the installation of a vulnerable version of Bootstrap, the vulnerability should be on this declared dependency, so the user can remediate it easily.
.yarn-cache folder, and make sure the vulnerability is reported on the dependency introducing it.
/cc @gonzoyumo for prioritization
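As an added illustration of the expected behaviour described above (this is example code, not GitLab's analyzer or any project code), the script below takes a constructed list of findings, drops the duplicate copies that point into .yarn-cache/, and re-attributes each advisory to the dependency declared in package.json that pulls the vulnerable package in. The manifest, the lockfile-style graph, the package name "example-ui-kit", the version strings and the advisory id are all constructed placeholders; the graph shape is an assumption and is simpler than a real yarn.lock.

```javascript
// Constructed sample manifest: what the repository actually declares.
const packageJson = {
  dependencies: {
    "example-ui-kit": "1.0.0", // hypothetical package that depends on bootstrap
    "lodash": "4.17.20",
  },
};

// Constructed lockfile-style resolution graph: "name@version" -> what it requires.
// The shape is an assumption for this example; real yarn.lock entries carry more fields.
const lockGraph = {
  "example-ui-kit@1.0.0": { requires: { bootstrap: "1.2.3" } },
  "bootstrap@1.2.3": { requires: {} },
  "lodash@4.17.20": { requires: {} },
};

// Constructed findings, mimicking the symptom in the issue: the same advisory
// repeated for every copy of the package under .yarn-cache/ and node_modules/.
const findings = [
  { id: "ADVISORY-PLACEHOLDER-1", package: "bootstrap", version: "1.2.3",
    file: ".yarn-cache/v6/npm-bootstrap-1.2.3-aaa/node_modules/bootstrap/package.json" },
  { id: "ADVISORY-PLACEHOLDER-1", package: "bootstrap", version: "1.2.3",
    file: ".yarn-cache/v6/npm-bootstrap-1.2.3-bbb/node_modules/bootstrap/package.json" },
  { id: "ADVISORY-PLACEHOLDER-1", package: "bootstrap", version: "1.2.3",
    file: "node_modules/bootstrap/package.json" },
];

// True when a .yarn-cache path segment appears anywhere in the path.
// Backslashes are normalised so Windows-style paths are handled too.
function isCachePath(file) {
  return file.replace(/\\/g, "/").split("/").includes(".yarn-cache");
}

// Walk the resolution graph from each declared dependency and return the names
// of the direct dependencies whose subtree contains target@version.
// A visited set guards against cycles in the graph.
function declaringDependencies(manifest, graph, targetName, targetVersion) {
  const target = `${targetName}@${targetVersion}`;
  const result = [];
  for (const [name, version] of Object.entries(manifest.dependencies || {})) {
    const seen = new Set();
    const stack = [`${name}@${version}`];
    let found = false;
    while (stack.length > 0 && !found) {
      const key = stack.pop();
      if (seen.has(key)) continue;
      seen.add(key);
      if (key === target) { found = true; break; }
      const entry = graph[key];
      if (!entry) continue;
      for (const [depName, depVersion] of Object.entries(entry.requires || {})) {
        stack.push(`${depName}@${depVersion}`);
      }
    }
    if (found) result.push(name);
  }
  return result;
}

// Collapse duplicate findings (same advisory, package and version) into one
// entry, point it at the manifest the user can edit, and record how many of the
// original locations were cache paths versus repo paths.
function attributeFindings(rawFindings, manifest, graph) {
  const byKey = new Map();
  for (const f of rawFindings) {
    const key = `${f.id}|${f.package}|${f.version}`;
    if (!byKey.has(key)) {
      byKey.set(key, {
        id: f.id,
        package: f.package,
        version: f.version,
        file: "package.json", // the file the user can actually change
        introducedBy: declaringDependencies(manifest, graph, f.package, f.version),
        cacheLocations: 0,
        repoLocations: 0,
      });
    }
    const entry = byKey.get(key);
    if (isCachePath(f.file)) entry.cacheLocations += 1;
    else entry.repoLocations += 1;
  }
  return [...byKey.values()];
}

// Usage: one finding, attributed to "example-ui-kit", with 2 cache copies dropped.
console.log(JSON.stringify(attributeFindings(findings, packageJson, lockGraph), null, 2));
```

The point of the walk in declaringDependencies is that the remediation target is the direct dependency, not the transitive package: a user cannot "fix" a file in .yarn-cache/, but they can bump or replace the declared dependency that introduces it.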