Dependency Scanning is reporting vulnerabilities in .yarn-cache/
Summary
Vulnerabilities are being reported by the Dependency Scanning job in .yarn-cache/, making them hard to remediate for users.
Steps to reproduce
- Create a project using javascript and yarn
- Use one or more vulnerable bootstrap versions
- Run Dependency Scanning
Example Project
https://gitlab.com/gitlab-org/gitlab-ee/pipelines/58243146
What is the current bug behavior?
Vulnerabilities are reported (multiple times) in .yarn-cache/... . The links to these files are broken and result in a 404, since this cache is not part of the repo but is created at job runtime.
What is the expected correct behavior?
Vulnerabilities are reported on files in the repo. If a dependency requires the installation of a vulnerable version of Bootstrap, the vulnerability should be reported on that declared dependency, so the user can remediate it easily.
Possible fixes
Ignore the .yarn-cache folder, and make sure the vulnerability is reported on the dependency introducing it.
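As an added example of that second point, and not GitLab's analyzer code: a post-processing script that drops duplicate findings located under .yarn-cache/ and re-attributes each one to the package.json dependency that pulls the vulnerable version in, by walking the v1 yarn.lock graph. The report shape (vulnerabilities[].location.file and location.dependency.package.name/version) and the introduced_by field it writes are assumptions, and the package.json, yarn.lock and report it runs on are constructed sample inputs.

```python
"""Re-attribute dependency-scanning findings found in the runtime-created
.yarn-cache/ directory to the declared dependency that introduces them.

Added example; not GitLab's analyzer code. The report shape is assumed and
the inputs below are constructed.
"""
import re
from collections import deque

CACHE_PREFIX = ".yarn-cache/"

# Constructed sample project: some-theme pulls in bootstrap transitively.
PACKAGE_JSON = {
    "name": "sample-app",
    "dependencies": {"some-theme": "^1.0.0", "lodash": "^4.17.0"},
}

# Constructed v1 yarn.lock for the project above.
YARN_LOCK = """\
# yarn lockfile v1

bootstrap@^3.3.7:
  version "3.3.7"
  resolved "https://registry.yarnpkg.com/bootstrap/-/bootstrap-3.3.7.tgz"

lodash@^4.17.0:
  version "4.17.11"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.11.tgz"

some-theme@^1.0.0:
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/some-theme/-/some-theme-1.0.0.tgz"
  dependencies:
    bootstrap "^3.3.7"
"""

# Constructed report in the assumed gl-dependency-scanning-report.json shape.
# The bootstrap finding appears twice because the cache holds two copies.
REPORT = {
    "vulnerabilities": [
        {
            "message": "Sample finding in bootstrap (constructed)",
            "location": {
                "file": ".yarn-cache/v4/npm-bootstrap-3.3.7-aaaa/node_modules/bootstrap/package.json",
                "dependency": {"package": {"name": "bootstrap"}, "version": "3.3.7"},
            },
        },
        {
            "message": "Sample finding in bootstrap (constructed)",
            "location": {
                "file": ".yarn-cache/v4/npm-bootstrap-3.3.7-bbbb/node_modules/bootstrap/package.json",
                "dependency": {"package": {"name": "bootstrap"}, "version": "3.3.7"},
            },
        },
        {
            "message": "Sample finding in lodash (constructed)",
            "location": {
                "file": "yarn.lock",
                "dependency": {"package": {"name": "lodash"}, "version": "4.17.11"},
            },
        },
    ]
}


def parse_yarn_lock(text):
    """Parse a v1 yarn.lock into {"name@range": {name, version, dependencies}}."""
    entries, current, in_deps = {}, None, False
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if not raw.startswith(" "):  # header line: one or more "name@range" keys
            keys = [k.strip().strip('"') for k in raw.rstrip(":").split(",")]
            current = {"name": keys[0].rsplit("@", 1)[0], "version": None, "dependencies": {}}
            for key in keys:
                entries[key] = current
            in_deps = False
            continue
        line = raw.strip()
        if line.startswith("version "):
            current["version"] = line.split(" ", 1)[1].strip('"')
        elif line in ("dependencies:", "optionalDependencies:"):
            in_deps = True
        elif raw.startswith("    ") and in_deps:  # "    name "range""
            name, rng = line.split(" ", 1)
            current["dependencies"][name] = rng.strip('"')
        elif raw.startswith("  "):  # resolved / integrity: leaves the deps block
            in_deps = False
    return entries


def declared_roots(pkg_json, lock, target_name, target_version):
    """Return package.json dependencies whose closure contains target@version."""
    roots = set()
    direct = {**pkg_json.get("dependencies", {}), **pkg_json.get("devDependencies", {})}
    for root_name, root_range in direct.items():
        seen, queue = set(), deque([(root_name, root_range)])
        while queue:
            name, rng = queue.popleft()
            entry = lock.get(f"{name}@{rng}")
            if entry is None or (entry["name"], entry["version"]) in seen:
                continue
            seen.add((entry["name"], entry["version"]))
            if entry["name"] == target_name and entry["version"] == target_version:
                roots.add(root_name)
                break
            queue.extend(entry["dependencies"].items())
    return roots


def reattribute(report, pkg_json, lock_text):
    """Drop cache duplicates and point cache findings at the declared dependency."""
    lock = parse_yarn_lock(lock_text)
    seen, out = set(), []
    for vuln in report["vulnerabilities"]:
        loc = vuln["location"]
        dep = loc.get("dependency", {})
        name, version = dep.get("package", {}).get("name"), dep.get("version")
        key = (vuln.get("message"), name, version)
        if key in seen:
            continue  # same finding on another cached copy of the tarball
        seen.add(key)
        if loc.get("file", "").startswith(CACHE_PREFIX):
            roots = declared_roots(pkg_json, lock, name, version)
            # introduced_by is an assumed, non-standard field added for the reader
            vuln = dict(vuln, location=dict(loc, file="package.json",
                                            introduced_by=sorted(roots) or [name]))
        out.append(vuln)
    return dict(report, vulnerabilities=out)


if __name__ == "__main__":
    for v in reattribute(REPORT, PACKAGE_JSON, YARN_LOCK)["vulnerabilities"]:
        print(v["location"]["file"], v["location"].get("introduced_by"), v["message"])
```

Run on the constructed inputs, the two cached bootstrap copies collapse into one finding on package.json, attributed to some-theme, while the lodash finding on yarn.lock passes through untouched.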
/cc @gonzoyumo for prioritization
Edited by Philippe Lafoucrière