Dependency Scanning is reporting vulnerabilities in .yarn-cache/

Summary

Vulnerabilities are being reported by the Dependency Scanning job on files under .yarn-cache, which makes them hard for users to remediate.

Steps to reproduce

  • Create a project using JavaScript and Yarn
  • Use one or more vulnerable Bootstrap versions
  • Run Dependency Scanning

Example Project

https://gitlab.com/gitlab-org/gitlab-ee/pipelines/58243146

What is the current bug behavior?

Vulnerabilities are reported (multiple times) in .yarn-cache/.... The links to these files are broken and return a 404, since this cache is not part of the repository but is created during the job run.

What is the expected correct behavior?

Vulnerabilities are reported on files that are part of the repository. If a dependency requires installing a vulnerable version of Bootstrap, the vulnerability should be reported on that declared dependency, so the user can remediate it easily.

Possible fixes

Ignore the .yarn-cache folder, and make sure the vulnerability is reported on the dependency that introduces it.
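As an added illustration of the proposed fix (this is not GitLab's code and not how the Dependency Scanning analyzer is implemented): a post-processing step that drops the duplicate `.yarn-cache/` locations and re-attributes each finding to the declared dependency that pulls the vulnerable package in, by walking the project's `yarn.lock` from `package.json`. The lockfile, manifest, finding shape, package names, versions and advisory ids below are all constructed placeholders.

```python
import json
from collections import deque

# Constructed sample inputs (names, versions and ids are placeholders).
SAMPLE_PACKAGE_JSON = '{"dependencies": {"example-widget": "^1.0.0", "example-util": "^2.1.0"}}'

SAMPLE_YARN_LOCK = """\
# yarn lockfile v1

bootstrap@^3.3.7:
  version "3.3.7"
  resolved "https://registry.example/bootstrap-3.3.7.tgz#placeholder"

example-util@^2.1.0:
  version "2.1.0"
  resolved "https://registry.example/example-util-2.1.0.tgz#placeholder"

example-widget@^1.0.0:
  version "1.0.0"
  resolved "https://registry.example/example-widget-1.0.0.tgz#placeholder"
  dependencies:
    bootstrap "^3.3.7"
"""

CACHE_PKG = ".yarn-cache/v4/npm-bootstrap-3.3.7-placeholder/node_modules/bootstrap/"
BOOTSTRAP = {"package": {"name": "bootstrap"}, "version": "3.3.7"}
# Shape loosely modelled on a dependency scanning report "location" field (constructed).
SAMPLE_FINDINGS = [
    {"id": "ADV-1", "location": {"file": CACHE_PKG + "package.json", "dependency": BOOTSTRAP}},
    {"id": "ADV-1", "location": {"file": CACHE_PKG + "dist/package.json", "dependency": BOOTSTRAP}},
    {"id": "ADV-2", "location": {"file": CACHE_PKG + "package.json", "dependency": BOOTSTRAP}},
    {"id": "ADV-3", "location": {"file": "yarn.lock",
                                 "dependency": {"package": {"name": "example-util"}, "version": "2.1.0"}}},
]


def parse_yarn_lock(text):
    """Parse a yarn v1 lockfile into {"name@range": {"name", "version", "dependencies"}}."""
    entries, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0 and line.endswith(":"):
            # Header such as:  "@scope/pkg@^1.0.0", "@scope/pkg@^1.2.0":
            keys = [k.strip().strip('"') for k in line[:-1].split(",")]
            current = {"name": keys[0].rsplit("@", 1)[0], "version": None, "dependencies": {}}
            for key in keys:
                entries[key] = current
            section = None
        elif indent == 2 and current is not None:
            if line.endswith(":"):           # "dependencies:" / "optionalDependencies:"
                section = line[:-1]
            else:
                field, _, value = line.partition(" ")
                if field == "version":
                    current["version"] = value.strip('"')
                section = None
        elif indent == 4 and current is not None and section in ("dependencies", "optionalDependencies"):
            dep, _, rng = line.partition(" ")
            current["dependencies"][dep.strip('"')] = rng.strip('"')
    return entries


def find_introducing_chain(entries, declared, name, version):
    """BFS from declared dependencies to name@version; returns the chain of package names or None."""
    queue = deque((f"{dep}@{rng}", [dep]) for dep, rng in declared.items())
    seen = set()
    while queue:
        key, path = queue.popleft()
        if key in seen or key not in entries:
            continue
        seen.add(key)
        entry = entries[key]
        if entry["name"] == name and entry["version"] == version:
            return path
        queue.extend((f"{dep}@{rng}", path + [dep]) for dep, rng in entry["dependencies"].items())
    return None


def relocate_cache_findings(findings, lock_text, package_json_text, cache_dir=".yarn-cache/"):
    """Drop duplicate cache-path findings and point each at yarn.lock plus the dependency chain."""
    entries = parse_yarn_lock(lock_text)
    manifest = json.loads(package_json_text)
    declared = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    result, seen = [], set()
    for finding in findings:
        loc = finding["location"]
        if not loc["file"].startswith(cache_dir):
            result.append(finding)            # already reported on a file in the repo
            continue
        name, version = loc["dependency"]["package"]["name"], loc["dependency"]["version"]
        if (finding["id"], name, version) in seen:
            continue                          # same advisory, same package: one report is enough
        seen.add((finding["id"], name, version))
        moved = dict(finding)
        moved["location"] = {"file": "yarn.lock", "dependency": loc["dependency"],
                             "introduced_by": find_introducing_chain(entries, declared, name, version)}
        result.append(moved)
    return result


if __name__ == "__main__":
    print(json.dumps(relocate_cache_findings(SAMPLE_FINDINGS, SAMPLE_YARN_LOCK, SAMPLE_PACKAGE_JSON), indent=2))
```

The chain in `introduced_by` is what lets the user act: it names the direct dependency (`example-widget` in the sample) whose range must be bumped or replaced, rather than a cache path that no longer exists once the job finishes.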

/cc @gonzoyumo for prioritization

Edited Apr 24, 2019 by Philippe Lafoucrière