Dependency scanning node_modules file links lead 404

Summary

The report generated by Dependency Scanning's retire.js analyzer contains broken links to node_modules when the analyzer automatically runs npm install or yarn install.

This is a side-effect of gitlab-org/security-products/analyzers/retire.js!9 (merged)

Steps to reproduce

Create a JavaScript project using npm or yarn, configure Dependency Scanning, and run the analyzer. Make sure the scanned project contains no node_modules directory, only dependency files supported by npm or yarn.

Example Project

See https://gitlab.com/gitlab-org/gitlab-ee/-/jobs/280894064

The generated report contains a link to node_modules/jquery.waitforimages/libs/jquery/jquery.js, which does not exist in the repo.

What is the current bug behavior?

The link is broken because the file doesn't exist in the repo (HTTP 404).

What is the expected correct behavior?

The link points to the dependency file where the affected module is defined. Ideally, it points to the exact line causing the affected package version to be installed. Affected file is one of yarn.lock, package.json, or npm-shrinkwrap.json.

Screenshot

[Screenshot attachment: Screen_Shot_2019-08-26_at_16.42.31]

Possible fixes

Update the retire.js analyzer to distinguish when the file where a vulnerability is found is part of the repository or not:

  • if the vulnerability is found in a file which is part of the repository, then we use that file as the location.file property.
  • if the vulnerability is found in a file that is not part of the repository (for example, one created under node_modules by the automatic npm install or yarn install), then we use the package.json file as the location.file property.