Report vulnerable dependency paths for Yarn (Node.js)
Problem to solve
Dependency Scanning should report the dependency paths for vulnerable dependencies found in Node.js projects using Yarn, so that these paths can be shown in the UI, including in the dependency list. See #227620 (closed)
Proposal
Update the lock file parser specific to this package manager (the yarn.lock parser) so that it records the dependency links between locked packages and can build the dependency graph, from which the paths to vulnerable dependencies are derived.
Implementation plan
- update the specific lock file parser so that it lists dependency links, and release a new version of gemnasium
- update the expected Dependency Scanning reports in the test projects using this package manager
- update the Dependency Scanning documentation to state that dependency paths are supported for this particular package manager
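As an added example (not gemnasium's code and not part of this issue), the Go program below shows the graph work the proposal and the first step of the plan describe: it parses a constructed yarn.lock v1 fragment, resolves each `name@range` key to its locked version, and walks the graph from the direct dependencies declared in package.json to every occurrence of a target package, producing the path strings a report could carry. The lock file, the `packageJSONDeps` map, the function names and the target `ms@2.0.0` are all constructed for the example; `ms@2.0.0` stands in for whatever package an advisory matched and is not a real finding.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// lockEntry is one locked package from yarn.lock (v1 format).
type lockEntry struct {
	name    string
	version string
	deps    map[string]string // dependency name -> requested range
}

// Constructed yarn.lock v1 fragment (example data, not a real project).
const sampleYarnLock = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@scope/tool@^1.0.0":
  version "1.2.0"
  dependencies:
    debug "^4.1.0"

body-parser@1.19.0:
  version "1.19.0"
  resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-1.19.0.tgz"
  dependencies:
    debug "2.6.9"

debug@2.6.9:
  version "2.6.9"
  dependencies:
    ms "2.0.0"

debug@^4.1.0:
  version "4.3.1"
  dependencies:
    ms "2.1.2"

express@^4.17.1:
  version "4.17.1"
  dependencies:
    body-parser "1.19.0"
    debug "2.6.9"

ms@2.0.0:
  version "2.0.0"

ms@2.1.2, ms@^2.1.1:
  version "2.1.2"
`

// Constructed "dependencies" section of package.json: yarn.lock alone does
// not say which packages are direct, so the roots of the walk come from here.
var packageJSONDeps = map[string]string{"express": "^4.17.1", "@scope/tool": "^1.0.0"}

// parseYarnLock parses the v1 text format into a map keyed by "name@range"
// (one key per requested range, exactly as the file lists them).
func parseYarnLock(text string) map[string]*lockEntry {
	entries := map[string]*lockEntry{}
	var cur *lockEntry
	inDeps := false
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimRight(line, "\r")
		if strings.TrimSpace(line) == "" || strings.HasPrefix(line, "#") {
			continue
		}
		indent := len(line) - len(strings.TrimLeft(line, " "))
		switch {
		case indent == 0 && strings.HasSuffix(line, ":"): // entry header, one or more keys
			cur, inDeps = &lockEntry{deps: map[string]string{}}, false
			for _, key := range strings.Split(strings.TrimSuffix(line, ":"), ", ") {
				key = strings.Trim(key, `"`)
				entries[key] = cur
				if at := strings.LastIndex(key, "@"); at > 0 { // last "@" handles scoped names
					cur.name = key[:at]
				}
			}
		case indent == 2 && cur != nil: // version / resolved / integrity / dependencies:
			inDeps = false
			fields := strings.Fields(line)
			if fields[0] == "version" && len(fields) > 1 {
				cur.version = strings.Trim(fields[1], `"`)
			} else if fields[0] == "dependencies:" || fields[0] == "optionalDependencies:" {
				inDeps = true
			}
		case indent == 4 && cur != nil && inDeps: // name "range" (range may contain spaces)
			if parts := strings.SplitN(strings.TrimSpace(line), " ", 2); len(parts) == 2 {
				cur.deps[strings.Trim(parts[0], `"`)] = strings.Trim(parts[1], `"`)
			}
		}
	}
	return entries
}

// vulnerablePaths returns every path from a direct dependency to the package
// vulnName@vulnVersion, rendered as "a@1 > b@2 > c@3", sorted for stable output.
func vulnerablePaths(entries map[string]*lockEntry, direct map[string]string, vulnName, vulnVersion string) []string {
	var paths []string
	var walk func(e *lockEntry, trail []string, onPath map[string]bool)
	walk = func(e *lockEntry, trail []string, onPath map[string]bool) {
		id := e.name + "@" + e.version
		if onPath[id] {
			return // cycle guard: lock file graphs can be cyclic
		}
		trail = append(append([]string(nil), trail...), id)
		if e.name == vulnName && e.version == vulnVersion {
			paths = append(paths, strings.Join(trail, " > "))
			return
		}
		onPath[id] = true
		for depName, depRange := range e.deps {
			if child, ok := entries[depName+"@"+depRange]; ok { // unresolvable keys are skipped
				walk(child, trail, onPath)
			}
		}
		delete(onPath, id)
	}
	for name, rng := range direct {
		if root, ok := entries[name+"@"+rng]; ok {
			walk(root, nil, map[string]bool{})
		}
	}
	sort.Strings(paths)
	return paths
}

func main() {
	entries := parseYarnLock(sampleYarnLock)
	for _, p := range vulnerablePaths(entries, packageJSONDeps, "ms", "2.0.0") {
		fmt.Println(p)
	}
}
```

Two design points carry over to a real parser: the graph node is `name@version`, not the `name@range` key, because several requested ranges resolve to one locked package, and the walk records every path rather than the first one found, since a fix may need to bump several intermediate packages. The parser covers the v1 text format only; Yarn Berry writes a YAML lock file with different keys.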
Permissions and Security
N/A
Documentation
Dependency Path support for this particular package manager should be documented in Dependency Scanning documentation.
Availability & Testing
To be tested automatically as part of the QA for the analyzer project, by checking that the generated report contains the expected dependency paths.
What does success look like, and how can we measure that?
The analyzer reports the dependency paths of the vulnerable dependencies for projects using this package manager.
What is the type of buyer?
Links / references
Edited by Fabien Catteau