Distinguish between devDependencies and Dependencies in Vulnerability report


Proposal

The customer wants the Dependency Scanning report for npm projects to carry an additional field on each security finding that indicates whether the affected package is a devDependency or a (production) dependency.

The package.json of an npm project already distinguishes devDependencies from dependencies. Note that package.json only lists direct dependencies; for transitive packages the classification has to come from the lockfile (package-lock.json), which flags packages that are reachable only through devDependencies.

GitLab Dependency Scanning also has a variable, DS_INCLUDE_DEV_DEPENDENCIES, that can exclude devDependencies from the scan altogether. However, there is no way to keep devDependencies in the scan and still mark them as such in the report: a finding is either dropped or reported indistinguishably from a production finding.
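As an added example (not GitLab's code and not part of the original issue), the script below shows the post-processing a project can do today to add such a field itself. It reads the findings from a Dependency Scanning artifact, builds a package-to-scope map from package.json (direct dependencies) and package-lock.json (the whole installed tree), and tags each finding as "production", "dev" or "unknown". It assumes the report exposes `vulnerabilities[].location.dependency.package.name` and `.version` as in gl-dependency-scanning-report.json, and that the lockfile is lockfileVersion 2 or 3, where entries under `packages` carry `"dev": true` when they are reachable only through devDependencies; the package.json, lockfile and report used as input are constructed for the example.

```javascript
// Added example, not GitLab's code: tag each Dependency Scanning finding of an npm
// project as "dev", "production" or "unknown".
// Assumed report shape (gl-dependency-scanning-report.json):
//   vulnerabilities[].location.dependency.package.name and .version
// Assumed lockfile shape: package-lock.json lockfileVersion 2 or 3, where every entry
// under "packages" reachable only through devDependencies carries "dev": true.
// All inputs below are constructed for the example.

const PACKAGE_JSON = {
  name: "example-app",
  dependencies: { express: "^4.18.2" },
  devDependencies: { mocha: "^10.2.0" },
};

const PACKAGE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { express: "^4.18.2" }, devDependencies: { mocha: "^10.2.0" } },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/qs": { version: "6.11.0" },                  // transitive, production
    "node_modules/mocha": { version: "10.2.0", dev: true },
    "node_modules/minimatch": { version: "5.0.1", dev: true }, // transitive, dev-only
  },
};

const REPORT = {
  version: "15.0.0",
  vulnerabilities: [
    { id: "f1", location: { file: "package-lock.json", dependency: { package: { name: "qs" }, version: "6.11.0" } } },
    { id: "f2", location: { file: "package-lock.json", dependency: { package: { name: "minimatch" }, version: "5.0.1" } } },
    { id: "f3", location: { file: "package-lock.json", dependency: { package: { name: "mocha" }, version: "10.2.0" } } },
    { id: "f4", location: { file: "package-lock.json", dependency: { package: { name: "left-pad" }, version: "1.3.0" } } },
  ],
};

// Name of the package installed at a "packages" path, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Build name -> "production" | "dev". "production" wins whenever any declaration or
// any installed copy of the package ships with the application.
function buildScopeMap(pkgJson, lockfile) {
  const scope = new Map();
  const mark = (name, cls) => {
    if (cls === "production" || !scope.has(name)) scope.set(name, cls);
  };
  for (const name of Object.keys(pkgJson.dependencies || {})) mark(name, "production");
  for (const name of Object.keys(pkgJson.devDependencies || {})) mark(name, "dev");
  // package.json only covers direct dependencies; the lockfile covers the whole tree.
  for (const [lockPath, entry] of Object.entries((lockfile && lockfile.packages) || {})) {
    if (lockPath === "") continue; // root project entry, not a package
    mark(packageNameFromPath(lockPath), entry.dev === true ? "dev" : "production");
  }
  return scope;
}

// Attach the scope to every finding. A package that is neither declared nor installed
// (e.g. a stale report) is "unknown" rather than silently treated as dev.
function classifyFindings(report, scope) {
  return (report.vulnerabilities || []).map((v) => {
    const dep = (v.location && v.location.dependency) || {};
    const name = dep.package ? dep.package.name : undefined;
    return {
      id: v.id,
      package: name,
      version: dep.version,
      scope: name && scope.has(name) ? scope.get(name) : "unknown",
    };
  });
}

function summarize(classified) {
  const counts = { production: 0, dev: 0, unknown: 0 };
  for (const c of classified) counts[c.scope] += 1;
  return counts;
}

const classified = classifyFindings(REPORT, buildScopeMap(PACKAGE_JSON, PACKAGE_LOCK));
console.log(JSON.stringify(classified, null, 2));
console.log(summarize(classified)); // { production: 1, dev: 2, unknown: 1 }
```

In a pipeline this would run as a job after the scan, reading the report artifact together with the checked-in package.json and package-lock.json. Unlike setting DS_INCLUDE_DEV_DEPENDENCIES to exclude devDependencies, this keeps every finding and only annotates it, so a devDependency with a critical vulnerability is still visible but can be triaged at a different priority. A lockfileVersion 1 file has no `packages` object; only its direct dependencies would be classified by this script, and every transitive package would come out as "unknown".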

Support tickets (internal links): https://gitlab.zendesk.com/agent/tickets/517412 https://gitlab.zendesk.com/agent/tickets/517204
