Dependency Scanning fails to find nodejs vulnerability
Summary
Dependency Scanning fails to find vulnerabilities in nodejs project.
Steps to reproduce
- Create a Node.js project.
- Enable Auto DevOps for the project.
- Create a package.json with an old package containing vulnerabilities (like this)
Example Project
- https://gitlab.com/le.storm1er/autodevopsreact/
- https://gitlab.com/le.storm1er/autodevopsreact/-/jobs/194804171
What is the current bug behavior?
Vulnerabilities are detected during dependency_scanning jobs but are neither listed nor reported in the merge request.
What is the expected correct behavior?
Vulnerabilities should be displayed in jobs and reported in the merge request.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Possible fixes
Unknown
Edited by Olivier Gonzalez