Closed Muzietto closed 2 years ago
Hi. I will check it out. In the meantime, you could try a workaround by specifying the `bin` CLI option and setting it to some folder outside your project. The check module will then use this path to download the dependency-check CLI to.
But if your project is a Node.js project (you mention node_modules), then I think a better option is to specify `--scan=package-lock.json`. Every NPM dependency you have should be in this file and the check will be much faster.
And how do you know that your project is not analyzed? Do you expect there to be some vulnerabilities which you do not see in the report (beside the ones from the owasp bin itself right now)?
I followed your advice and it worked!!
On top of that, the directory `dependency-check-bin` was ignored.
Thank you very much.
Is it necessary to scan node_modules as well?
Already asked on Stack Overflow without result. Retrying here...
I am trying to use the NPM module owasp-dependency-check in order to highlight possible vulnerabilities in the code of my web project. I have installed version 0.0.18, the latest.
I want to analyse the custom code I wrote (directory `src`) and the libraries my project depends on (directory `node_modules`). The task in package.json (section `scripts`) reads:

After the launch, it seems that the instructions have been specified correctly:

After about 10 minutes of execution, I find a file `owasp/dependency-check-report.html` with a size of 61MB (!?!). I view it in the browser and it contains the analysis of the sole directory `dependency-check-bin`, which is the directory where the `owasp-dependency-check` NPM module installs some executables and which I explicitly try to skip in the analysis. (Ironically, there are 6 medium-to-critical vulnerabilities in the libraries that the dependency checker itself uses...)
My question is: what is wrong with my task definition in package.json? How should I invoke owasp-dependency-check in order to scan `node_modules` and `src`?
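Once the scan is pointed at `package-lock.json` as the maintainer suggests, the next practical step is turning the report into something a CI job can act on rather than a 61MB HTML page. The script below is an added example, not code from the thread or from the owasp-dependency-check project: it reads a Dependency-Check JSON report (the CLI writes one with `--format JSON`; the field names `dependencies[].fileName` and `dependencies[].vulnerabilities[].severity` are assumed here), optionally skips findings that come from the scanner's own `dependency-check-bin` directory, counts findings per severity and decides whether the build should fail. The embedded report is constructed sample data with placeholder vulnerability names, not real scan output.

```python
import json
import sys
from collections import Counter

# Severity levels in increasing order, as Dependency-Check labels them (assumed).
SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the assumed shape of a Dependency-Check JSON report.
# Vulnerability names are placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "package-lock.json: example-lib@1.0.0",
            "vulnerabilities": [
                {"name": "PLACEHOLDER-VULN-1", "severity": "HIGH"},
                {"name": "PLACEHOLDER-VULN-2", "severity": "MEDIUM"},
            ],
        },
        {
            "fileName": "package-lock.json: clean-lib@2.3.4",
            "vulnerabilities": [],
        },
        {
            # A finding in the scanner's own bin directory, like the ones the
            # original poster saw in the report.
            "fileName": "dependency-check-bin/lib/some-jar.jar",
            "vulnerabilities": [
                {"name": "PLACEHOLDER-VULN-3", "severity": "CRITICAL"},
            ],
        },
    ]
})


def load_findings(report_text, ignore_prefixes=("dependency-check-bin",)):
    """Return (fileName, vulnerability name, SEVERITY) triples from a JSON report.

    Dependencies whose fileName starts with one of ignore_prefixes are skipped,
    so the scanner's own download directory does not pollute the project result.
    """
    report = json.loads(report_text)
    findings = []
    for dep in report.get("dependencies", []):
        file_name = dep.get("fileName", "")
        if ignore_prefixes and file_name.startswith(tuple(ignore_prefixes)):
            continue
        for vuln in dep.get("vulnerabilities") or []:
            severity = str(vuln.get("severity", "UNKNOWN")).upper()
            findings.append((file_name, vuln.get("name", "?"), severity))
    return findings


def count_by_severity(findings):
    """Count findings per severity label."""
    return Counter(severity for _, _, severity in findings)


def should_fail(findings, threshold="HIGH"):
    """True if any finding is at or above the threshold severity."""
    limit = SEVERITY_ORDER.index(threshold.upper())
    return any(
        severity in SEVERITY_ORDER and SEVERITY_ORDER.index(severity) >= limit
        for _, _, severity in findings
    )


if __name__ == "__main__":
    # Usage: python gate.py owasp/dependency-check-report.json [THRESHOLD]
    # Falls back to the constructed sample when no path is given.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    threshold = sys.argv[2] if len(sys.argv) > 2 else "HIGH"
    found = load_findings(text)
    for file_name, name, severity in found:
        print(f"{severity:8} {name:20} {file_name}")
    print("summary:", dict(count_by_severity(found)))
    sys.exit(1 if should_fail(found, threshold) else 0)
```

Filtering `dependency-check-bin` out of the result is a fallback for reports that already contain it; the cleaner fix remains the one given in the thread, namely scanning only `package-lock.json` (or keeping the `bin` directory outside the project) so those findings are never produced.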