google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0

Scan and report dependency groups of vulnerabilities for Yarn #799

Open Ais8Ooz8 opened 8 months ago

Ais8Ooz8 commented 8 months ago

Need the same mechanism https://github.com/google/osv-scanner/pull/655 using dependencies and devDependencies from package.json

cuixq commented 8 months ago

@Ais8Ooz8 thank you for your feedback!

For Yarn, devDependencies are specified in package.json and osv-scanner currently scans yarn.lock for vulnerabilities. We can report dependency groups for Yarn once we support scanning package.json.
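The split cuixq describes (yarn.lock carries the resolved versions, package.json carries the dependency groups) as an added example in Go; it is not osv-scanner's code or the PR #655 implementation, and the package.json and yarn.lock contents are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)
// Constructed sample manifest and yarn.lock (v1 format); neither is taken from the issue.
const samplePackageJSON = `{"dependencies": {"lodash": "^4.17.0", "@babel/core": "^7.0.0"}, "devDependencies": {"jest": "^29.0.0"}}`
const sampleYarnLock = `# yarn lockfile v1
"@babel/core@^7.0.0":
  version "7.23.0"
jest@^29.0.0:
  version "29.7.0"
lodash@^4.17.0:
  version "4.17.21"
`
type LockedPackage struct {
	Name, Version string
	Groups        []string // "prod" and/or "dev" from package.json; nil for transitive-only packages
}
// GroupedPackages parses yarn.lock v1 entries and tags each with the groups package.json declares it under.
func GroupedPackages(pkgJSON, lock string) ([]LockedPackage, error) {
	var m struct{ Dependencies, DevDependencies map[string]string } // encoding/json matches keys case-insensitively
	if err := json.Unmarshal([]byte(pkgJSON), &m); err != nil {
		return nil, err
	}
	groups := map[string][]string{}
	for name := range m.Dependencies {
		groups[name] = append(groups[name], "prod")
	}
	for name := range m.DevDependencies {
		groups[name] = append(groups[name], "dev")
	}
	var pkgs []LockedPackage
	for _, line := range strings.Split(lock, "\n") {
		trimmed := strings.TrimSpace(line)
		switch {
		case trimmed == "" || strings.HasPrefix(trimmed, "#"): // blank or comment line
		case !strings.HasPrefix(line, " "): // header such as `lodash@^4.17.0:` or `"@s/p@^1", "@s/p@^2":`
			spec := strings.Trim(strings.Split(strings.TrimSuffix(line, ":"), ", ")[0], `"`)
			name := spec[:strings.LastIndex(spec, "@")] // split at the last "@" so scoped names survive
			pkgs = append(pkgs, LockedPackage{Name: name, Groups: groups[name]})
		case strings.HasPrefix(trimmed, "version ") && len(pkgs) > 0:
			pkgs[len(pkgs)-1].Version = strings.Trim(strings.TrimPrefix(trimmed, "version "), `"`)
		}
	}
	return pkgs, nil
}

func main() { fmt.Println(GroupedPackages(samplePackageJSON, sampleYarnLock)) }
```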

Ais8Ooz8 commented 5 months ago

Up

cuixq commented 5 months ago

Related issue to support manifest scanning: https://github.com/google/osv-scanner/issues/416

github-actions[bot] commented 3 months ago

This issue has not had any activity for 60 days and will be automatically closed in two weeks