Closed bestbeforetoday closed 1 year ago
OSV-Scanner run against the package-lock.json could detect vulnerabilities in dev packages. Instead, generate a CycloneDX Software Bill of Materials (SBOM), excluding dev dependencies, and run OSV-Scanner against the SBOM.
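The two-step workflow the PR describes (build a CycloneDX SBOM without dev dependencies, then point OSV-Scanner at the SBOM instead of the lockfile), written out as an added shell example; this is not code from the PR or from the project. The tool invocations `@cyclonedx/cyclonedx-npm --omit dev --output-file` and `osv-scanner --sbom`, and the `cdx:npm:package:development` component property used by the sanity check, are assumptions drawn from those tools' documentation and should be verified against the installed versions.

```shell
#!/usr/bin/env sh
# Added example, not the PR's own code. Flags and the property name below are
# assumptions about @cyclonedx/cyclonedx-npm and osv-scanner; confirm them locally.
set -eu

SBOM_FILE="${SBOM_FILE:-bom.json}"

# Step 1: build the SBOM from package-lock.json, omitting dev dependencies so
# that build-only tooling does not generate vulnerability findings.
generate_sbom() {
  npx --yes @cyclonedx/cyclonedx-npm --omit dev \
    --output-format JSON --output-file "$SBOM_FILE"
}

# Step 2: scan the SBOM rather than the lockfile.
scan_sbom() {
  osv-scanner --sbom "$SBOM_FILE"
}

# Sanity check before scanning: an SBOM built with --omit dev should contain no
# component carrying the cdx:npm:package:development property set to "true".
# Whitespace is stripped so the match does not depend on JSON pretty-printing.
# Returns 0 when no dev-flagged component is present, 1 otherwise.
sbom_has_no_dev_components() {
  file="$1"
  flat=$(tr -d ' \n\t' < "$file")
  case "$flat" in
    *'"name":"cdx:npm:package:development","value":"true"'*) return 1 ;;
  esac
  return 0
}

# Run the full pipeline only when invoked with "run", so the functions can be
# sourced or checked without requiring the tools to be installed.
if [ "${1:-}" = "run" ]; then
  generate_sbom
  sbom_has_no_dev_components "$SBOM_FILE" || {
    echo "SBOM still contains dev components; check the --omit flag" >&2
    exit 1
  }
  scan_sbom
fi
```

The property check is a plain substring match on the JSON, which is enough to catch the common failure mode (the `--omit dev` flag silently not applied) without pulling in `jq`; a CI job that also wants scan results as data can pass OSV-Scanner's own output format flags to `scan_sbom`.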