jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Dev dependency exclusion is not working properly #6520

Open sametr35 opened 8 months ago

sametr35 commented 8 months ago

Hi,

Even though we scan our JavaScript repository dependencies, excluding dev dependencies, vulnerabilities in dev dependencies are still being reported. We utilize the following configurations in GitHub Actions.

  - name: Generate dependency vulnerability list
    continue-on-error: true
    uses: dependency-check/Dependency-Check_Action@main
    id: depcheck
    with:
      project: 'Project Name'
      path: '.'
      format: 'ALL'
      args: >
        --nodeAuditSkipDevDependencies

Thanks.

sametr35 commented 8 months ago

+up

jeremylong commented 8 months ago

Please see the documentation: https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html

There are two analyzers that deal with nodeJS. So try:

--nodePackageSkipDevDependencies

Or even:

--disableNodeJS

I might go with the latter as the package analyzer needs to be re-written or thrown away.
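As an added check (not part of this issue or of dependency-check's own code): a small script that cross-references a dependency-check JSON report with package.json and lists the devDependencies that were still reported, so you can confirm after switching flags whether the exclusion actually took effect. It assumes the report's entries carry `packages[].id` purl values and a `vulnerabilities` list, and both the report and the package.json below are constructed samples.

```python
import json
from urllib.parse import unquote

# Constructed sample package.json (not taken from the issue).
PACKAGE_JSON = json.dumps({
    "dependencies": {"lodash": "4.17.15"},
    "devDependencies": {"@babel/core": "7.0.0", "mocha": "5.2.0"},
})

# Constructed sample in the report shape assumed here: "dependencies" entries
# carrying "packages" with purl "id" values plus a "vulnerabilities" list.
# Check this against the JSON your dependency-check version actually emits.
REPORT_JSON = json.dumps({"dependencies": [
    {"fileName": "lodash:4.17.15",
     "packages": [{"id": "pkg:npm/lodash@4.17.15"}],
     "vulnerabilities": [{"name": "CONSTRUCTED-1", "severity": "HIGH"}]},
    {"fileName": "@babel/core:7.0.0",
     "packages": [{"id": "pkg:npm/%40babel/core@7.0.0"}],
     "vulnerabilities": [{"name": "CONSTRUCTED-2", "severity": "LOW"}]},
    {"fileName": "mocha:5.2.0",
     "packages": [{"id": "pkg:npm/mocha@5.2.0"}]},
]})


def npm_name_from_purl(purl):
    """Package name from an npm purl (pkg:npm/%40scope/name@ver); None otherwise."""
    if not purl.startswith("pkg:npm/"):
        return None
    name_version = purl[len("pkg:npm/"):].split("?", 1)[0]
    # Version follows the last '@'; a scoped name starts with '@', so only
    # split when something precedes the separator.
    name, sep, _version = name_version.rpartition("@")
    return unquote(name if sep and name else name_version)


def dev_dependency_findings(report_text, package_json_text):
    """devDependencies that still carry vulnerabilities in the report."""
    dev_names = set(json.loads(package_json_text).get("devDependencies", {}))
    flagged = []
    for dep in json.loads(report_text).get("dependencies", []):
        if not dep.get("vulnerabilities"):
            continue  # clean entry, nothing to report
        for pkg in dep.get("packages", []):
            name = npm_name_from_purl(pkg.get("id", ""))
            if name in dev_names and name not in flagged:
                flagged.append(name)
    return flagged


print("devDependencies still reported:", dev_dependency_findings(REPORT_JSON, PACKAGE_JSON))
```

Run it against the real `dependency-check-report.json` and your repository's package.json; an empty list means the chosen skip flag removed the dev-dependency findings for that report.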