jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Zero Dependency-Check #6831

Open duvanquind opened 2 weeks ago

duvanquind commented 2 weeks ago

Look, I have a particular problem that I can't find the reason for: I am doing dependency analysis with this tool in a pipeline execution.

  1. Initially I run npm install -g yarn
  2. yarn install and yarn build
  3. After this I run the Azure DevOps plugin where I set the scan path, in this case the yarn.lock. Apparently the task is done correctly, but when I publish the vulnerabilities it does not generate any; they appear at zero. Any recommendations or ideas would be of great help to me. @jeremylong

chadlwilson commented 2 weeks ago

Assuming you are talking about https://marketplace.visualstudio.com/items?itemName=dependency-check.dependencycheck, keep in mind that the Azure DevOps extension is not built/owned by this project.

However, note that ODC does not work properly with the output from Yarn Berry (v2+). See https://github.com/jeremylong/DependencyCheck/issues/4894 and https://github.com/jeremylong/DependencyCheck/issues/4215

Which yarn version are you using and which format/version is your yarn.lock file?

Is the report generating at all? Do you see vulnerabilities with yarn audit manually?
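The two questions above (which yarn version, and which format the yarn.lock is in) can be answered mechanically before anything is handed to a scanner. The following is an added example, not code from dependency-check or from anyone in this thread: it tells a Yarn v1 lockfile (`# yarn lockfile v1` header, `version "x.y.z"` entries) apart from a Yarn Berry lockfile (`__metadata:` block, `version: x.y.z` entries), lists the resolved name/version pairs, and marks Berry files as the format the linked issues describe ODC as not handling properly. The two lockfile fragments embedded in it are constructed samples, and the function names are my own.

```python
"""Classify a yarn.lock as Yarn v1 or Yarn Berry (v2+) and list the packages it
resolves.  Added example; not part of OWASP dependency-check."""
import re
import sys
from typing import Dict, Optional, Set

# Constructed Yarn v1 lockfile fragment (hashes and URLs are placeholders).
YARN_V1_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@babel/code-frame@^7.0.0":
  version "7.10.4"
  resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.10.4.tgz#CONSTRUCTED"
  integrity sha512-CONSTRUCTED
  dependencies:
    "@babel/highlight" "^7.10.4"

lodash@^4.17.0, lodash@^4.17.15:
  version "4.17.21"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#CONSTRUCTED"
  integrity sha512-CONSTRUCTED
"""

# Constructed Yarn Berry (v2+) lockfile fragment for the same two packages.
YARN_BERRY_LOCK = """\
# This file is generated by running "yarn install" inside your project.
# Manual changes might be lost - proceed with caution!

__metadata:
  version: 6
  cacheKey: 8

"@babel/code-frame@npm:^7.0.0":
  version: 7.10.4
  resolution: "@babel/code-frame@npm:7.10.4"
  dependencies:
    "@babel/highlight": ^7.10.4
  checksum: CONSTRUCTED
  languageName: node
  linkType: hard

"lodash@npm:^4.17.0, lodash@npm:^4.17.15":
  version: 4.17.21
  resolution: "lodash@npm:4.17.21"
  checksum: CONSTRUCTED
  languageName: node
  linkType: hard
"""

# An entry header is an unindented line ending in ':' (the key may be quoted
# and may list several ranges separated by commas).
_ENTRY_RE = re.compile(r"^(?P<key>\S.*):\s*$")
# v1 writes `  version "1.2.3"`, Berry writes `  version: 1.2.3`; both are
# indented by exactly two spaces directly under the entry header.
_VERSION_RE = re.compile(r'^ {2}version:?\s+"?(?P<ver>[^"\s]+)"?\s*$')


def lockfile_format(text: str) -> str:
    """Return 'v1', 'berry' or 'unknown' based on the file's own markers."""
    if "# yarn lockfile v1" in text:
        return "v1"
    if re.search(r"^__metadata:\s*$", text, re.MULTILINE):
        return "berry"
    return "unknown"


def _package_name(key: str) -> str:
    """Turn 'name@range' / '"name@npm:range, name@npm:range2"' into 'name'.
    Scoped names start with '@', so the split is on the LAST '@'."""
    first = key.strip('"').split(",")[0].strip().strip('"')
    return first[: first.rindex("@")]


def parse_lockfile(text: str) -> Dict[str, Set[str]]:
    """Map each package name to the set of versions the lockfile resolves."""
    packages: Dict[str, Set[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = _ENTRY_RE.match(line)
        if m:
            key = m.group("key")
            current = None if key == "__metadata" else _package_name(key)
            continue
        m = _VERSION_RE.match(line)
        if m and current is not None:
            packages.setdefault(current, set()).add(m.group("ver"))
    return packages


def odc_compatibility(text: str) -> dict:
    """Summarise what a scanner would see. 'odc_supported' is True only for
    the v1 format; Berry output is the case the linked issues report as not
    handled properly."""
    fmt = lockfile_format(text)
    packages = parse_lockfile(text)
    return {
        "format": fmt,
        "package_count": len(packages),
        "odc_supported": fmt == "v1",
    }


if __name__ == "__main__":
    # Usage: python yarn_lock_check.py path/to/yarn.lock
    with open(sys.argv[1], encoding="utf-8") as fh:
        print(odc_compatibility(fh.read()))
```

Run it against the yarn.lock the pipeline actually hands to the extension: a `package_count` of zero from a file that `yarn audit` reports findings for means the file is not in a format this parser (or, per the issues above, ODC) understands, which is a different problem from the extension discarding a report it did receive.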

duvanquind commented 2 weeks ago

The version I am currently using is yarn version 1.22.22 and the yarn.lock file contains v1. And when I run the yarn audit it does generate a vulnerability report. @chadlwilson

chadlwilson commented 2 weeks ago

Try scanning your project with the ODC CLI on your local machine using similar configuration. If that works, then your problem is with the Azure DevOps plugin and you’ll have to ask them.

Anyway, you’re going to need to share more information than that for anyone to help. What you are doing, exactly. What you expect to see. What you actually see.