jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

How to exclude dev-dependency in report #6977

Open weihan1394 opened 1 month ago

weihan1394 commented 1 month ago

Following from the discussion from this issue created before (https://github.com/jeremylong/DependencyCheck/issues/1806)

Is there a way to exclude the dev-dependencies from the dependency-check scan? I realize that with --nodeAuditSkipDevDependencies it just does not scan the dev-dependencies, but in the HTML report it still reflects the dependency in dev-dependencies. Hope anyone could share more insight on whether it could be removed from the report.

Thank you.

jeremylong commented 1 month ago

Try adding --disableNodeJS. There are a couple of JS analyzers and that one can cause the dev dependencies to be included and there isn't a way to exclude them. You might also need to disable the retire JS analyzer.