porscheinformatik / sonarqube-licensecheck

SonarQube Licensecheck Plugin
Apache License 2.0

NPM utilize package-lock.json or yarn.lock for packages if node_modules not present #422

Open awoodobvio opened 4 months ago

awoodobvio commented 4 months ago

Had a tough time getting this plugin to work since we don't scan our code base with SonarQube with node_modules present. Our other license scanner uses package-lock.json or yarn.lock, and I was hoping this one would do the same.

Workaround: make sure npm ci or yarn install was called prior to running sonar-scanner.

awoodobvio commented 4 months ago

Would be good to at least get the list of packages and have them be "unknown" licenses if you can't infer (package-lock.json seems to have license information in the later versions, but yarn.lock doesn't). I'd rather have a quality gate fail than pass.
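One way to do what the request asks, as an added example that is not part of the plugin or the issue: read dependency names and licenses straight from a package-lock.json with lockfileVersion 2 or 3 (whose "packages" map carries a "license" field per entry), with no node_modules present, and report any package without that field as "unknown" so a license quality gate fails rather than passes. The sample lockfile is constructed; the function names are assumptions.

```javascript
// Added example, not the plugin's code: list dependencies and licenses from a
// lockfileVersion 2/3 package-lock.json without node_modules present.
// Packages whose entry has no "license" field are reported as "unknown".

// Constructed sample lockfile (not from any real project).
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0", license: "WTFPL" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/nested": { version: "0.1.0", license: "MIT", dev: true },
  },
});

// Map keys look like "node_modules/foo", "node_modules/@scope/foo" or, when
// nested, "node_modules/foo/node_modules/bar"; keep the last segment only.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

function listLicenses(lockText) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) {
    // lockfileVersion 1 only has a "dependencies" tree with no license data.
    throw new Error(`unsupported lockfileVersion ${lock.lockfileVersion}: no "packages" map`);
  }
  const result = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    const name = packageNameFromPath(lockPath);
    if (name === null) continue; // "" is the root project itself, not a dependency
    const hasLicense = typeof entry.license === "string" && entry.license.trim() !== "";
    result.push({
      name,
      version: entry.version,
      license: hasLicense ? entry.license : "unknown",
      dev: Boolean(entry.dev),
    });
  }
  return result;
}

// Names that should fail a gate configured to reject unknown licenses.
function unknownLicenses(lockText) {
  return listLicenses(lockText).filter((p) => p.license === "unknown").map((p) => p.name);
}
```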