Open awoodobvio opened 4 months ago
Would be good to at least get the list of packages and have them be "unknown" licenses if you can't infer (package-lock.json seems to have license information in the later versions, but yarn-lock doesn't). I'd rather have a quality gate fail than pass.
Had a tough time getting this plugin to work since we don't scan our code base with sonarqube with node_modules present. Our other license scanner uses package-lock.json or yarn.lock and was hoping this one would do the same.
Workaround: make sure `npm ci` or `yarn install` was called prior to running sonar-scanner.
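As an added illustration of the feature the issue asks for (listing packages from a lockfile and marking those whose license cannot be inferred as "unknown"), the script below is example code, not part of this plugin. It assumes the npm 7+ lockfile layout (lockfileVersion 2/3, a flat `packages` map whose entries may carry a `license` or legacy `licenses` field) and, for lockfileVersion 1, a nested `dependencies` tree with no license data at all, so every package there comes out as "unknown". Both lockfile samples are constructed for the example.

```python
import json
from typing import Any, Dict, List

UNKNOWN = "unknown"

# Constructed lockfileVersion 3 sample, not from any real project. Layout assumed
# from npm 7+ lockfiles: a flat "packages" map keyed by install path, where an
# entry may carry "license" (string or {type, url}) or legacy "licenses" (list).
SAMPLE_LOCK_V3 = """{
  "name": "demo-app",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "demo-app", "version": "1.0.0" },
    "node_modules/left-pad": { "version": "1.3.0", "license": "WTFPL" },
    "node_modules/legacy-lib": { "version": "2.0.0",
      "license": { "type": "MIT", "url": "https://example.invalid/MIT" } },
    "node_modules/@scope/multi": { "version": "0.4.0",
      "licenses": [ { "type": "Apache-2.0" }, { "type": "MIT" } ] },
    "node_modules/mystery": { "version": "0.1.0" }
  }
}"""

# Constructed lockfileVersion 1 sample: nested "dependencies", no license fields.
SAMPLE_LOCK_V1 = """{
  "name": "old-app",
  "lockfileVersion": 1,
  "dependencies": {
    "left-pad": { "version": "1.3.0",
      "dependencies": { "nested-dep": { "version": "9.9.9" } } }
  }
}"""


def normalize_license(value: Any) -> str:
    """Reduce the shapes a license field can take to one string, else "unknown"."""
    if isinstance(value, str) and value.strip():
        return value.strip()
    if isinstance(value, dict):                      # {"type": "MIT", "url": ...}
        return normalize_license(value.get("type"))
    if isinstance(value, list):                      # legacy "licenses": [{...}, ...]
        parts = [p for p in (normalize_license(v) for v in value) if p != UNKNOWN]
        return " OR ".join(parts) if parts else UNKNOWN
    return UNKNOWN


def _name_from_path(path: str, entry: Dict[str, Any]) -> str:
    # Aliased installs carry an explicit "name"; otherwise use the segment
    # after the last "node_modules/" (keeps the @scope/ prefix).
    return entry.get("name") or path.rsplit("node_modules/", 1)[-1]


def licenses_from_package_lock(text: str) -> Dict[str, str]:
    """Map package name -> license string, "unknown" where nothing can be inferred."""
    data = json.loads(text)
    found: Dict[str, str] = {}

    packages = data.get("packages")
    if isinstance(packages, dict):                   # lockfileVersion 2/3
        for path, entry in packages.items():
            if path == "":
                continue                             # the root project itself
            raw = entry.get("license", entry.get("licenses"))
            found[_name_from_path(path, entry)] = normalize_license(raw)
        return found

    def walk(deps: Dict[str, Any]) -> None:          # lockfileVersion 1 tree
        for name, entry in deps.items():
            found.setdefault(name, UNKNOWN)          # v1 never records licenses
            walk(entry.get("dependencies", {}))

    walk(data.get("dependencies", {}))
    return found


def unknown_packages(licenses: Dict[str, str]) -> List[str]:
    """Names a quality gate could fail on: packages with no inferable license."""
    return sorted(name for name, lic in licenses.items() if lic == UNKNOWN)


if __name__ == "__main__":
    for label, text in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        licenses = licenses_from_package_lock(text)
        for name, lic in sorted(licenses.items()):
            print(f"{label}: {name}: {lic}")
        missing = unknown_packages(licenses)
        print(f"{label}: {len(missing)} package(s) without a known license: {missing}")
```

Failing the gate when `unknown_packages()` is non-empty gives the "fail rather than pass" behaviour the issue prefers; with a yarn.lock or a v1 package-lock.json every package lands in that list, which is the honest result when the lockfile carries no license data.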