With the release of Dependency-Check v6.1.0 (and subsequent fixes in v6.1.1), Yarn auditing is supported natively.

In this plugin, the logs that I receive during my CI pipeline suggest that Yarn is not directly supported.

INFO: Sensor Dependency-Check [dependencycheck]
INFO: Process Dependency-Check report
INFO: Using JSON-Reportparser
INFO: No project configuration file, e.g. pom.xml, *.gradle, *.gradle.kts, package-lock.json found, therefore it isn't possible to correctly link dependencies with files.

Where the project's sonar-project.properties contains the value:

sonar.sources=src,yarn.lock

Describe the solution you'd like

This plugin should support Yarn now that Dependency-Check supports auditing with yarn audit --verbose with the file yarn.lock.