Open
Description
With the release of Dependency-Check v6.1.0 (and subsequent fixes in v6.1.1), Yarn auditing is supported natively. In this plugin, the logs that I receive during my CI pipeline suggest that Yarn is not directly supported:
INFO: Sensor Dependency-Check [dependencycheck]
INFO: Process Dependency-Check report
INFO: Using JSON-Reportparser
INFO: No project configuration file, e.g. pom.xml, *.gradle, *.gradle.kts, package-lock.json found, therefore it isn't possible to correctly link dependencies with files.
Where the project's sonar-project.properties contains the value:
sonar.sources=src,yarn.lock
Describe the solution you'd like
This plugin should support Yarn now that Dependency-Check supports auditing with yarn audit --verbose with the file yarn.lock.
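As an added example (not code from the issue or from the plugin), a small Python script that reads a Dependency-Check JSON report and lists which findings were derived from a lock file, so you can confirm that the scanner side actually picked up yarn.lock before looking at the plugin's report linkage. The report field names and the "<lockfile>?<package>" filePath convention are assumptions about the report layout, and the sample report is constructed.

```python
import json
from collections import defaultdict

# Constructed sample of a Dependency-Check JSON report, trimmed to the
# fields this script reads. Not a real scan result.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {   # virtual dependency the Yarn audit analyzer derives from yarn.lock
            "isVirtual": True,
            "fileName": "yarn.lock?lodash",
            "filePath": "/ci/workspace/yarn.lock?lodash",
            "vulnerabilities": [
                {"source": "NPM", "name": "1523", "severity": "high"},
            ],
        },
        {   # ordinary file-backed dependency with no findings
            "isVirtual": False,
            "fileName": "commons-io-2.6.jar",
            "filePath": "/ci/workspace/lib/commons-io-2.6.jar",
        },
    ],
})


def lock_file_of(dep):
    """Return the lock file a virtual dependency came from, or None.

    Assumption: the Node/Yarn audit analyzers encode the origin as
    '<lockfile>?<package>' in filePath. Adjust if your report differs.
    """
    base = dep.get("filePath", "").split("?", 1)[0]
    return base if base.endswith(("yarn.lock", "package-lock.json")) else None


def summarize_lock_findings(report_text):
    """Map each lock file to a list of (package, vulnerability id, severity)."""
    report = json.loads(report_text)
    findings = defaultdict(list)
    for dep in report.get("dependencies", []):
        lock = lock_file_of(dep)
        if lock is None:
            continue
        package = dep.get("fileName", "").split("?", 1)[-1]
        for vuln in dep.get("vulnerabilities", []):
            findings[lock].append((package, vuln.get("name"), vuln.get("severity")))
    return dict(findings)


if __name__ == "__main__":
    for lock, rows in summarize_lock_findings(SAMPLE_REPORT).items():
        print(lock)
        for package, vuln_id, severity in rows:
            print(f"  {package}: {vuln_id} ({severity})")
```

An empty result for a report produced from a project with a yarn.lock means the scanner never analyzed the lock file, which is a different problem from the plugin failing to link dependencies to files.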
Labels: Indicates that an issue or PR should not be auto-closed due to staleness.