Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support Yarn #367

Open
quinnturner opened this issue Feb 20, 2021 · 9 comments
Open

Support Yarn #367

quinnturner opened this issue Feb 20, 2021 · 9 comments
Labels
enhancement lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.

Comments

@quinnturner
Copy link

quinnturner commented Feb 20, 2021
edited
Loading

With the release of Dependency-Check v6.1.0 (and subsequent fixes in v6.1.1), Yarn auditing is supported natively.

In this plugin, the logs that I receive during my CI pipeline suggest that Yarn is not directly supported.

INFO: Sensor Dependency-Check [dependencycheck]
INFO: Process Dependency-Check report
INFO: Using JSON-Reportparser
INFO: No project configuration file, e.g. pom.xml, *.gradle, *.gradle.kts, package-lock.json found, therefore it isn't possible to correctly link dependencies with files.

Where the project's sonar-project.properties contains the value:

sonar.sources=src,yarn.lock

Describe the solution you'd like

This plugin should support Yarn now that Dependency-Check supports auditing with yarn audit --verbose with the file yarn.lock.
@quinnturner quinnturner changed the title Support Yarn auditing Support Yarn Feb 20, 2021
@Reamer
Copy link
Member

Reamer commented Feb 22, 2021

Hi @quinnturner,
could you please add a small yarn sample project. So that we are able to generate a dependency check report with yarn dependencies.

@bhoudu
Copy link

bhoudu commented May 25, 2021

one lazy sidestep is to use https://github.com/imsnif/synp to work with yarn.lock file

@sunmorgus
Copy link

Attached is a simple project (hubot, generated using https://github.com/HelloRusk/generator-hubot-yarn) that has a yarn.lock file. The aforementioned project also has a yarn.lock file available for review: https://github.com/HelloRusk/generator-hubot-yarn/blob/master/yarn.lock)

Archive.zip

@github-actions
Copy link

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 19, 2022
@Reamer Reamer added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jan 19, 2022
@LvffY
Copy link

LvffY commented Oct 23, 2022

Is there any update on this ? Or any known workaround ?

@DPirate
Copy link

DPirate commented Aug 25, 2023

hello, any update regarding this?

@cpoftea
Copy link

cpoftea commented Oct 12, 2023

Encountered the same issue. Up

@obriat
Copy link

obriat commented May 2, 2024

Same with php's composer.lock (experimental).
This plugin should add a dummy language for thoses files in order to be reported in sonar.
Related to #677

@obriat
Copy link

obriat commented May 3, 2024
edited
Loading

Sonarqube support suggests to "add **/*.lock &etc to the Administration → Languages → Secrets → List of file path patterns"
https://community.sonarsource.com/t/depency-check-and-files-indexed-with-no-language/114604
But it should be cleaner that this plugin provide a specific ".lock" language so lock files will be available into sonar reports
[Edit]
Incorrect solution this settings is about excluding binary files :(

IMHO this plugin should provide a way to force sonar to follow all untracked files returns by depency-check analysis, a failsafe dummy language ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@Reamer @bhoudu @sunmorgus @quinnturner @DPirate @obriat @cpoftea @LvffY