Support Yarn

[quinnturner]

With the release of Dependency-Check v6.1.0 (and subsequent fixes in v6.1.1), Yarn auditing is supported natively.

In this plugin, the logs that I receive during my CI pipeline suggest that Yarn is not directly supported.

INFO: Sensor Dependency-Check [dependencycheck]
INFO: Process Dependency-Check report
INFO: Using JSON-Reportparser
INFO: No project configuration file, e.g. pom.xml, *.gradle, *.gradle.kts, package-lock.json found, therefore it isn't possible to correctly link dependencies with files.

Where the project's sonar-project.properties contains the value:

sonar.sources=src,yarn.lock

Describe the solution you'd like

This plugin should support Yarn now that Dependency-Check supports auditing with yarn audit --verbose with the file yarn.lock.

[Reamer]

Hi @quinnturner,
could you please add a small yarn sample project. So that we are able to generate a dependency check report with yarn dependencies.

[bhoudu]

one lazy sidestep is to use https://github.com/imsnif/synp to work with yarn.lock file

[sunmorgus]

Attached is a simple project (hubot, generated using https://github.com/HelloRusk/generator-hubot-yarn) that has a yarn.lock file. The aforementioned project also has a yarn.lock file available for review: https://github.com/HelloRusk/generator-hubot-yarn/blob/master/yarn.lock)

Archive.zip

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

[LvffY]

Is there any update on this ? Or any known workaround ?

[DPirate]

hello, any update regarding this?

[cpoftea]

Encountered the same issue. Up

[obriat]

Same with php's composer.lock (experimental).
This plugin should add a dummy language for thoses files in order to be reported in sonar.
Related to #677

[obriat]

Sonarqube support suggests to "add **/*.lock &etc to the Administration → Languages → Secrets → List of file path patterns"
https://community.sonarsource.com/t/depency-check-and-files-indexed-with-no-language/114604
But it should be cleaner that this plugin provide a specific ".lock" language so lock files will be available into sonar reports
[Edit]
Incorrect solution this settings is about excluding binary files :(

IMHO this plugin should provide a way to force sonar to follow all untracked files returns by depency-check analysis, a failsafe dummy language ?