With the release of Dependency-Check v6.1.0 (and subsequent fixes in v6.1.1), Yarn auditing is supported natively.
In this plugin, the logs that I receive during my CI pipeline suggest that Yarn is not directly supported.
INFO: Sensor Dependency-Check [dependencycheck]
INFO: Process Dependency-Check report
INFO: Using JSON-Reportparser
INFO: No project configuration file, e.g. pom.xml, *.gradle, *.gradle.kts, package-lock.json found, therefore it isn't possible to correctly link dependencies with files.
Where the project's sonar-project.properties contains the value:
sonar.sources=src,yarn.lock
Describe the solution you'd like
This plugin should support Yarn now that Dependency-Check supports auditing via yarn audit --verbose against the project's yarn.lock file.