- SQ version:
Community v25.5.0.107428, Dependency Check plugin v.5.0.0
Docker
- What are you trying to achieve:
I scan a project that has two package-lock.json files. One is located at the frontend/package-lock.json path and one is located at the backend/package-lock.json path.
This is the part of the JSON report file which shows where the vulnerable library was detected:
{
  "evidenceCollected": {
    "productEvidence": [
      {
        "confidence": "HIGHEST",
        "name": "name",
        "source": "package.json",
        "type": "product",
        "value": "store2"
      }
    ],
    "vendorEvidence": [
      {
        "confidence": "HIGH",
        "name": "name",
        "source": "package.json",
        "type": "vendor",
        "value": "store2"
      }
    ],
    "versionEvidence": [
      {
        "confidence": "HIGHEST",
        "name": "version",
        "source": "package.json",
        "type": "version",
        "value": "2.14.2"
      }
    ]
  },
  "fileName": "store2:2.14.2",
  "filePath": "/code/source/frontend/package-lock.json?store2",
  "isVirtual": true,
  "packages": [
    {
      "confidence": "HIGHEST",
      "id": "pkg:npm/store2@2.14.2",
      "url": "https://ossindex.sonatype.org/component/pkg:npm/store2@2.14.2?utm_source=dependency-check&utm_medium=integration&utm_content=12.1.0"
    }
  ],
  . . .
Also a screenshot of the HTML report file:
If I look at the issue from the project's SonarQube issue dashboard, the issue is assigned to the package-lock.json located at backend/package-lock.json.
Another screenshot of some vulnerable libraries with the wrong file path:
- What have you tried so far to achieve this:
I looked to see if there were any settings I could change on the SonarQube/plugin side of Dependency-Check but couldn't find anything.
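A quick way to check which lock file the Dependency-Check report itself attributes each vulnerable dependency to, so the result can be compared against what the SonarQube dashboard shows. This is an added example, not code from the original post or from the Dependency-Check or SonarQube projects; it assumes the report layout shown above (a top-level "dependencies" list whose entries carry "filePath" in the form "<lock file>?<package>" and a "vulnerabilities" list), and the sample report embedded below is constructed.

```python
"""Group Dependency-Check JSON report entries by the lock file they came from."""
import json
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample report: two virtual npm dependencies from two lock files.
# The CVE id is a placeholder, not a real identifier.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "store2:2.14.2", "isVirtual": True,
         "filePath": "/code/source/frontend/package-lock.json?store2",
         "packages": [{"id": "pkg:npm/store2@2.14.2"}],
         "vulnerabilities": [{"name": "CVE-PLACEHOLDER-1", "severity": "HIGH"}]},
        {"fileName": "example-lib:1.0.0", "isVirtual": True,
         "filePath": "/code/source/backend/package-lock.json?example-lib",
         "packages": [{"id": "pkg:npm/example-lib@1.0.0"}],
         "vulnerabilities": []},
    ]
})


def lock_file_of(file_path: str, base_dir: str) -> str:
    """Strip the '?<package>' suffix and make the path relative to the scan root."""
    path = PurePosixPath(file_path.split("?", 1)[0])
    try:
        return str(path.relative_to(base_dir))
    except ValueError:
        # Not under the scan root (unexpected); keep the absolute path as-is.
        return str(path)


def vulnerable_by_lock_file(report_json: str, base_dir: str = "/code/source") -> dict:
    """Map each lock file to the package ids that have at least one vulnerability."""
    report = json.loads(report_json)
    result = defaultdict(list)
    for dep in report.get("dependencies", []):
        if not dep.get("vulnerabilities"):
            continue  # clean dependency, nothing to attribute
        lock_file = lock_file_of(dep["filePath"], base_dir)
        for pkg in dep.get("packages", []):
            result[lock_file].append(pkg["id"])
    return dict(result)


if __name__ == "__main__":
    # Load a real report with json.load(open("dependency-check-report.json")) instead.
    for lock_file, pkgs in vulnerable_by_lock_file(SAMPLE_REPORT).items():
        print(f"{lock_file}: {', '.join(pkgs)}")
```

If this listing places store2 under frontend/package-lock.json while the dashboard shows it under backend/package-lock.json, the report is right and the mismatch is introduced on the import side.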