Marco Faustinelli

Reputation: 4226

owasp-dependency-check: JavaScript code is not analyzed

I am trying to use the NPM module owasp-dependency-check in order to highlight possible vulnerabilities in the code of my web project. I have installed version 0.0.18, the latest.

I want to analyse the custom code I wrote (directory src) and the libraries my project depends on (directory node_modules).

The task in package.json (section scripts) reads:

"test:dependency": "owasp-dependency-check --project \"MY_PROJECT\" --scan \"src\" --scan \"node_modules\" --exclude \"dependency-check-bin\" --out \"owasp\" --format HTML"

After the launch, it seems that the instructions have been specified correctly:

owasp-dependency-check: Running the dependency check ...
/home/workspace/MY_PROJECT/dependency-check-bin/dependency-check/bin/dependency-check.sh --out=owasp --project MY_PROJECT --scan src --scan node_modules --exclude dependency-check-bin --format HTML --data=/tmp/dependency-check-data

After about 10 minutes of execution, I find a file owasp/dependency-check-report.html with a size of 61MB (!?!). I view it in the browser and it contains the analysis of the sole directory dependency-check-bin, which is the directory where the owasp-dependency-check NPM module installs some executables and which I explicitly try to skip in the analysis.

[screenshot: dependency-check-report]

(ironically, there are 6 medium-to-critical vulnerabilities in the libraries that the dependency checker itself uses...)

My question is: what is wrong with my task definition in package.json? How should I invoke owasp-dependency-check in order to scan node_modules and src?

Upvotes: 3

Views: 6181

Answers (1)

Marco Faustinelli

Reputation: 4226

The answer was given to me by one of the maintainers of the NPM module.

In the case of JavaScript the scan does not involve directories, but the single package-lock.json file.

The correct task definition is therefore:

"test:dependency": "owasp-dependency-check --project \"MY_PROJECT\" --scan \"package-lock.json\" --exclude \"dependency-check-bin\" --out \"owasp\" --format HTML"

Upvotes: 6
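A small CI gate over the resulting report, as an added example that is not part of the question or answer: it assumes the corrected task above was run with --format JSON instead of HTML (JSON is one of the report formats dependency-check supports) and reads the report's dependencies[].vulnerabilities[] entries, whose fileName/filePath/severity/name keys are assumed from that format; the sample report below is constructed. It also detects the failure mode from the question, a report whose only entries come from the scanner's own dependency-check-bin directory.

```python
import json
from collections import Counter

# Constructed sample shaped like a dependency-check JSON report (--format JSON).
# Only the keys this script reads are present; CVE ids and scores are made up.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "package-lock.json: lodash",
            "filePath": "/home/workspace/MY_PROJECT/package-lock.json?lodash",
            "vulnerabilities": [
                {"name": "CVE-0000-0001", "severity": "HIGH", "cvssv3": {"baseScore": 7.5}},
                {"name": "CVE-0000-0002", "severity": "MEDIUM", "cvssv3": {"baseScore": 5.3}},
            ],
        },
        {
            # An entry from the scanner's own install directory, which the
            # question tried to --exclude; it is noise, not project code.
            "fileName": "some-lib-1.0.jar",
            "filePath": "/home/workspace/MY_PROJECT/dependency-check-bin/dependency-check/lib/some-lib-1.0.jar",
            "vulnerabilities": [
                {"name": "CVE-0000-0003", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
            ],
        },
    ]
})

SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]


def summarize(report_text, ignore_dirs=("dependency-check-bin",)):
    """Count findings by severity, skipping dependencies located under any
    path component listed in ignore_dirs.  Returns (counts, scanner_only,
    findings); scanner_only is True when nothing but ignored entries was
    scanned, i.e. the --scan targets were wrong (the situation in the question)."""
    report = json.loads(report_text)
    counts, findings, project_seen = Counter(), [], False
    for dep in report.get("dependencies", []):
        components = dep.get("filePath", "").split("/")
        if any(d in components for d in ignore_dirs):
            continue
        project_seen = True
        for vuln in dep.get("vulnerabilities", []):
            sev = vuln.get("severity", "UNKNOWN").upper()
            counts[sev] += 1
            findings.append((dep.get("fileName"), vuln.get("name"), sev))
    return counts, not project_seen, findings


def should_fail(counts, threshold="HIGH"):
    """True when any finding is at or above the given severity threshold."""
    at_or_above = SEVERITY_ORDER[SEVERITY_ORDER.index(threshold):]
    return any(counts.get(sev, 0) for sev in at_or_above)
```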
