Current Behavior
Hi, I'm not sure yet whether this should be seen as a question, request or bug report.
I've noticed that DT lists package-lock.json as a component. It kind of makes sense when looking at the dependency tree, but otherwise it's not really a component of the app. It also does not have any license information and hence gets flagged as unresolved.
I don't know if the license would be picked up if I had any in my package.json, but if it did it would be a non-free license (company internal) and then show up as a false positive policy violation.
It might also just be an issue with trivy, which generated:
Proposed Behavior
I'm not sure if it should be a component at all. If so, shouldn't it have the name of my app instead of package-lock.json?
Given that it makes sense to have this at all - I'd need a way to tell DT that this is my component and that the license information of this very component is to be ignored (not its children, though).
It might suffice if in the policy editor I'd be able to add a condition like componentName != package-lock.json. But there currently doesn't seem to be a way to use component names in conditions.
Checklist