2
votes

I'm testing out JFrog Xray combined with Artifactory, and have deployed a Node.js npm project as a build to Artifactory, which has then been scanned by Xray. (Using this guide)

In my package.json I've included a dependency I know has a vulnerability (lodash 4.17.10). When I view the project in Xray, the status is "Scanned - no issues". I'd also expect to see the project dependencies in Xray, but I don't see any of these.

Should I be able to see the dependencies for the npm build? As the project depends on a vulnerable package, I think it's strange that Xray says there are no issues.


1 Answer

2
votes

When you run the `npm install` command via the npm client, it resolves the package.json dependencies from the Artifactory npm repo; these resolved dependencies will be scanned automatically by Xray if the npm repo has been marked for indexing (scanning).

Please add more details on how you deployed your project and resolved its dependencies.