I'm testing out JFrog Xray combined with Artifactory, and have deployed a nodejs npm project as a build to Artifactory, which then has been scanned by Xray. (Using this guide)
In my package.json I've included a dependency I know have a vulnerability(lodash 4.17.10). When I view the project in Xray, the status is "Scanned - no issues". I'd also expect to see the project dependencies from Xray, but I don't see any of these.
Should I be able to see the dependencies for the npm build? As the project depends on a vulnerable package, I think it's strange that Xray say there is no issues.