Managing Translation of NPM Dependencies
By default, Fortify Static Code Analyzer translates only the NPM dependencies that the project code imports. Three options control the translation of NPM dependencies:
- The com.fortify.sca.follow.imports property is enabled by default and directs Fortify Static Code Analyzer to resolve all imported files (including NPM dependencies) used in the project and include them in the translation. To locate imported files within the project, Fortify Static Code Analyzer uses a resolution algorithm similar to the one Node.js uses (see the Node.js website for details). Setting this property to false prevents imported NPM dependencies that are not explicitly included on the command line from being included in the translation.
- The com.fortify.sca.exclude.unimported.node.modules property is enabled by default and directs Fortify Static Code Analyzer to exclude node_modules directories that the project does not reference. This default avoids translating dependencies that the final project does not need, such as those required only by the build system. Setting this property to false causes Fortify Static Code Analyzer to include in the translation all modules discovered during resolution (with the com.fortify.sca.follow.imports property enabled), including those the project does not reference.
- You can use the -exclude option together with the two properties described above to exclude specific modules. This option takes precedence over the property settings described above.
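The following script is an added example and is not part of the Fortify documentation or the Fortify product. It audits a project the way the two properties above treat it: it lists the node_modules packages that the project sources actually import, reports the installed packages that nothing imports, and then builds a sourceanalyzer translation command that sets both properties explicitly (via -D<property>=<value>, the usual way Fortify properties are passed on the command line) and adds a -exclude for every unreferenced package. Assumptions not stated on the page: only .js, .mjs and .ts files are scanned; only static require() and import ... from specifiers are recognized; and the -exclude file specifier is written as <dir>/**/* to cover a whole package directory. The sample project in the test is constructed for the example.

```shell
#!/bin/sh
# Added example, not taken from the Fortify documentation: audit which
# node_modules packages the project source actually imports and turn the
# rest into explicit -exclude arguments for sourceanalyzer.
# Assumptions (not stated on the page): only .js/.mjs/.ts files are scanned,
# only static require()/import-from specifiers are recognized, and Fortify
# file specifiers accept the recursive pattern "<dir>/**/*".

# Print the bare package names imported by project sources (node_modules is
# skipped). "lodash/fp" maps to "lodash", "@scope/pkg/sub" to "@scope/pkg".
# Relative specifiers ("./local") are ignored; Node built-ins such as "fs"
# are listed but never match an installed package.
referenced_modules() {
  find "$1" -path '*/node_modules' -prune -o \
       \( -name '*.js' -o -name '*.mjs' -o -name '*.ts' \) \
       -exec grep -hoE "(require\(|from )[[:space:]]*['\"][^'\"./][^'\"]*['\"]" {} + 2>/dev/null |
    sed -E "s/^(require\(|from )[[:space:]]*['\"]//; s/['\"]\$//" |
    awk -F/ '$1 ~ /^@/ { print $1 "/" $2; next } { print $1 }' |
    LC_ALL=C sort -u
}

# Print every installed top-level package, scoped packages as @scope/name.
installed_modules() {
  for p in "$1"/node_modules/*/ "$1"/node_modules/@*/*/; do
    [ -d "$p" ] || continue
    p=${p%/}; name=${p##*/}; parent=${p%/*}; parent=${parent##*/}
    case "$parent" in
      node_modules) case "$name" in @*|.*) ;; *) echo "$name" ;; esac ;;
      @*) echo "$parent/$name" ;;
    esac
  done | LC_ALL=C sort -u
}

# Installed packages that no project source imports: with the default
# exclude.unimported.node.modules=true these are the ones Fortify skips.
unreferenced_modules() {
  refs=$(referenced_modules "$1")
  installed_modules "$1" | while IFS= read -r m; do
    printf '%s\n' "$refs" | grep -Fxq -- "$m" || echo "$m"
  done
}

# Build (and run) the translation command for project $1 with build ID $2.
# Both properties are set to their defaults explicitly so the intent is
# visible in CI logs; the -exclude arguments win over the properties anyway.
# With DRY_RUN=1, or when sourceanalyzer is not installed, the arguments are
# printed one per line instead of being executed.
fortify_translate() {
  proj=$1; build_id=$2
  set -- sourceanalyzer -b "$build_id" \
    -Dcom.fortify.sca.follow.imports=true \
    -Dcom.fortify.sca.exclude.unimported.node.modules=true
  for m in $(unreferenced_modules "$proj"); do
    set -- "$@" -exclude "$proj/node_modules/$m/**/*"
  done
  set -- "$@" "$proj"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$@"
  elif ! command -v sourceanalyzer >/dev/null 2>&1; then
    echo "sourceanalyzer not found; printing the command instead" >&2
    printf '%s\n' "$@"
  else
    "$@"
  fi
}
```

Run `unreferenced_modules /path/to/project` first and review the list before passing it to `fortify_translate`. The scan is a static heuristic: a package loaded only through a dynamic `require(name)` or a build-time loader will not appear as referenced, so either keep such packages out of the -exclude set by hand or accept that they are excluded, which is also what the default property settings do for anything the resolver cannot follow.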
See Also