Managing issue detection in NPM dependencies

By default, OpenText SAST does not report issues in NPM dependencies (files in the node_modules directory). This is configured with the com.fortify.sca.exclude.node.modules property, which is set to true by default.

Setting the com.fortify.sca.exclude.node.modules property to false directs OpenText SAST to use the following two properties, which determine what results to report for NPM dependencies:

  • The com.fortify.sca.follow.imports property is enabled by default and directs OpenText SAST to resolve all imported files (including NPM dependencies) used in the project and include them in the translation and the subsequent analysis. To locate imported files within the project, OpenText SAST uses a module-resolution algorithm similar to the one Node.js uses (see the Node.js website for details).

    Setting this property to false prevents imported NPM dependencies that are not explicitly included on the command-line from being included in the translation and analysis.

  • The com.fortify.sca.exclude.unimported.node.modules property is enabled by default and directs OpenText SAST to exclude node_modules directories that are not referenced by the project. This property is enabled by default to avoid translating dependencies that the final project does not need, such as those required only by the build system.

    Setting this property to false causes OpenText SAST to include in the translation (and subsequent analysis) all modules discovered during resolution (with the com.fortify.sca.follow.imports property enabled) that are not referenced by the project.

You can use the -exclude option together with the two properties listed previously to specifically exclude modules. Use of this option takes precedence over the previously described property configurations.

OpenText does not recommend using the -exclude option to exclude node modules if com.fortify.sca.exclude.node.modules is set to true, because it can change the quality of the results.
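The following script is an added example and is not part of the OpenText documentation or the product. It assembles the sourceanalyzer translation command line for each of the node_modules policies described above, using the -D<property>=<value> form to set the three properties for a single run, and shows the -exclude carve-out that takes precedence over them. The build ID "webapp", the source directory "src", the module name "left-pad" and the glob form of the -exclude pattern are assumptions for illustration; replace them with your project's values.

```shell
#!/bin/sh
# Added example, not from the OpenText documentation: assembles the
# sourceanalyzer translation command for each node_modules policy described
# above. The build ID "webapp", the source directory "src", the module
# name "left-pad" and the glob form of the -exclude pattern are assumptions.
set -eu

BUILD_ID="webapp"
SRC_DIR="src"
SCA="${SCA_BIN:-sourceanalyzer}"   # assumed on PATH; override with SCA_BIN

# Policy 1 (the default): node_modules is not reported on at all. Stating
# the property explicitly makes the intent visible in build logs.
cmd_ignore_node_modules() {
  printf '%s -b %s -Dcom.fortify.sca.exclude.node.modules=true %s\n' \
    "$SCA" "$BUILD_ID" "$SRC_DIR"
}

# Policy 2: report issues in the dependencies the project actually imports.
# follow.imports and exclude.unimported.node.modules keep their default of
# true, so only modules reached from the project's own imports are translated.
cmd_imported_deps_only() {
  printf '%s -b %s -Dcom.fortify.sca.exclude.node.modules=false %s\n' \
    "$SCA" "$BUILD_ID" "$SRC_DIR"
}

# Policy 3: translate everything found under node_modules, including modules
# nothing in the project imports (build-only tooling, for example). This is
# the largest and noisiest scan; use it when auditing the whole dependency tree.
cmd_all_deps() {
  printf '%s -b %s -Dcom.fortify.sca.exclude.node.modules=false -Dcom.fortify.sca.exclude.unimported.node.modules=false %s\n' \
    "$SCA" "$BUILD_ID" "$SRC_DIR"
}

# Policy 4: like policy 2, but carve one already-vetted module out with
# -exclude, which takes precedence over the property settings.
cmd_imported_deps_minus_module() {
  mod="${1:-left-pad}"   # placeholder module name (assumption)
  printf '%s -b %s -Dcom.fortify.sca.exclude.node.modules=false -exclude "**/node_modules/%s/**" %s\n' \
    "$SCA" "$BUILD_ID" "$mod" "$SRC_DIR"
}

# Sanity check before trusting a scan: classify what a command line actually
# says about node_modules, so a CI job can refuse an unexpected policy.
node_modules_policy() {
  case "$1" in
    *exclude.unimported.node.modules=false*) echo "all-deps" ;;
    *exclude.node.modules=false*)            echo "imported-deps" ;;
    *)                                       echo "ignore-node-modules" ;;
  esac
}

# Print the commands; execute them only when RUN=1 and sourceanalyzer exists.
for c in cmd_ignore_node_modules cmd_imported_deps_only cmd_all_deps cmd_imported_deps_minus_module; do
  line="$($c)"
  printf '# policy: %s\n' "$(node_modules_policy "$line")"
  printf '%s\n' "$line"
  if [ "${RUN:-0}" = "1" ] && command -v "$SCA" >/dev/null 2>&1; then
    eval "$line"
  fi
done
```

The -D form sets a property for that translation only; to make a policy permanent for an installation, put the same property=value lines in fortify-sca.properties instead. Run the script with RUN=1 to execute the commands rather than just print them.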

See Also

Examples of Excluding node_modules Dependencies