NPM dependencies

By default, OpenText SAST does not report issues in NPM dependencies (files in the node_modules directory). This is configured with the com.fortify.sca.exclude.node.modules property, which is set to true by default.

OpenText does not recommend using the -exclude option to exclude node modules if com.fortify.sca.exclude.node.modules is set to true, because it can change the quality of the results.
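A pre-flight check for CI that flags the combination described above before a scan runs. This is an added example, not OpenText code. It assumes the properties file uses key=value lines and that a -D argument on the sourceanalyzer command line overrides the file. The function names, build ID and paths are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: pre-flight lint for a sourceanalyzer command line.
# Assumptions: the properties file uses key=value lines, and a
# -D<property>=<value> argument overrides the file.

PROP=com.fortify.sca.exclude.node.modules

# Print the effective value of the property: command-line -D override first,
# then the properties file, then the documented default (true).
effective_exclude_node_modules() {
  local props_file=$1 value="" arg
  shift
  for arg in "$@"; do
    case $arg in
      "-D$PROP="*) value=${arg#*=} ;;
    esac
  done
  if [ -z "$value" ] && [ -f "$props_file" ]; then
    value=$(sed -n "s/^[[:space:]]*$PROP[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p" \
      "$props_file" | tail -n 1)
  fi
  printf '%s\n' "${value:-true}"
}

# Succeed (exit 0) when an -exclude argument targets node_modules while the
# property is still effectively true, the combination the page advises against.
has_node_modules_exclude_conflict() {
  local props_file=$1 prev="" arg conflict=1
  shift
  [ "$(effective_exclude_node_modules "$props_file" "$@")" = true ] || return 1
  for arg in "$@"; do
    if [ "$prev" = -exclude ]; then
      case $arg in *node_modules*) conflict=0 ;; esac
    fi
    prev=$arg
  done
  return "$conflict"
}

# Constructed demo: a properties file and a CI scan command (made-up values).
demo_props=$(mktemp)
printf '%s=true\n' "$PROP" > "$demo_props"
if has_node_modules_exclude_conflict "$demo_props" \
     sourceanalyzer -b demo-build -exclude 'src/**/node_modules/**' src; then
  echo "WARN: -exclude targets node_modules while $PROP=true (not recommended)" >&2
fi
rm -f "$demo_props"
```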

See Also

Examples of Excluding node_modules Dependencies