SonarQube - JS Dependencies Security Vulnerability Scanning


I have a large project which includes a front-end portion downloading dependencies through NPM/Yarn and was looking for security vulnerability scanning for these third-party dependencies defined in package.json.

I am already aware of options such as Snyk, retireJS, NSP (now acquired by NPM) and the like, however I was wondering whether there is a decent plugin which I can add to SonarQube. The idea would be to scan the list of dependencies, check it against a CVE database and generate an HTML report with the vulnerabilities, identifying the level of risk for each one of them.

Thanks


Raymond Tau On

How about using OWASP Dependency Check and integrating the report into SonarQube using this plugin?

It would be using the info from NSP and RetireJS to do the scan.
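To make the suggested pipeline concrete, here is an added example (not code from the question, the answer, OWASP Dependency-Check or the SonarQube plugin) showing what a practitioner does with the report between the scan and the SonarQube import. It assumes the report was produced by running `dependency-check --project frontend --scan . --format ALL --out build/` in the directory holding package.json (the Node Audit analyzer works from package-lock.json, so keep one committed), which yields a JSON report in the reportSchema 1.1 layout: `dependencies[].vulnerabilities[]` entries carrying `name`, `severity` and a `cvssv3.baseScore` or `cvssv2.score`. The code parses a constructed sample report in that shape, rates each package by its worst CVSS score using the standard v3 qualitative bands, applies the same kind of threshold that `--failOnCVSS` applies, and renders the `sonar-project.properties` lines the plugin reads. The `sonar.dependencyCheck.jsonReportPath` and `sonar.dependencyCheck.htmlReportPath` property names are quoted from memory of the plugin README and should be checked against the plugin version you install; the package and vulnerability names in the sample are placeholders, not real advisories.

```python
"""Summarize an OWASP Dependency-Check JSON report and apply a CVSS gate.

Added example, not part of OWASP Dependency-Check or the
dependency-check-sonar-plugin. Assumes the reportSchema 1.1 JSON layout
produced by `dependency-check --format ALL`; the sonar.dependencyCheck.*
property names are an assumption to verify against the plugin README.
"""
import json

# Constructed sample report shaped like dependency-check's JSON output.
# Package names and vulnerability names are placeholders, not real
# advisories or CVE identifiers.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "projectInfo": {"name": "frontend"},
    "dependencies": [
        {
            "fileName": "example-parser:2.1.0",
            "packages": [{"id": "pkg:npm/example-parser@2.1.0"}],
            "vulnerabilities": [
                {"name": "SAMPLE-0001", "severity": "HIGH",
                 "cvssv3": {"baseScore": 7.5}},
                {"name": "SAMPLE-0002", "severity": "MEDIUM",
                 "cvssv2": {"score": 5.0}},   # v2-only entry, as older NVD data has
            ],
        },
        {
            "fileName": "example-widget:0.9.3",
            "packages": [{"id": "pkg:npm/example-widget@0.9.3"}],
            "vulnerabilities": [
                {"name": "SAMPLE-0003", "severity": "LOW",
                 "cvssv3": {"baseScore": 3.1}},
            ],
        },
        {   # Clean dependency: real reports omit the vulnerabilities key entirely.
            "fileName": "example-utils:1.4.2",
            "packages": [{"id": "pkg:npm/example-utils@1.4.2"}],
        },
    ],
})


def risk_level(score):
    """Map a CVSS base score to the standard v3 qualitative rating."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score > 0.0:
        return "LOW"
    return "NONE"


def vuln_score(vuln):
    """Prefer the CVSS v3 base score, fall back to v2, and use 0.0 if neither is present."""
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    return float(v3.get("baseScore") or v2.get("score") or 0.0)


def summarize(report_text):
    """Return one row per dependency with findings, worst score first."""
    report = json.loads(report_text)
    rows = []
    for dep in report.get("dependencies", []):
        vulns = dep.get("vulnerabilities") or []
        if not vulns:
            continue
        worst = max(vuln_score(v) for v in vulns)
        rows.append({
            "package": (dep.get("packages") or [{}])[0].get("id", dep["fileName"]),
            "findings": len(vulns),
            "max_cvss": worst,
            "level": risk_level(worst),
            "ids": [v["name"] for v in vulns],
        })
    return sorted(rows, key=lambda r: r["max_cvss"], reverse=True)


def gate(rows, fail_on_cvss=7.0):
    """Block the build on any package at or above the threshold (the --failOnCVSS policy)."""
    failing = [r for r in rows if r["max_cvss"] >= fail_on_cvss]
    return (not failing, failing)


def sonar_properties(json_report, html_report, project_key="frontend"):
    """Render the sonar-project.properties entries the plugin reads (property names assumed)."""
    return "\n".join([
        f"sonar.projectKey={project_key}",
        "sonar.sources=.",
        f"sonar.dependencyCheck.jsonReportPath={json_report}",
        f"sonar.dependencyCheck.htmlReportPath={html_report}",
    ]) + "\n"


if __name__ == "__main__":
    rows = summarize(SAMPLE_REPORT)
    for r in rows:
        print(f"{r['level']:<8} {r['max_cvss']:>4}  {r['package']}  {r['ids']}")
    ok, failing = gate(rows)
    print("gate:", "PASS" if ok else f"FAIL ({len(failing)} package(s) at/above threshold)")
    print(sonar_properties("build/dependency-check-report.json",
                           "build/dependency-check-report.html"))
```

Run the CVSS gate before `sonar-scanner` so a HIGH finding stops the pipeline even if nobody looks at the SonarQube dashboard; the HTML report that Dependency-Check writes alongside the JSON is the per-finding risk report the question asks for, and the plugin surfaces the same findings as SonarQube issues.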