Dependency Scanning

When configuring a scan or analyzing scan results, consider the following about dependency scanning:

Dependencies represent open-source packages that are referenced by the scanned codebase, but not necessarily present in the codebase.
Dependency scanning is designed to be used when scanning pre-build artifacts, typically found in source-code bundles. Because this scenario relies on package-management configuration files (manifests that declare version ranges rather than pinned versions), it is not 100% precise in resolving the declared dependencies. In many cases, a dependency is resolved to the latest available version within the declared range. That version can differ from the package version actually pulled down as part of the build.
Dependency scanning is not designed for scanning post-build artifacts when using the scan-agent plugins to scan on the build servers as part of the build process. In such scenarios, all dependencies have already been resolved by the build system and are present in the scanned codebase.
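The resolution caveat above is easiest to see side by side with a lock file. The following Python script is an added example, not part of this documentation or of any scanner's own code: it resolves simplified npm-style ranges (exact, caret `^`, tilde `~`, three-part versions only) to the newest version in a constructed package index, the way a pre-build scan of a manifest would, and compares that with the versions a constructed lock file pinned for the build. All package names, version numbers and the `MANIFEST`, `LOCKFILE` and `INDEX` data are constructed for illustration and do not describe any real package.

```python
"""Added example: why a pre-build dependency scan can report a different
package version than the one the build actually used.

The scan sees only a manifest with version ranges; the build uses a lock
file (or a resolver against the registry at build time).  Resolving the
range to the newest available version is a reasonable guess, but it is
only a guess.  Everything below is constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed manifest: what a source bundle declares (ranges, not pins).
MANIFEST: Dict[str, str] = {
    "alpha-utils": "^1.1.0",    # caret: >=1.1.0 <2.0.0
    "beta-parser": "~4.17.15",  # tilde: >=4.17.15 <4.18.0
    "gamma-core": "4.18.2",     # exact pin
    "delta-http": "^0.3.1",     # caret on 0.x: >=0.3.1 <0.4.0
}

# Constructed lock file: what the build actually pulled down.
# "delta-http" is deliberately missing to model an unpinned dependency.
LOCKFILE: Dict[str, str] = {
    "alpha-utils": "1.4.2",
    "beta-parser": "4.17.21",
    "gamma-core": "4.18.2",
}

# Constructed registry index: versions published for each package.
INDEX: Dict[str, List[str]] = {
    "alpha-utils": ["1.0.0", "1.1.0", "1.4.2", "1.5.0", "2.0.0"],
    "beta-parser": ["4.17.15", "4.17.21", "4.18.0"],
    "gamma-core": ["4.18.1", "4.18.2"],
    "delta-http": ["0.3.1", "0.3.4", "0.4.0"],
}


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple (three parts only)."""
    major, minor, patch = (int(p) for p in text.strip().split("."))
    return (major, minor, patch)


def range_bounds(spec: str) -> Tuple[Version, Version]:
    """Return (inclusive lower, exclusive upper) bounds for a simplified
    npm-style range: 'X.Y.Z' exact, '^X.Y.Z' caret or '~X.Y.Z' tilde."""
    spec = spec.strip()
    if spec.startswith("^"):
        low = parse_version(spec[1:])
        major, minor, patch = low
        if major > 0:
            return low, (major + 1, 0, 0)
        if minor > 0:
            return low, (0, minor + 1, 0)
        return low, (0, 0, patch + 1)
    if spec.startswith("~"):
        low = parse_version(spec[1:])
        return low, (low[0], low[1] + 1, 0)
    low = parse_version(spec)
    return low, (low[0], low[1], low[2] + 1)


def resolve_declared(spec: str, available: List[str]) -> Optional[str]:
    """Pick the newest published version inside the declared range, which is
    the assumption a pre-build scan has to make.  None if nothing matches."""
    low, high = range_bounds(spec)
    candidates = [v for v in map(parse_version, available) if low <= v < high]
    if not candidates:
        return None
    return ".".join(str(part) for part in max(candidates))


def compare_with_lockfile(manifest: Dict[str, str], lockfile: Dict[str, str],
                          index: Dict[str, List[str]]) -> List[Dict[str, object]]:
    """For each declared dependency, pair the scan's resolved version with the
    version the build pinned and record whether they agree."""
    findings: List[Dict[str, object]] = []
    for name, spec in manifest.items():
        scan_resolved = resolve_declared(spec, index.get(name, []))
        build_pinned = lockfile.get(name)  # None when the build did not pin it
        findings.append({
            "name": name,
            "declared": spec,
            "scan_resolved": scan_resolved,
            "build_pinned": build_pinned,
            "agrees": scan_resolved is not None and scan_resolved == build_pinned,
        })
    return findings


def divergent_packages(findings: List[Dict[str, object]]) -> List[str]:
    """Names whose scan-time version cannot be trusted to match the build."""
    return sorted(str(f["name"]) for f in findings if not f["agrees"])


if __name__ == "__main__":
    results = compare_with_lockfile(MANIFEST, LOCKFILE, INDEX)
    for f in results:
        print(f"{f['name']:<12} declared {f['declared']:<9} "
              f"scan->{f['scan_resolved']!s:<8} build->{f['build_pinned']!s:<8} "
              f"{'ok' if f['agrees'] else 'DIVERGES'}")
    print("check these against the build:", divergent_packages(results))
```

The divergent list is the set of findings a practitioner should re-check against the real build output before acting on a pre-build scan result: `alpha-utils` shows the range-to-newest guess landing on a version the build never used, and `delta-http` shows a dependency the build did not pin at all. Scanning the lock file, or the post-build artifact as the second paragraph describes, removes this guesswork because the versions are already resolved.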