If you're facing an inflight vulnerability from a veracode (or any other SCA tool) scan, then it probably comes from eslint package. This might not be the case for all scenarios but the SCA tool typically shows you a dependancy graph where you can drill down on the involved packages. In the case that it is eslint for you then here's the fix that clears the SCA scan error:
You probably have eslint under the dependancies section in the package.json (of course, duuh). Just move the eslint package into the devDependancies because that is where it belongs in the first place. The SCA tool knows that as a dev dependancy, it is only used for the development phase and will not affect the production code.
As always, I hope this helps someone 😌.
Top comments (1)
Please let me know if this workaround will work with Sonatype-(Nexus scan) report generation as well ? @thecodeinfluencer