I have a large project which includes a front-end portion downloading dependencies through NPM/Yarn and was looking for security vulnerability scanning for these third-party dependencies defined in package.json.
I am already aware of options such as Snyk, retireJS, NSP (now acquired by NPM) and the like; however, I was wondering whether there is a decent plugin which I can use to add to SonarQube. The idea would be to scan the list of dependencies, check it against a CVE database and generate an HTML report with the vulnerabilities, identifying the level of risk for each one of them.
Thanks
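An added example of the workflow the question describes (not code from the question or from any SonarQube plugin): read the declared dependency ranges from a package.json, match them against an advisory list, and render an HTML report with a risk level per finding. The manifest and the advisory entries are constructed, the CVE ids are placeholders, and the semver handling covers only pinned, `^` and `~` ranges, so a real scanner would instead resolve exact versions from the lockfile.

```javascript
// Constructed sample manifest; in practice this is the parsed package.json.
const PACKAGE_JSON = {
  dependencies: { lodash: "4.17.15", express: "^4.16.0", react: "^17.0.2" },
  devDependencies: { minimist: "~1.2.0" },
};
// Constructed advisory feed: the CVE ids below are placeholders, not real ones.
// "below" is the first fixed version; anything lower is affected.
const ADVISORIES = [
  { pkg: "lodash",   cve: "CVE-XXXX-0001", below: "4.17.19", severity: "HIGH" },
  { pkg: "minimist", cve: "CVE-XXXX-0002", below: "1.2.6",   severity: "MEDIUM" },
  { pkg: "react",    cve: "CVE-XXXX-0003", below: "16.0.0",  severity: "LOW" },
];
function parseVer(v) { return v.split(".").map(Number); }
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Lowest version a range can resolve to: "x.y.z", "^x.y.z" and "~x.y.z"
// all start at x.y.z. Without a lockfile that is the version we can assume.
function minVersion(range) { return parseVer(range.replace(/^[\^~]/, "")); }
// Flag a dependency when its range still admits a version below the fix,
// i.e. a fresh install could pull in the vulnerable release.
function findVulnerable(manifest, advisories) {
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const findings = [];
  for (const adv of advisories) {
    const range = deps[adv.pkg];
    if (!range) continue;
    if (cmp(minVersion(range), parseVer(adv.below)) < 0) {
      findings.push({ pkg: adv.pkg, range, cve: adv.cve, fixedIn: adv.below, severity: adv.severity });
    }
  }
  const order = { HIGH: 0, MEDIUM: 1, LOW: 2 };
  return findings.sort((a, b) => order[a.severity] - order[b.severity]);
}
// Escape before interpolating: package names and ranges are attacker-influenced input.
function escapeHtml(s) {
  return String(s).replace(/[&<>"]/g, c => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" }[c]));
}
function renderHtml(findings) {
  const cells = f => [f.severity, f.pkg, f.range, f.cve, f.fixedIn].map(v => `<td>${escapeHtml(v)}</td>`).join("");
  const rows = findings.map(f => `<tr>${cells(f)}</tr>`).join("\n");
  return `<html><body><h1>Dependency findings</h1><table>\n` +
    `<tr><th>Risk</th><th>Package</th><th>Declared range</th><th>Advisory</th><th>Fixed in</th></tr>\n` +
    `${rows}\n</table></body></html>`;
}
console.log(renderHtml(findVulnerable(PACKAGE_JSON, ADVISORIES)));
```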