It would appear that if a maven project has more than just Java bits, the dependency check plugin doesn't take those extra parts into consideration.
For example, Apache Hadoop has a package.json that doesn't seem to be getting found despite being in a directory that is part of the (default) scan set.
This is obviously bad for two reasons:
a) To get a complete audit, one is running both the maven plugin and the standalone version on a source tree, doubling the amount of time/resources required
b) Users may be led into a false sense of security because they may believe the maven plugin is actually checking everything.