Hello,
With DependencyCheck cli 12.0.1.
On my DependencyCheck server, yarn is not installed. It is correctly detected and managed by DependencyCheck:
[WARN] The Yarn Audit Analyzer has been disabled. Yarn executable was not found.
Disabled, perfect. But just after:
[ERROR] Exception occurred initializing Yarn Audit Analyzer.
Why try to initialize a disabled Analyzer? And then the CLI failed:
[ERROR] Unable to read yarn audit output. script returned exit code 14
It doesn't sound very logical to me.
Regards
If you scan a project that has a yarn.lock and yarn is not installed, what you are describing is expected behavior. If we are supposed to scan for vulnerabilities in the yarn ecosystem and yarn isn't installed, this is an exceptional condition. Technically, we could get rid of the warning, or maybe move it to debug logging. But this is expected behavior.
Thanks for your answer, and especially for your excellent work on vulnerability. From my point of view, a WARN rather than an ERROR would be less disturbing. But it doesn't really matter to me; I will install yarn on my containers running DependencyCheck because I want a full vulnerability analysis.