How do I resolve the “Unable to determine Package-URL identifiers…” warning

Question

I am scanning my Node.js application with OWASP Dependency Check and got an “Unable to determine Package-URL identifiers for [count] dependencies” warning. How do I resolve this issue?

Answer

Applications that use npm for package management declare their dependencies in the package.json file. However, because package.json may specify a range of acceptable versions for each dependency rather than an exact version, package.json alone is not sufficient to identify the version of each dependency that is actually being used.

The package-lock.json file (or the yarn.lock file if using Yarn for package management) records the exact resolved version of every installed package, so it must be scanned by Dependency Check for it to correctly identify the dependency versions in use and determine whether those versions have known vulnerabilities. Without the package-lock.json file, vulnerable dependencies may be missed (false negatives). It is also strongly recommended that the package-lock.json file be checked into the code repository if you are not doing so already.

If you do not have a package-lock.json file, you can generate one with the following command:

npm install
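The following Node.js script is an added illustration, not code from the original article or from Dependency Check itself. It shows why the lock file matters: it tries to build Package-URL (purl) identifiers of the form pkg:npm/name@version from a constructed package.json (version ranges only, so nothing can be resolved) and then from a constructed package-lock.json (exact versions, so every package gets a purl). The manifests, package names and versions are invented sample data.

```javascript
// Added example (not from the original article): derive Package-URL (purl)
// identifiers for npm dependencies from a package-lock.json, and show why a
// package.json alone cannot yield them. Sample manifests are constructed inline.

// Constructed package.json: version *ranges*, not exact versions.
const packageJson = {
  name: "sample-app",
  version: "1.0.0",
  dependencies: { lodash: "^4.17.0", express: "~4.18.0" }
};

// Constructed package-lock.json (lockfileVersion 3 layout): exact resolved versions,
// including a scoped package and a nested transitive dependency.
const packageLock = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/@scope/pkg": { version: "1.2.3" },
    "node_modules/express/node_modules/debug": { version: "2.6.9" }
  }
};

// Exact semver: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Build a purl for an npm package. For scoped packages the "@" of the
// namespace is percent-encoded, e.g. pkg:npm/%40scope/pkg@1.2.3.
function npmPurl(name, version) {
  const [namespace, base] = name.startsWith("@") ? name.split("/") : [null, name];
  const ns = namespace ? encodeURIComponent(namespace) + "/" : "";
  return `pkg:npm/${ns}${base}@${version}`;
}

// From package.json: only dependencies pinned to an exact version get a purl.
// Ranges are reported as unresolved, which is the situation behind the
// "Unable to determine Package-URL identifiers" warning.
function purlsFromPackageJson(manifest) {
  const resolved = [];
  const unresolved = [];
  for (const [name, spec] of Object.entries(manifest.dependencies || {})) {
    if (EXACT_VERSION.test(spec)) resolved.push(npmPurl(name, spec));
    else unresolved.push(`${name}@${spec}`);
  }
  return { resolved, unresolved };
}

// From package-lock.json: every installed package carries an exact version.
// The package name is the part of the path after its last "node_modules/".
function purlsFromPackageLock(lock) {
  const purls = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself, not a dependency
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (entry.version) purls.push(npmPurl(name, entry.version));
  }
  return purls.sort();
}

console.log("from package.json:", purlsFromPackageJson(packageJson));
console.log("from package-lock.json:", purlsFromPackageLock(packageLock));
```

Running the script prints an empty resolved list and two unresolved ranges for package.json, and four fully qualified purls for package-lock.json, which is the information Dependency Check needs to match each dependency against vulnerability data.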