You use WhiteSource Bolt to scan a Node.js application.
The WhiteSource Bolt scan identifies numerous libraries that have invalid licenses. The libraries are used only during development and are not part of a production deployment.
You need to ensure that WhiteSource Bolt only scans production dependencies.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Run npm install and specify the --production flag.
B. Modify the WhiteSource Bolt policy and set the action for the licenses used by the development tools to Reassign.
C. Modify the devDependencies section of the project's Package.json file.
D. Configure WhiteSource Bolt to scan the node_modules directory only.
Correct answer: AC
A: To resolve NPM dependencies, you should first run "npm install" command on the relevant folders before executing the plugin.
C: All npm packages contain a file, usually in the project root, called package.json. This file holds various metadata relevant to the project. It is used to give information to npm that allows it to identify the project as well as handle the project's dependencies. It can also contain other metadata such as a project description, the version of the project in a particular distribution, license information, even configuration data, all of which can be vital to both npm and to the end users of the package.
https://whitesource.atlassian.net/wiki/spaces/WD/pages/34209870/NPM+Plugin
https://nodejs.org/en/knowledge/getting-started/npm/what-is-the-file-package-json

WhiteSource Bolt is a tool that helps to identify and manage open source vulnerabilities in software development projects. In this scenario, you have a Node.js application that uses several libraries during development that have invalid licenses, and you need to ensure that WhiteSource Bolt only scans production dependencies.
There are a few steps you can take to achieve this goal:
Identify the libraries that are only used during development: Review the project's dependencies and determine which ones are only used during development and not part of a production deployment. This will help you to exclude these libraries from the WhiteSource Bolt scan.
Modify the devDependencies section of the project's package.json file: The devDependencies section in the package.json file contains the libraries that are only required during development. You can remove the invalidly licensed libraries from this section to ensure that they are not included in the WhiteSource Bolt scan.
Answer C (Modify the devDependencies section of the project's Package.json file) is a correct answer because it allows you to exclude development dependencies that are not part of the production deployment from the WhiteSource Bolt scan.
Answer A (Run npm install and specify the --production flag) is a correct answer because it allows you to install only the production dependencies and exclude the development dependencies from the WhiteSource Bolt scan.
Answer B (Modify the WhiteSource Bolt policy and set the action for the licenses used by the development tools to Reassign) is a correct answer because it allows you to modify the policy to exclude the invalid licenses of development dependencies or set their action to Reassign.
Answer D (Configure WhiteSource Bolt to scan the node_modules directory only) is a correct answer because it allows you to configure WhiteSource Bolt to scan only the production dependencies by excluding the development dependencies from being scanned.
In summary, the correct answers to ensure that WhiteSource Bolt only scans production dependencies are C (Modify the devDependencies section of the project's Package.json file) and A (Run npm install and specify the --production flag). However, it's also a good practice to modify the policy to exclude development dependencies and configure WhiteSource Bolt to scan only the production dependencies.
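The explanations above rest on one mechanism: package.json keeps production packages under dependencies and development-only packages under devDependencies, and a production install (npm install --production, which current npm treats as an alias of npm install --omit=dev) leaves the devDependencies out of node_modules, so a scanner that walks node_modules never sees them. The script below is an added example, not code from the page or from WhiteSource/Mend, that reads a manifest, works out which packages reach production, and triages scanner-style licence findings by that split. The manifest, the findings list and the "UNKNOWN" licence value are constructed sample data; the function names are this example's own.

```javascript
// Added example: classify a Node.js project's declared packages as production
// or development-only, then use that split to triage licence findings.
// The manifest and findings below are constructed, not real scan output.

// Constructed sample package.json for a small service. Note that lodash is
// listed in both sections: a package present under dependencies ships to
// production even if it also appears under devDependencies.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-service",
  version: "1.0.0",
  dependencies: { express: "^4.18.2", lodash: "^4.17.21" },
  devDependencies: { jest: "^29.7.0", eslint: "^8.57.0", lodash: "^4.17.21" },
});

// Constructed scanner-style findings: one row per package and the licence the
// tool reported. "UNKNOWN" stands in for an invalid or unrecognised licence.
const SAMPLE_FINDINGS = [
  { name: "express", license: "MIT" },
  { name: "lodash", license: "MIT" },
  { name: "jest", license: "UNKNOWN" },
  { name: "eslint", license: "UNKNOWN" },
];

// Parse package.json text; a missing section is treated as empty.
function loadManifest(text) {
  const manifest = JSON.parse(text);
  return {
    dependencies: manifest.dependencies || {},
    devDependencies: manifest.devDependencies || {},
  };
}

// Packages that a production install (`npm install --omit=dev`) keeps.
function productionDependencies(manifest) {
  return Object.keys(manifest.dependencies).sort();
}

// Packages that appear only under devDependencies. A name present in both
// sections is still installed in production, so it is not "dev only".
function developmentOnlyDependencies(manifest) {
  const prod = new Set(Object.keys(manifest.dependencies));
  return Object.keys(manifest.devDependencies)
    .filter((name) => !prod.has(name))
    .sort();
}

// Split invalid-licence findings by whether the package reaches production.
// Findings for packages declared in neither section (transitive packages or
// typos) are kept in a separate bucket so they are not silently dropped.
function triageFindings(manifest, findings, invalidLicenses = ["UNKNOWN"]) {
  const prod = new Set(productionDependencies(manifest));
  const devOnly = new Set(developmentOnlyDependencies(manifest));
  const result = { production: [], developmentOnly: [], undeclared: [] };
  for (const finding of findings) {
    if (!invalidLicenses.includes(finding.license)) continue;
    if (prod.has(finding.name)) result.production.push(finding.name);
    else if (devOnly.has(finding.name)) result.developmentOnly.push(finding.name);
    else result.undeclared.push(finding.name);
  }
  for (const bucket of Object.values(result)) bucket.sort();
  return result;
}

// The edit option C describes: return a new manifest with the named packages
// removed from devDependencies, leaving the production section untouched.
function removeFromDevDependencies(manifest, names) {
  const drop = new Set(names);
  const devDependencies = {};
  for (const [name, range] of Object.entries(manifest.devDependencies)) {
    if (!drop.has(name)) devDependencies[name] = range;
  }
  return { dependencies: { ...manifest.dependencies }, devDependencies };
}

// Stand-alone usage: show which invalid-licence findings would disappear
// from a scan that only sees a production install.
const manifest = loadManifest(SAMPLE_PACKAGE_JSON);
console.log("production:", productionDependencies(manifest));
console.log("development only:", developmentOnlyDependencies(manifest));
console.log("triage:", triageFindings(manifest, SAMPLE_FINDINGS));
```

Run with node; for the sample data both invalid-licence findings land in the developmentOnly bucket, which is exactly the set a production-only install would exclude from node_modules before WhiteSource Bolt scans it. The same split is what NODE_ENV=production causes npm to apply when no --omit flag is given.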