Why does Aikido not find a specific vulnerability or CVE inside a dependency

In some cases Aikido will show fewer vulnerabilities than other tools. This can have multiple explanations:

  • The vulnerability is auto-ignored by the Aikido rule engine. Aikido tries to avoid false positives. In this case you will find the vulnerability under the 'Ignored' view in the sidebar, together with an explanation of why Aikido thinks this vulnerability does not impact you.

  • The vulnerability could be marked as a developer-only dependency. By default, Aikido will not report vulnerabilities for dependencies that are only installed on the developer machine. The assumption here is that they will not ship to production and won't impact the security of your live product. Examples of such dependencies are:

    • Dev dependencies in npm's package.json

    • Dependencies marked with scope=test in Java's pom.xml
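To see which of your own dependencies fall under this developer-only rule before comparing scanner results, the script below reads an npm package.json and a Maven pom.xml and lists the packages such a filter would exclude. It is an added example, not Aikido's code, and it assumes only the two cases the page names (npm devDependencies and Maven scope test); the manifests and package names are constructed samples.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample package.json (not from any real project).
PACKAGE_JSON = """
{
  "name": "example-app",
  "dependencies": {"express": "^4.18.2", "lodash": "^4.17.21"},
  "devDependencies": {"jest": "^29.0.0", "eslint": "^8.0.0"}
}
"""

# Constructed sample pom.xml with one compile-scoped and one test-scoped dependency.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>example-app</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.12.0</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def classify_npm(package_json_text):
    """Return {package: "production" | "development"} for an npm manifest."""
    manifest = json.loads(package_json_text)
    result = {}
    for name in manifest.get("dependencies", {}):
        result[name] = "production"
    for name in manifest.get("devDependencies", {}):
        # A package listed in both sections is still installed in production,
        # so the production classification wins.
        result.setdefault(name, "development")
    return result


def classify_maven(pom_text):
    """Return {"groupId:artifactId": "production" | "development"} for a POM.

    Maven's default scope is "compile"; only scope "test" is treated as
    developer-only here, mirroring the rule described on the page (assumption:
    other scopes are reported as production).
    """
    root = ET.fromstring(pom_text)
    result = {}
    for dep in root.findall("./m:dependencies/m:dependency", MAVEN_NS):
        group = dep.findtext("m:groupId", namespaces=MAVEN_NS)
        artifact = dep.findtext("m:artifactId", namespaces=MAVEN_NS)
        scope = dep.findtext("m:scope", default="compile", namespaces=MAVEN_NS)
        kind = "development" if scope == "test" else "production"
        result[f"{group}:{artifact}"] = kind
    return result


def developer_only(classified):
    """Names a developer-only filter would leave out of vulnerability reports."""
    return sorted(name for name, kind in classified.items() if kind == "development")


if __name__ == "__main__":
    for label, classified in (("npm", classify_npm(PACKAGE_JSON)),
                              ("maven", classify_maven(POM_XML))):
        print(f"{label}: excluded as developer-only -> {developer_only(classified)}")
```

If a package you expect to see in the report shows up in this list, that is the first place to look before concluding the scanner missed a CVE; a dependency that appears under both `dependencies` and `devDependencies` is treated as production, since it ships either way.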
