Why does Aikido not find a specific vulnerability or CVE inside a dependency?
In some cases Aikido will show less vulnerabilities than other tools. This can have multiple explanations:
The vulnerability is auto-ignored by the Aikido rule engine. Aikido tries to avoid false postivies. In this case you will find the vulnerability under the 'Ignored' view in the sidebar. You'll also find an explanation of why Aikido thinks this vulnerability does not impact you.
The vulnerability could be marked as a developer-only dependency. By default, Aikido will not report vulnerabilities for dependencies that are only installed on the developer machine. The assumption here is that they will not ship to production and won't impact the security of your live product. Examples of such dependencies are:
Dev dependencies in npm's package.json
dependencies marked with scope=test in Java's pom.xml
It is possible to have Aikido scan voor dev dependencies. For this you will need to contact us via chat to enable this functionality.