package.json and package-lock.json are not scanned on a nginx image #19633
Description
Hey guys,
we are using StackRox 4.10.0 to check our Kubernetes environment for CVEs. We are building SPAs with Angular and copy the generated JS/HTML into NGINX images.
Package.json on nginx
When we also put the package.json and package-lock.json into the root folder of the NGINX image, no CVEs from the JavaScript/TypeScript workloads appear. We expect to see the same issues in StackRox as in Trivy during the build of the Angular app. We only see the issues from the underlying Linux.
We are seeing this as well with .NET images (where the .NET DLLs in a dotnet base image won't trigger any CVE alerts; only the issues from the underlying Linux are shown).
As we are just starting with StackRox, this could be a configuration mistake as well.
Example Dockerfile:
FROM corporateregistry.io/baseimages/nginx:latest
ARG NGINX_CONFIG_PATH=./workspace/nginx/default/default.conf
ARG APP_NAME=startseite
ARG APP_ROOTFOLDER=./workspace/dist/apps/
EXPOSE 8080
ENV APP_NAME=${APP_NAME}
ENV NGINX_ENVSUBST_TEMPLATE_DIR=/usr/share/nginx/html/browser/assets
ENV NGINX_ENVSUBST_OUTPUT_DIR=/usr/share/nginx/html/browser/assets
ENV NGINX_ENVSUBST_TEMPLATE_SUFFIX=.template
COPY ./workspace/package.json /package.json
COPY ./workspace/package-lock.json /package-lock.json
COPY ${NGINX_CONFIG_PATH} /etc/nginx/conf.d/
COPY ${APP_ROOTFOLDER}/${APP_NAME} /usr/share/nginx/html
Thanks in advance
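For anyone reproducing this, the following is an added example (not code from the issue author or from the StackRox project) that extracts the npm dependency inventory a scanner would have to match against CVE data from a package-lock.json. It handles both the nested lockfileVersion 1 tree and the path-keyed "packages" map of lockfileVersion 2/3, so you can compare what the lockfile in the image actually pins with what Trivy reports at build time. The lockfile contents are constructed samples, not the reporter's real files.

```python
"""Extract the npm dependency inventory a scanner would match against CVE data
from a package-lock.json. The lockfiles below are constructed samples."""
import json
from typing import Dict, Set, Tuple

# Constructed sample: lockfileVersion 3 ("packages" map keyed by install path).
SAMPLE_LOCK_V3 = json.dumps({
    "name": "startseite",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "startseite", "version": "0.0.1"},
        "node_modules/@angular/core": {"version": "17.0.0"},
        "node_modules/tslib": {"version": "2.6.2"},
        "node_modules/@angular/cli": {"version": "17.0.0", "dev": True},
        "node_modules/@angular/cli/node_modules/semver": {"version": "7.5.4", "dev": True},
    },
})

# Constructed sample: lockfileVersion 1 (nested "dependencies" tree).
SAMPLE_LOCK_V1 = json.dumps({
    "name": "startseite",
    "lockfileVersion": 1,
    "dependencies": {
        "@angular/core": {
            "version": "17.0.0",
            "dependencies": {"tslib": {"version": "2.6.2"}},
        },
        "tslib": {"version": "2.5.0"},
    },
})


def package_name(path: str) -> str:
    """'node_modules/@angular/cli/node_modules/semver' -> 'semver'."""
    return path.rsplit("node_modules/", 1)[-1]


def lock_inventory(text: str, include_dev: bool = True) -> Dict[str, str]:
    """Map install path -> pinned version for every package in the lockfile."""
    lock = json.loads(text)
    inventory: Dict[str, str] = {}
    if "packages" in lock:  # lockfileVersion 2 or 3
        for path, meta in lock["packages"].items():
            if path == "":
                continue  # the root project entry, not a dependency
            if meta.get("dev") and not include_dev:
                continue
            inventory[path] = meta["version"]
    elif "dependencies" in lock:  # lockfileVersion 1
        def walk(deps: dict, prefix: str) -> None:
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if meta.get("dev") and not include_dev:
                    continue
                inventory[path] = meta["version"]
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock["dependencies"], "")
    return inventory


def name_versions(inventory: Dict[str, str]) -> Set[Tuple[str, str]]:
    """Collapse install paths to (name, version) pairs; nested copies of the
    same package at different versions stay distinct, as a scanner must keep them."""
    return {(package_name(p), v) for p, v in inventory.items()}


if __name__ == "__main__":
    for label, text in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        for name, version in sorted(name_versions(lock_inventory(text))):
            print(f"{label}: {name}@{version}")
```

Run it against the package-lock.json copied into the image (for example after `docker cp <container>:/package-lock.json .`) and diff the resulting name/version pairs against Trivy's findings; if the pairs match but StackRox reports nothing, the gap is in scanning rather than in what was copied into the image.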