Hello everyone, hoping someone here can clarify my lack of understanding.
Context: Running a SAST scan locally through nexus-iq-cli on a web project (using React). Had a bunch of transitive vulnerabilities show up with react-scripts; addressed the issue by moving the import from dependencies to devDependencies (as devDependencies are not picked up in the Sonatype scan).
Issue 1: Moving react-scripts from dependencies to devDependencies changed the vulnerability type from transitive to blank (not sure what this indicates; could use an explanation). Why are vulnerabilities still picked up on the scan?
Before (shown as transitive issues) -> After (react-scripts moved to the devDependencies section of package.json; now no longer transitive issues):
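As an added illustration (this is not code from the original post, nor from Sonatype or nexus-iq-cli), the script below walks an npm lockfile from the two roots in package.json and reports, for every installed package, whether it is reachable from dependencies (prod) or only from devDependencies (dev), and through which chain (direct vs. transitive). Both manifests are constructed: the package.json mirrors the post's "after" state, and the react-scripts sub-tree ("example-build-tool", "example-deep-lib") is invented for the example; the real tree is far larger.

```javascript
// Added example, not code from the original post or from Sonatype/nexus-iq-cli.
// Walks an npm lockfile (lockfileVersion 2/3 "packages" map) from the roots in
// package.json and classifies each installed package as prod or dev, with the
// chain of names it was reached through.

// Constructed package.json: the post's "after" state, react-scripts moved to
// devDependencies. Version specifiers are illustrative.
const packageJson = {
  name: "example-app",
  dependencies: { react: "^18.2.0" },
  devDependencies: { "react-scripts": "5.0.1" },
};

// Constructed lockfile (lockfileVersion 3). "example-build-tool" and
// "example-deep-lib" are made-up stand-ins for react-scripts' real sub-tree.
// npm writes "dev: true" on entries reachable only through devDependencies.
const packageLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { react: "^18.2.0" }, devDependencies: { "react-scripts": "5.0.1" } },
    "node_modules/react": { version: "18.2.0", dependencies: { "loose-envify": "^1.1.0" } },
    "node_modules/loose-envify": { version: "1.4.0" },
    "node_modules/react-scripts": { version: "5.0.1", dev: true, dependencies: { "example-build-tool": "^2.0.0" } },
    "node_modules/example-build-tool": { version: "2.0.0", dev: true, dependencies: { "example-deep-lib": "^1.0.0" } },
    "node_modules/example-deep-lib": { version: "1.0.3", dev: true },
  },
};

// Resolve a dependency name from a package's install path the way Node does:
// nearest nested node_modules first, then each ancestor, then the root.
function resolveEntry(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Breadth-first walk from a set of root dependency names. Returns a Map of
// install path -> chain of package names from the root. Follows only
// "dependencies" and "optionalDependencies" edges.
function reachableFrom(lock, rootNames) {
  const packages = lock.packages;
  const reached = new Map();
  const queue = [];
  for (const name of rootNames) {
    const p = resolveEntry(packages, "", name);
    if (p && !reached.has(p)) { reached.set(p, [name]); queue.push(p); }
  }
  while (queue.length > 0) {
    const p = queue.shift();
    const entry = packages[p];
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    for (const dep of Object.keys(deps)) {
      const dp = resolveEntry(packages, p, dep);
      if (dp && !reached.has(dp)) { reached.set(dp, [...reached.get(p), dep]); queue.push(dp); }
    }
  }
  return reached;
}

// Classify every lockfile entry as prod, dev, or unreachable (a stale entry no
// root leads to), and note whether it is direct or transitive.
function classifyLockfile(pkg, lock) {
  const prod = reachableFrom(lock, Object.keys(pkg.dependencies || {}));
  const dev = reachableFrom(lock, Object.keys(pkg.devDependencies || {}));
  const result = {};
  for (const p of Object.keys(lock.packages)) {
    if (p === "") continue; // the root project itself
    const chain = prod.get(p) || dev.get(p) || [];
    result[p] = {
      name: p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length),
      version: lock.packages[p].version,
      scope: prod.has(p) ? "prod" : dev.has(p) ? "dev" : "unreachable",
      transitive: chain.length > 1,
      via: chain.join(" > "),
    };
  }
  return result;
}

// Build the post's "before" manifest: the same package listed under
// "dependencies" instead. The lockfile entries themselves do not change.
function moveToProd(pkg, name) {
  const { [name]: spec, ...restDev } = pkg.devDependencies || {};
  return { ...pkg, dependencies: { ...(pkg.dependencies || {}), [name]: spec }, devDependencies: restDev };
}

for (const [label, manifest] of [
  ["before (react-scripts in dependencies)", moveToProd(packageJson, "react-scripts")],
  ["after  (react-scripts in devDependencies)", packageJson],
]) {
  console.log(`\n${label}`);
  for (const i of Object.values(classifyLockfile(manifest, packageLock))) {
    console.log(`  ${i.name}@${i.version}  ${i.scope.padEnd(4)}  ${i.transitive ? "transitive" : "direct"}  via ${i.via}`);
  }
}
```

Run it with `node` against the constructed data, or replace the two objects with `JSON.parse(fs.readFileSync(...))` of a real package.json and package-lock.json. The point it makes visible: moving react-scripts between the two sections does not remove its sub-tree from package-lock.json or node_modules; the same entries are still there, only reachable from the devDependencies root instead, which is what npm records with `dev: true`. Whether a given scanner honours that flag, and what a blank type means in its report, is a question for that scanner's documentation, not something this script can answer.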