In yesterday's webinar, I asked a question about how ARM approached scanning when there are many dynamic dependencies; Sami gave _an_ answer, but I think I wasn't clear, and Sami was answering a different interpretation from the one I intended. I did attempt to clarify after the call on Slack, but Shane suggested posting here. Here's what I put on Slack, and I can expand if it turns out that I'm still muddying the waters…
"Thanks for the response Sami. I think I wasn't clear in my question during the call, but I didn't want to take up extra time, and your response was interesting anyway. :-) In an attempt to rephrase: It's one thing to say 'open source must be scanned as it's brought into the org' if you're talking about the open source developers want to use, but with Node.js, pulling in a single package that the developer wants to use might also bring in hundreds of additional, transitive dependencies that the developer doesn't really care about (React being a classic example). A minor change to the application might change those hundreds of dependencies to a different set of hundreds of dependencies. Do all of those get scanned, too? Are you blocking the developers from using the packages until the scanning is done, or is there a continual background queue of inbound open source that gets scanned asynchronously from the developers' usage?"
From: uk-wg@... <uk-wg@...>
On Behalf Of Shane Coughlan
Join us for a discussion around the software and network security topics you should keep front of mind during these unusual times. All welcome:
06:00 PST / 14:00 UTC / 15:00 CET / 19:30 IST / 22:00 CST / 23:00 KST + JST
OpenChain General Manager