Add comments

xray/commands/audit/scarunner.go

@@ -97,9 +97,11 @@ func runScaScanOnWorkingDir(params *AuditParams, results *Results, workingDir, r
 		}
 		techResults = sca.BuildImpactPathsForScanResponse(techResults, fullDependencyTrees)
 		var directDependencies []string
-		if tech == coreutils.Pip || params.thirdPartyApplicabilityScan {
+		if tech == coreutils.Pip || (params.thirdPartyApplicabilityScan && tech == coreutils.Npm) {
 			// When building pip dependency tree using pipdeptree, some of the direct dependencies are recognized as transitive and missed by the CA scanner.
 			// Our solution for this case is to send all dependencies to the CA scanner.
+			// When thirdPartyApplicabilityScan is true, use flatten graph to include all the dependencies in applicability scanning.
+			// Only npm is supported for this flag.
 			directDependencies = getDirectDependenciesFromTree([]*xrayCmdUtils.GraphNode{flattenTree})
 		} else {
 			directDependencies = getDirectDependenciesFromTree(fullDependencyTrees)