Make Gemnasium scan, report PHP Composer dev dependencies

Release notes

N/A

Problem to solve

Gemnasium doesn't scan the development dependencies of PHP Composer projects, but it does scan the dev dependencies of npm, yarn, and Ruby Bundler projects. This behaviour is inconsistent.

Proposal

  • Change the dependency file parser that handles composer.lock to make it process both packages and packages-dev when opts.IncludeDev is set to true. This is a trivial change since both share the same JSON structure, and packages is already parsed.
  • Update the expected report for the tests/php-composer test project; it already contains development dependencies.

Further details

The file parser currently ignores packages-dev. See scanner/parser/composer/composer.go.

We already have a test project with dev. dependencies. See composer.json and composer.lock. Its dev dependencies are not reported. See expected report.

Implementation Plan

  • Update composer.Document with a new field: PackagesDev []Package `json:"packages-dev"`
  • Update composer.Parse to include the dev packages only if opts.IncludeDev is set to true.
  • Update composer_test.go to test exclusion of dev packages when opts.IncludeDev is set to false.
  • Update integration test in gemnasium_image_spec.rb to include test cases when including and not including dev packages.
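The parser change described in the plan, as an added illustration that is not the project's composer.go: a minimal Document with the new PackagesDev field, and a Parse that appends the dev packages only when opts.IncludeDev is true. Package, Document, Options and the sample lock file are constructed for this example and only model the fields needed here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Package is one entry of the "packages" or "packages-dev" arrays; only the fields needed here are modelled.
type Package struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

// Document mirrors composer.lock; PackagesDev is the field the proposal adds.
type Document struct {
	Packages    []Package `json:"packages"`
	PackagesDev []Package `json:"packages-dev"`
}

// Options is assumed to carry the IncludeDev flag the issue calls opts.IncludeDev.
type Options struct {
	IncludeDev bool
}

// Parse decodes a composer.lock and returns the production packages, followed by
// the dev packages only when opts.IncludeDev is true. A lock file without a
// "packages-dev" key simply yields no dev packages.
func Parse(data []byte, opts Options) ([]Package, error) {
	var doc Document
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	pkgs := append([]Package{}, doc.Packages...)
	if opts.IncludeDev {
		pkgs = append(pkgs, doc.PackagesDev...)
	}
	return pkgs, nil
}
// SampleLock is a constructed, minimal composer.lock (not the tests/php-composer project).
const SampleLock = `{
  "packages":     [{"name": "monolog/monolog", "version": "2.3.5"}],
  "packages-dev": [{"name": "phpunit/phpunit", "version": "9.5.10"}]
}`

func main() {
	for _, dev := range []bool{false, true} {
		pkgs, _ := Parse([]byte(SampleLock), Options{IncludeDev: dev})
		fmt.Printf("IncludeDev=%v -> %d package(s): %v\n", dev, len(pkgs), pkgs)
	}
}
```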

/cc @gonzoyumo @NicoleSchwartz


Edited by Oscar Tovar