Make Gemnasium scan, report Sbt dependencies of all scopes

Make Gemnasium scan, report PHP Composer dev dependencies

Release notes

TODO

Problem to solve

Gemnasium only scans Sbt dependencies that belong to the compile scope; other (Maven) scopes like runtime and test are ignored. This behaviour is inconsistent, since gemnasium-maven scans all dependencies of other Java projects:

  • all dependency configurations of Gradle projects, including implementation, runtime, and test
  • all Maven scopes of Maven projects, including runtime and test

See https://www.scala-sbt.org/0.13/docs/Library-Management.html

Proposal

In gemnasium-maven, change the sbt builder to run the dependencyDot task for each scope, and collect all generated DOT exports when DS_INCLUDE_DEV_DEPENDENCIES is set to true. See builder/sbt/sbt.go and sbt.Builder.Configure.

Further details

gemnasium-maven simply runs the sbt dependencyDot task, and this builds a graph that only contains compile dependencies. See https://github.com/sbt/sbt-dependency-graph:

If you don't specify any configuration, compile is assumed as usual.

Implementation

  • Update the sbt builder so that it uses the args: compile:dependencyDot, runtime:dependencyDot, test:dependencyDot.
  • Update exportpath.ExtractSbt so that it returns all three dependency graphs. Since this depends on the exportpath.Split function and the function allows only one file in the root directory, it will need to be updated. Alternatively, exportpath.ExtractSbt can use a different function exportpath.SplitSbt that allows for more than one file in the root directory.
  • Update the sbt.Parse function so that it parses the compile graph if DS_INCLUDE_DEV_DEPENDENCIES is false. Otherwise, it should parse the test graph (which is a superset of the runtime and compile graphs).
  • Update the dependency scanning documentation so that it lists sbt projects among the project types that support excluding test dependencies.
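The following is an added example, not code from gemnasium-maven, that sketches the three implementation steps end to end: choosing the per-scope dependencyDot task arguments from DS_INCLUDE_DEV_DEPENDENCIES, picking which exported graph to parse, and reading the edges out of a DOT export. The function names (SbtArgs, GraphToParse, ParseDot, Dependencies) and the sample DOT text are assumptions made for this example; the coordinates in the sample graphs are constructed and the real sbt.Parse and exportpath code may be structured differently.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Scopes to export from an sbt project, in scan order (assumed for this example).
var sbtScopes = []string{"compile", "runtime", "test"}

// SbtArgs returns the sbt task arguments to run. Without dev dependencies only
// the compile graph is exported, which is what sbt assumes by default anyway.
func SbtArgs(includeDev bool) []string {
	scopes := sbtScopes
	if !includeDev {
		scopes = sbtScopes[:1]
	}
	args := make([]string, 0, len(scopes))
	for _, scope := range scopes {
		args = append(args, scope+":dependencyDot")
	}
	return args
}

// IncludeDevDependencies interprets DS_INCLUDE_DEV_DEPENDENCIES: only the
// literal value "true" (case-insensitive) enables dev dependencies.
func IncludeDevDependencies(env map[string]string) bool {
	return strings.EqualFold(strings.TrimSpace(env["DS_INCLUDE_DEV_DEPENDENCIES"]), "true")
}

// GraphToParse picks the export to parse: the test graph already contains the
// runtime and compile dependencies, so it is the one to read when dev
// dependencies are wanted.
func GraphToParse(includeDev bool) string {
	if includeDev {
		return "test"
	}
	return "compile"
}

// edgeRe matches the `"parent" -> "child"` lines of a sbt-dependency-graph DOT
// export; node label lines and graph attributes do not match and are skipped.
var edgeRe = regexp.MustCompile(`^\s*"([^"]+)"\s*->\s*"([^"]+)"`)

// Edge is one dependency relation, both ends as org:name:version coordinates.
type Edge struct{ Parent, Child string }

// ParseDot extracts the edges of a DOT export. An export without any edge is
// treated as an error, since it usually means the wrong file was picked up.
func ParseDot(dot string) ([]Edge, error) {
	var edges []Edge
	for _, line := range strings.Split(dot, "\n") {
		if m := edgeRe.FindStringSubmatch(line); m != nil {
			edges = append(edges, Edge{Parent: m[1], Child: m[2]})
		}
	}
	if len(edges) == 0 {
		return nil, fmt.Errorf("no dependency edges found in DOT export")
	}
	return edges, nil
}

// Dependencies returns the sorted, de-duplicated coordinates reachable from
// root, i.e. every direct and transitive dependency of that scope.
func Dependencies(edges []Edge, root string) []string {
	children := map[string][]string{}
	for _, e := range edges {
		children[e.Parent] = append(children[e.Parent], e.Child)
	}
	seen := map[string]bool{}
	var walk func(string)
	walk = func(node string) {
		for _, c := range children[node] {
			if !seen[c] { // guards against cycles and shared subtrees
				seen[c] = true
				walk(c)
			}
		}
	}
	walk(root)
	out := make([]string, 0, len(seen))
	for dep := range seen {
		out = append(out, dep)
	}
	sort.Strings(out)
	return out
}

// Constructed DOT exports in the shape sbt-dependency-graph produces (made up
// coordinates). The test graph is the compile graph plus a test framework.
const compileDot = `digraph "dependency-graph" {
    graph[rankdir="LR"]
    "example:app_2.12:0.1"[label=<example<BR/><B>app_2.12</B><BR/>0.1> style=""]
    "example:app_2.12:0.1" -> "org.scala-lang:scala-library:2.12.8"
}`

const testDot = `digraph "dependency-graph" {
    "example:app_2.12:0.1" -> "org.scala-lang:scala-library:2.12.8"
    "example:app_2.12:0.1" -> "org.scalatest:scalatest_2.12:3.0.5"
    "org.scalatest:scalatest_2.12:3.0.5" -> "org.scalactic:scalactic_2.12:3.0.5"
}`

func main() {
	env := map[string]string{"DS_INCLUDE_DEV_DEPENDENCIES": "true"}
	includeDev := IncludeDevDependencies(env)
	fmt.Println("sbt", strings.Join(SbtArgs(includeDev), " "))
	graphs := map[string]string{"compile": compileDot, "test": testDot}
	edges, err := ParseDot(graphs[GraphToParse(includeDev)])
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, dep := range Dependencies(edges, "example:app_2.12:0.1") {
		fmt.Println(dep)
	}
}
```

With DS_INCLUDE_DEV_DEPENDENCIES=true the example runs all three dependencyDot tasks and reports scalatest and scalactic from the test graph; with the variable unset it runs only compile:dependencyDot and reports just the Scala library, which is the current behaviour the issue wants to keep as the non-dev case.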

/cc @gonzoyumo @NicoleSchwartz

