Document types of dependencies scanned by Dependency Scanning
Problem to solve
Users of GitLab Dependency Scanning don't know if development dependencies, test dependencies, or other types of dependencies are being scanned.
Further details
The following table captures which types of dependency are scanned by the Gemnasium analyzers:
| Analyzer | Package manager | What is scanned | Everything? | Issue |
|---|---|---|---|---|
| gemnasium | npm | default and dev dependencies | | |
| gemnasium | yarn | default and dev dependencies | | |
| gemnasium | Bundler | any dependency group | | |
| gemnasium | PHP Composer | default dependencies only | | #343041 (closed) |
| gemnasium-maven | Maven | all dependency scopes | | |
| gemnasium-maven | Gradle | all dependency configurations | | |
| gemnasium-maven | Sbt | compile configuration only | | #343043 |
| gemnasium-python | pip | N/A | | |
| gemnasium-python | Setuptools | N/A | | |
| gemnasium-python | Pipenv | default and develop dependencies | | |
See gitlab-com/www-gitlab-com#12428 (closed)
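The practical consequence of the table is that some manifests hold packages in groups the analyzer never reads (Composer's require-dev, for instance), so those packages receive no vulnerability checks. The following script is an added illustration, not code from GitLab or the Gemnasium analyzers: it parses a package.json and a composer.json, splits the declared packages by group, and reports the groups that fall outside what the table says is scanned. The two manifests are constructed sample input; the group-to-manager mapping in SCANNED_GROUPS is taken directly from the npm and PHP Composer rows above, and the "require-dev" gap is the only one this snippet knows about.

```python
import json

# Groups the issue's table lists as scanned, per package manager.
# npm: "default and dev dependencies"; Composer: "default dependencies only".
SCANNED_GROUPS = {
    "npm": {"dependencies", "devDependencies"},
    "composer": {"require"},
}

# Manifest keys that declare dependency groups for each manager.
GROUP_KEYS = {
    "npm": ("dependencies", "devDependencies"),
    "composer": ("require", "require-dev"),
}

# Constructed sample manifests (not from any real project).
PACKAGE_JSON = """{
  "name": "sample-app",
  "dependencies": {"express": "^4.18.2"},
  "devDependencies": {"jest": "^29.0.0"}
}"""

COMPOSER_JSON = """{
  "require": {"php": ">=8.1", "monolog/monolog": "^3.0", "guzzlehttp/guzzle": "^7.0"},
  "require-dev": {"phpunit/phpunit": "^10.0", "phpstan/phpstan": "^1.10"}
}"""


def dependency_groups(manager, manifest_text):
    """Return {group: sorted package names} for every group present in the manifest.

    For Composer, platform requirements such as "php" or "ext-json" (names
    without a vendor/ prefix) are not packages and are dropped.
    """
    if manager not in GROUP_KEYS:
        raise ValueError(f"unsupported package manager: {manager}")
    data = json.loads(manifest_text)
    groups = {}
    for key in GROUP_KEYS[manager]:
        packages = data.get(key) or {}
        if manager == "composer":
            packages = {name: ver for name, ver in packages.items() if "/" in name}
        if packages:
            groups[key] = sorted(packages)
    return groups


def uncovered_dependencies(manager, manifest_text):
    """Return the groups (and their packages) that the analyzer does not scan."""
    groups = dependency_groups(manager, manifest_text)
    return {g: pkgs for g, pkgs in groups.items() if g not in SCANNED_GROUPS[manager]}


if __name__ == "__main__":
    for manager, text in (("npm", PACKAGE_JSON), ("composer", COMPOSER_JSON)):
        gaps = uncovered_dependencies(manager, text)
        if gaps:
            for group, pkgs in gaps.items():
                print(f"{manager}: group '{group}' is not scanned: {', '.join(pkgs)}")
        else:
            print(f"{manager}: all declared dependency groups are scanned")
```

Running it against the sample manifests reports no gap for the npm project and flags phpstan/phpstan and phpunit/phpunit in the Composer project, which is exactly the information a user would want the documentation to make explicit.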
Proposal
Cover the dependency types being scanned in Dependency Scanning user documentation.
Who can address the issue
group::composition analysis backend engineers, or anyone who is familiar enough with Dependency Scanning and package managers.
Other links/references
/cc @gitlab-org/secure/composition-analysis-be @NicoleSchwartz @rdickenson