Add ability to optionally ignore dev dependencies in Poetry projects

Release notes

TODO

Problem to solve

When Dependency Scanning runs on Poetry projects, it will always include development dependencies. NPM projects with dependency scanning respect the option to include or exclude devDependencies. This was done to provide the ability to view what issues exist only within production. For Poetry, this would be the results of production installs i.e. poetry install --no-dev. This issue aims to bring optional development dependency inclusion to Poetry dependency scanning.

For additional context, the Poetry package manager propagates the dev context when resolving transitive dependencies. This is supported by the pyproject.toml and poetry.lock found in the python-poetry project. The pyproject.toml file only includes the pytest dev dependency but the lock file includes pytest and all of it's dependencies as dev dependencies.

Intended users

• Sasha (Software Developer)
• Priyanka (Platform Engineer)
• Sam (Security Analyst)
• Alex (Security Operations Engineer)

Proposal

• Add Category to poetry.docPackage to capture package category.
• Update poetry.Parse to only add a development dependency if the opts.IncludeDev is true.

Documentation

• Update the documentation in Configuring specific analyzers used by dependency scanning to mention support for Poetry projects.

Availability & Testing

• Poetry unit tests should be updated to include cases where the IncludeDev option is set to false.
• Poetry integrations tests should be updated to include cases where DS_INCLUDE_DEV_DEPENDENCIES is set to false.

Implementation Plan

• Update Gemnasium
  • Add Category to poetry.docPackage to capture package category.
  • Update poetry.Parse to skip if opts.IncludeDev is false and pkg.Category == "dev".
  • Add unit tests to the poetry parser to verify that the category field is extracted.
  • Update Poetry integrations tests to test DS_INCLUDE_DEV_DEPENDENCIES="false".
• Update Documentation in Configuring specific analyzers used by dependency scanning to mention support for optionally including development dependencies found in poetry.lock files.