Add ability to optionally ignore dev dependencies in Pipenv projects

Release notes

N/A

Problem to solve

When Dependency Scanning runs on Pipenv projects, it will always include development dependencies. In contrast, NPM projects with Dependency Scanning dynamically include devDependencies only if the option to do so is enabled. To prevent feature drift, Pipenv should also support optionally installing development dependencies.

Intended users

  • Sasha (Software Developer)
  • Priyanka (Platform Engineer)
  • Sam (Security Analyst)
  • Alex (Security Operations Engineer)

Proposal

  • Update piplock.Parse so that it only adds a development dependency if opts.IncludeDev is true.

Documentation

  • Update the documentation in Configuring specific analyzers used by dependency scanning to mention support for Pipenv projects.

Availability & Testing

  • Pipenv unit tests should be updated to include cases where the IncludeDev option is set to false.
  • Pipenv integration tests should be updated to include cases where DS_INCLUDE_DEV_DEPENDENCIES is set to false.

Implementation Plan

  • Update piplock.Parse to add dependencies in document.Develop only if opts.IncludeDev is true.
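A minimal Go sketch of the parse behaviour proposed above, added here as an illustration and not the analyzer's own piplock.Parse; the Options and Package types, the trimmed lock-file shape and the SampleLock constant are assumptions:

```go
// Added example, not the analyzer's own code: a minimal Pipfile.lock parser
// that honours an IncludeDev option, as the proposal above describes.
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)
// Options stands in for the analyzer's opts; only IncludeDev is modelled.
type Options struct{ IncludeDev bool }

// lockDocument holds the two dependency sections of a Pipfile.lock;
// _meta and per-package hashes are ignored here.
type lockDocument struct {
	Default map[string]struct{ Version string `json:"version"` } `json:"default"`
	Develop map[string]struct{ Version string `json:"version"` } `json:"develop"`
}
// Package is one resolved dependency and the lock section it came from.
type Package struct {
	Name, Version string
	Dev           bool
}

// Parse returns the packages of a Pipfile.lock. The "default" section is
// always kept; "develop" entries are added only when opts.IncludeDev is true.
func Parse(data []byte, opts Options) ([]Package, error) {
	var doc lockDocument
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, fmt.Errorf("pipfile.lock: %w", err)
	}
	var pkgs []Package
	for name, e := range doc.Default {
		pkgs = append(pkgs, Package{Name: name, Version: e.Version})
	}
	if opts.IncludeDev {
		for name, e := range doc.Develop {
			pkgs = append(pkgs, Package{Name: name, Version: e.Version, Dev: true})
		}
	}
	// map iteration order is random; sort so output is deterministic
	sort.Slice(pkgs, func(i, j int) bool { return pkgs[i].Name < pkgs[j].Name })
	return pkgs, nil
}
// SampleLock is a constructed, trimmed Pipfile.lock used for the demo.
const SampleLock = `{"default":{"requests":{"version":"==2.28.1"}},"develop":{"pytest":{"version":"==7.1.3"}}}`

func main() {
	pkgs, _ := Parse([]byte(SampleLock), Options{IncludeDev: false})
	fmt.Println(pkgs) // pytest is left out because IncludeDev is false
}
```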
Edited Sep 27, 2022 by Oscar Tovar