Add ability to optionally ignore dev dependencies in Setuptools projects

Release notes

TODO

Problem to solve

When Dependency Scanning runs on Setuptools projects, it does not include development dependencies. In contrast, NPM projects with dependency scanning will include devDependencies if the option to do so is enabled. To prevent feature drift, Pipenv should also support for optionally installing development dependencies.

Intended users

• Sasha (Software Developer)
• Priyanka (Platform Engineer)
• Sam (Security Analyst)
• Alex (Security Operations Engineer)

Proposal

• Update setuptools.Build so that it implements the Configurable interface.
  • The setuptools.Builder should have an IncludeDev bool field.
  • In the Configure(ctx *cli.Context) implementation, it should configure the builder by utilizing the DS_INCLUDE_DEV_DEPENDENCIES value.
• Update setuptools.Build so that it installs development dependencies only if b.IncludeDev is true.

Documentation

• Update the documentation in Configuring specific analyzers used by dependency scanning to mention support for Setuptools projects.

Availability & Testing

• Add Setuptools unit tests that cover both cases where DS_INCLUDE_DEV_DEPENDENCIES is set to true and false.
• Setuptools integration tests should be updated to include cases where DS_INCLUDE_DEV_DEPENDENCIES is set to false.