Add ability to optionally ignore dev dependencies in NuGet projects

Release notes

TODO

Problem to solve

When Dependency Scanning runs on NuGet projects, it does not differentiate development dependencies as it parses lockfiles. In contrast, NPM projects with dependency scanning will determine if a package is part of dependencies or devDependencies. The gemnasium analyzer will include the devDependencies if and only if the option to do so is enabled. To prevent feature drift, NuGet parsing should also support optionally including development dependencies.

Intended users

Proposal

When gemnasium runs with DS_INCLUDE_DEV_DEPENDENCIES="false" it should exclude any dependency that would be installed by a PackageReference that declares <PrivateAssets>all</PrivateAssets>.
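As an added illustration of the proposed behaviour (not code from gemnasium), the following reads the dev roots from an SDK-style .csproj (no default XML namespace assumed) and filters a packages.lock.json: with the flag off, a package is reported only if it is reachable from a direct reference that is not marked PrivateAssets=all, so a transitive dependency shared with a production package is still reported. The sample project file and lock file are constructed; the package names and versions in them are made up.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample .csproj: Bar (child element) and Baz (attribute) are PrivateAssets=all.
CSPROJ = b"""<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Foo" Version="1.0.0" />
    <PackageReference Include="Bar" Version="2.0.0">
      <PrivateAssets>all</PrivateAssets>
    </PackageReference>
    <PackageReference Include="Baz" Version="3.0.0" PrivateAssets="all" />
  </ItemGroup>
</Project>"""

# Constructed sample packages.lock.json: Shared is reachable from both Foo and Bar,
# BarOnly is reachable only from the dev root Bar.
LOCK = json.dumps({"version": 1, "dependencies": {"net6.0": {
    "Foo": {"type": "Direct", "resolved": "1.0.0", "dependencies": {"Shared": "1.0.0"}},
    "Bar": {"type": "Direct", "resolved": "2.0.0", "dependencies": {"Shared": "1.0.0", "BarOnly": "0.1.0"}},
    "Baz": {"type": "Direct", "resolved": "3.0.0"},
    "Shared": {"type": "Transitive", "resolved": "1.0.0"},
    "BarOnly": {"type": "Transitive", "resolved": "0.1.0"},
}}})

def dev_roots(csproj: bytes) -> set[str]:
    """Lower-cased ids of direct PackageReferences declaring PrivateAssets=all, given as
    either an attribute or a child element (NuGet ids are case-insensitive)."""
    roots = set()
    for ref in ET.fromstring(csproj).iter("PackageReference"):
        value = ref.get("PrivateAssets") or ref.findtext("PrivateAssets") or ""
        if value.strip().lower() == "all":
            roots.add(ref.get("Include", "").lower())
    return roots

def scanned_deps(lock: str, tfm: str, roots: set[str], include_dev: bool) -> dict[str, str]:
    """id -> resolved version for one target framework. With include_dev=False the walk
    starts only from direct references that are not dev roots, so anything reachable solely
    through a PrivateAssets=all reference is dropped together with its transitive closure."""
    pkgs = {k.lower(): v for k, v in json.loads(lock)["dependencies"][tfm].items()}
    out: dict[str, str] = {}
    stack = [i for i, e in pkgs.items()
             if e.get("type", "").lower() == "direct" and (include_dev or i not in roots)]
    while stack:
        pid = stack.pop()
        if pid in out or pid not in pkgs:
            continue
        out[pid] = pkgs[pid].get("resolved", "")
        stack.extend(d.lower() for d in pkgs[pid].get("dependencies", {}))
    return out
```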

Documentation

  • Update the documentation in Configuring specific analyzers used by dependency scanning to mention support for NuGet projects. It should state that any dependencies that declare <PrivateAssets>all</PrivateAssets> are included or excluded, along with their transitive dependencies, depending on the value of DS_INCLUDE_DEV_DEPENDENCIES.

Availability & Testing

  • Update NuGet unit tests that cover the cases where DS_INCLUDE_DEV_DEPENDENCIES is set to true and false.
  • NuGet integration tests should be updated to include cases where DS_INCLUDE_DEV_DEPENDENCIES is set to false.

Edited by Oscar Tovar