Add ability to optionally ignore dev dependencies in Conan projects

Release notes

TODO

Problem to solve

When Dependency Scanning runs on Conan projects, it does not capture the tool_requires or build_requires section, and as a result it includes testing, linking and compiling dependencies that are not present in the final artifact. In contrast, NPM projects with dependency scanning will determine if a package is part of dependencies or devDependencies. The gemnasium analyzer will include the devDependencies if and only if the option to do so is enabled. To prevent feature drift, Conan should also support optionally installing the tool_requires and build_requires group of dependencies.

Intended users

Proposal

When gemnasium runs with the DS_INCLUDE_DEV_DEPENDENCIES="false" variable value, it should exclude any dependencies that have been listed in build_requires and tool_requires.

Documentation

Availability & Testing

  • Update Conan unit tests that cover the cases where DS_INCLUDE_DEV_DEPENDENCIES is set to true and false.
  • Conan integration tests should be updated to include cases where DS_INCLUDE_DEV_DEPENDENCIES is set to false.
Edited by Oscar Tovar
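
A sketch of the filtering the proposal describes, added here as an illustration and not taken from gemnasium: it walks a dependency graph and, when dev dependencies are excluded, never follows `build_requires` edges, so a package that is also reachable through a normal `requires` path is still reported. The function name `ScanRefs`, the root node id `"0"`, and the sample lockfile (constructed, shaped like a Conan 1.x `conan.lock` graph in which both dev groups appear as `build_requires` edges) are assumptions.

```go
package main

import "encoding/json"

// Constructed sample shaped like a Conan 1.x conan.lock graph (assumed input).
// Node "0" is the project itself; zlib is reachable through both edge kinds.
const sampleLock = `{"graph_lock":{"nodes":{
 "0":{"ref":"app/1.0","requires":["1","2"],"build_requires":["3"]},
 "1":{"ref":"openssl/3.0.8","requires":["2"]},"2":{"ref":"zlib/1.2.13"},
 "3":{"ref":"cmake/3.25.1","requires":["2","4"]},"4":{"ref":"ninja/1.11.1"}}}}`

type node struct {
	Ref           string   `json:"ref"`
	Requires      []string `json:"requires"`
	BuildRequires []string `json:"build_requires"`
}

// ScanRefs (hypothetical name) lists refs reachable from root node "0".
// includeDev mirrors DS_INCLUDE_DEV_DEPENDENCIES: when false, build_requires
// edges are not followed, so packages reachable only through them drop out.
func ScanRefs(lock []byte, includeDev bool) ([]string, error) {
	var lf struct {
		GraphLock struct{ Nodes map[string]node } `json:"graph_lock"`
	}
	if err := json.Unmarshal(lock, &lf); err != nil {
		return nil, err
	}
	seen, refs := map[string]bool{}, []string{}
	var walk func(ids []string)
	walk = func(ids []string) {
		for _, id := range ids {
			n, ok := lf.GraphLock.Nodes[id]
			if !ok || seen[id] {
				continue
			}
			seen[id] = true
			if id != "0" { // the project is not one of its own dependencies
				refs = append(refs, n.Ref)
			}
			walk(n.Requires)
			if includeDev {
				walk(n.BuildRequires)
			}
		}
	}
	walk([]string{"0"})
	return refs, nil
}
```

On the sample, excluding dev dependencies drops `cmake` and `ninja` but keeps `zlib`, which a build tool also pulls in; this shared-package case is the one the unit tests for the `false` setting should cover.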