Add ability to optionally ignore dev dependencies in Bundler projects

Release notes

TODO

Problem to solve

When Dependency Scanning runs on Bundler projects, it does not capture the dependency group and, as a result, includes dependencies from all groups. In contrast, for NPM projects, Dependency Scanning determines whether a package is part of dependencies or devDependencies. The gemnasium analyzer will include devDependencies if and only if the option to do so is enabled. To prevent feature drift, Bundler should also support optionally installing the development group of dependencies.

Intended users

Proposal

When gemnasium runs with the DS_INCLUDE_DEV_DEPENDENCIES="false" variable value, it should exclude any dependencies that belong to the dev, development, or test group.

Documentation

Availability & Testing

  • Update Bundler unit tests that cover the cases where DS_INCLUDE_DEV_DEPENDENCIES is set to true and false.
  • Bundler integration tests should be updated to include cases where DS_INCLUDE_DEV_DEPENDENCIES is set to false.
Edited by Oscar Tovar
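
One way the group filter from the Proposal could behave, as an added example that is not gemnasium's code: GroupRecorder and scannable_gems are hypothetical names, and the Gemfile and lock graph are constructed samples. It goes one step past the proposal by handling transitive dependencies, on the assumption that a gem shared by a runtime and a dev dependency is still reported.

```ruby
DEV_GROUPS = %i[dev development test].freeze

# Minimal stand-in for Bundler's Gemfile DSL (hypothetical helper) that records
# each gem's groups. instance_eval runs the Gemfile as Ruby: trusted input only.
class GroupRecorder
  attr_reader :gems
  def initialize
    @gems, @current = {}, []
  end
  def source(*); end
  def group(*names)
    previous = @current
    @current = previous + names.map(&:to_sym)
    yield
  ensure
    @current = previous
  end
  def gem(name, *args)
    opts = args.last.is_a?(Hash) ? args.last : {}
    groups = @current + Array(opts[:group]) + Array(opts[:groups])
    @gems[name] = groups.empty? ? [:default] : groups.map(&:to_sym)
  end
end

# With the variable set to "false", a gem is reported only if it is reachable
# from a direct dependency that has at least one non-dev group (assumed
# semantics). Assumption: an unset variable means every group is included.
def scannable_gems(gemfile_src, lock_graph, env = ENV)
  include_dev = env.fetch("DS_INCLUDE_DEV_DEPENDENCIES", "true") != "false"
  rec = GroupRecorder.new
  rec.instance_eval(gemfile_src)
  queue = rec.gems.select { |_, g| include_dev || (g - DEV_GROUPS).any? }.keys
  seen = []
  until queue.empty?
    name = queue.shift
    next if seen.include?(name)
    seen << name
    queue.concat(lock_graph.fetch(name, []))
  end
  seen.sort
end

GEMFILE = <<~RUBY # constructed sample
  source "https://rubygems.org"
  gem "rails"
  gem "pry", group: :development
  group(:development, :test) { gem "rspec-rails" }
RUBY
LOCK_GRAPH = { "rails" => %w[activesupport rack], "pry" => %w[coderay], # constructed
               "rspec-rails" => %w[rspec-core activesupport] }.freeze
```

In the sample, activesupport stays in the report with the variable set to "false" because rails also depends on it, while coderay and rspec-core drop out with their dev-only parents.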