Add ability to optionally ignore dev dependencies in Bundler projects
Release notes
TODO
Problem to solve
When Dependency Scanning runs on Bundler projects, it does not capture the dependency group and as a result includes dependencies of all groups. In contrast, for NPM projects Dependency Scanning determines whether a package is part of `dependencies` or `devDependencies`, and the gemnasium analyzer includes `devDependencies` if and only if the option to do so is enabled. To prevent feature drift, Bundler should also support optionally excluding the development groups of dependencies.
Intended users
- Sasha (Software Developer)
- Priyanka (Platform Engineer)
- Sam (Security Analyst)
- Alex (Security Operations Engineer)
Proposal
When gemnasium runs with the `DS_INCLUDE_DEV_DEPENDENCIES="false"` variable value it should exclude any dependencies that belong to the `dev`, `development`, or `test` group.
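As an added illustration (not code from gemnasium or from this issue), the following Ruby script applies the rule above to a Bundler project: it evaluates the Gemfile with a small stand-in DSL to learn each top-level gem's groups, treats gems whose only groups are `dev`, `development` or `test` as development-only, and walks `Gemfile.lock` from the remaining roots so that a transitive dependency shared with a runtime gem is still reported while test-only transitive gems are dropped. The stand-in DSL, the lock-file parser, the `select_dependencies` and `include_dev_dependencies?` helpers and the sample Gemfile and lock file are all assumptions made for illustration and do not describe the analyzer's actual implementation.

```ruby
# Added example, not gemnasium's own code: the Gemfile DSL stand-in, the lock
# parser and the sample inputs below are assumptions made for illustration.
require "set"
DEV_GROUPS = %i[dev development test].freeze # groups the proposal excludes

# Stand-in for Bundler's Gemfile DSL (not Bundler::Dsl): maps each top-level
# gem to its groups; ungrouped gems land in :default, as in Bundler.
class GemfileGroups
  attr_reader :groups_by_gem
  def initialize
    @groups_by_gem = Hash.new { |h, k| h[k] = Set.new }
    @group_stack = [] # enclosing `group` blocks; nested blocks accumulate
  end
  def source(*); end # carries no group information
  def gem(name, *args)
    opts = args.last.is_a?(Hash) ? args.last : {}
    groups = @group_stack.flatten + Array(opts[:group] || opts[:groups])
    groups = [:default] if groups.empty?
    @groups_by_gem[name].merge(groups.map(&:to_sym))
  end
  def group(*names)
    @group_stack.push(names)
    yield
  ensure
    @group_stack.pop
  end
  def self.evaluate(gemfile_text)
    dsl = new
    dsl.instance_eval(gemfile_text, "Gemfile", 1)
    dsl.groups_by_gem
  end
end

# Parse the `specs:` block(s) of a Gemfile.lock into { name => { version:, deps: } }
# using Bundler's indentation: 4 spaces for a spec, 6 for each of its runtime deps.
def parse_lock_specs(lock_text)
  specs, current, in_specs = {}, nil, false
  lock_text.each_line(chomp: true) do |line|
    if line =~ /\A[A-Z]/ # section header: GEM, PATH, PLATFORMS, DEPENDENCIES, ...
      in_specs = false
    elsif line.strip == "specs:"
      in_specs = true
    elsif in_specs && line =~ /\A {4}(\S+) \(([^)]+)\)/
      current = Regexp.last_match(1)
      specs[current] = { version: Regexp.last_match(2), deps: [] }
    elsif in_specs && current && line =~ /\A {6}(\S+)/
      specs[current][:deps] << Regexp.last_match(1)
    end
  end
  specs
end

# Only the literal "false" turns dev dependencies off, as the proposal states;
# treating an unset variable as "include" is an assumption of this example.
def include_dev_dependencies?(value)
  value.to_s.strip.downcase != "false"
end

# Top-level gems with at least one non-dev group are roots; everything reachable
# from a root via the lock file is kept, so a gem shared by a runtime gem and a
# test gem (rack below) stays while test-only transitive gems (xpath) are dropped.
def select_dependencies(gemfile_text, lock_text, include_dev:)
  specs = parse_lock_specs(lock_text)
  roots = GemfileGroups.evaluate(gemfile_text).select do |_name, groups|
    include_dev || groups.any? { |g| !DEV_GROUPS.include?(g) }
  end.keys
  keep, queue = Set.new, roots.dup
  until queue.empty?
    name = queue.shift
    next if keep.include?(name) || !specs.key?(name)
    keep << name
    queue.concat(specs[name][:deps])
  end
  keep.sort.to_h { |n| [n, specs[n][:version]] }
end

# Constructed sample project; gem versions are illustrative.
GEMFILE = <<~TEXT
  source "https://rubygems.org"
  gem "actionpack", "~> 7.0"
  gem "pry", group: :development
  group :test do
    gem "capybara"
  end
TEXT

GEMFILE_LOCK = <<~TEXT
  GEM
    specs:
      actionpack (7.0.4)
        activesupport (= 7.0.4)
        rack (~> 2.0, >= 2.2.0)
      activesupport (7.0.4)
      capybara (3.38.0)
        rack (>= 1.6.0)
        xpath (~> 3.2)
      pry (0.14.1)
      rack (2.2.4)
      xpath (3.2.0)
TEXT
```

With the sample inputs, `select_dependencies(GEMFILE, GEMFILE_LOCK, include_dev: false)` returns only `actionpack`, `activesupport` and `rack` (`rack` survives because `actionpack` needs it, even though `capybara` in the `test` group needs it too), while `include_dev: true` also returns `capybara`, `pry` and `xpath`. Wiring `include_dev_dependencies?(ENV["DS_INCLUDE_DEV_DEPENDENCIES"])` into the `include_dev:` argument gives the variable the behaviour the proposal describes.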
Documentation
- Update the documentation in Configuring specific analyzers used by dependency scanning to mention support for Bundler projects, including the groups that this option considers.
Availability & Testing
- Update the Bundler unit tests to cover the cases where `DS_INCLUDE_DEV_DEPENDENCIES` is set to `true` and `false`.
- Update the Bundler integration tests to include cases where `DS_INCLUDE_DEV_DEPENDENCIES` is set to `false`.
Edited by Oscar Tovar