Add ability to optionally ignore dev dependencies in Gradle projects

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Close this issue

Release notes

TODO

Problem to solve

When Dependency Scanning runs on Gradle projects, it does not capture the dependency type and as a result includes all dependencies. In contrast, NPM projects with dependency scanning will determine if a package is part of dependencies or devDependencies, and the analyzer will include devDependencies, if and only if, the option to do so is enabled. To prevent feature drift, Gradle should also support optionally installing the development group of dependencies.

Intended users

• Sasha (Software Developer)
• Priyanka (Platform Engineer)
• Sam (Security Analyst)
• Alex (Security Operations Engineer)

Proposal

When gemansium runs with the DS_INCLUDE_DEV_DEPENDENCIES="false" variable value it should exclude any dependencies that belong to non-default dependency types. The gemnasium-gradle-plugin should be updated to include this information as it will be required.

Documentation

• Update the documentation in Configuring specific analyzers used by dependency scanning to mention support for Gradle projects. It should mention the groups that are considered by this option.

Availability & Testing

TODO