Add ability to optionally ignore dev dependencies in Gradle projects
Release notes
TODO
Problem to solve
When Dependency Scanning runs on Gradle projects, it does not capture the dependency type and as a result includes all dependencies. In contrast, NPM projects with dependency scanning determine whether a package is part of dependencies or devDependencies, and the analyzer includes devDependencies if, and only if, the option to do so is enabled. To prevent feature drift, Gradle should also support optionally including the development group of dependencies.
Intended users
- Sasha (Software Developer)
- Priyanka (Platform Engineer)
- Sam (Security Analyst)
- Alex (Security Operations Engineer)
Proposal
When gemnasium runs with the DS_INCLUDE_DEV_DEPENDENCIES="false" variable value, it should exclude any dependencies that belong to non-default dependency types. The gemnasium-gradle-plugin should be updated to include this information, as it will be required.
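The "dependency type" the proposal asks the plugin to capture is, in Gradle terms, the configuration a dependency is declared in (for the Java plugin: implementation, runtimeOnly, testImplementation, and so on). The following build.gradle is an added illustration, not code from the gemnasium project or from GitLab: it declares dependencies in production and test configurations and adds a task that lists each declared dependency together with its configuration. The coordinates are constructed sample values, and the rule that treats configurations whose name starts with "test" as the development group is an assumption made for the example only; the issue leaves the exact set of groups to the documentation.

```groovy
// build.gradle (Groovy DSL). Added example, not part of gemnasium or gemnasium-gradle-plugin.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // Default (production) configurations: shipped with the application.
    implementation 'com.example:sample-lib:1.0.0'          // constructed coordinate
    runtimeOnly 'com.example:sample-runtime:1.0.0'         // constructed coordinate
    // Test-only configurations: never part of the shipped artifact.
    testImplementation 'com.example:sample-test-lib:1.0.0' // constructed coordinate
}

// Assumption for this example only: the development group is every configuration whose
// name starts with "test". The issue does not yet define which groups the option covers.
def isDevConfiguration = { String name -> name.startsWith('test') }

// Mirrors DS_INCLUDE_DEV_DEPENDENCIES: run with -PincludeDev=false to drop the dev group.
def includeDev = (findProperty('includeDev') ?: 'true').toString().toBoolean()

// Lists declared dependencies per configuration without resolving them, so it runs offline.
tasks.register('listDeclaredDependencies') {
    doLast {
        configurations.each { cfg ->
            if (!includeDev && isDevConfiguration(cfg.name)) {
                return // skip the development group when the option is off
            }
            cfg.dependencies.each { dep ->
                println "${cfg.name}: ${dep.group}:${dep.name}:${dep.version}"
            }
        }
    }
}
```

Running `gradle listDeclaredDependencies` prints one line per declared dependency prefixed with its configuration name; adding `-PincludeDev=false` omits the testImplementation entry. A scanner that records the configuration name alongside each dependency has the information it needs to apply the same filter.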
Documentation
- Update the documentation in Configuring specific analyzers used by dependency scanning to mention support for Gradle projects. It should mention the groups that are considered by this option.
Availability & Testing
TODO
Edited by Oscar Tovar