
fix(gradle): exclude dev dependencies while scanning

Open sneaky-potato opened this issue 7 months ago • 2 comments

Description

We need to mark development dependencies while scanning gradle lockfiles so that they are not included in the final scans

Related issues

  • Close #8755

Checklist

  • [x] I've read the guidelines for contributing to this repository.
  • [x] I've followed the conventions in the PR title.
  • [x] I've added tests that prove my fix is effective or that my feature works.
  • [ ] I've updated the documentation with the relevant information (if needed).
  • [ ] I've added usage information (if the PR introduces new options)
  • [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).

sneaky-potato avatar May 01 '25 06:05 sneaky-potato
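As an added illustration of the behaviour this PR describes, and not trivy's own code (its real parser lives in the project's Gradle lockfile package), the following Go program parses the `group:name:version=configuration,...` entries of a gradle.lockfile and drops entries that appear only in test configurations unless an include-dev-deps switch is set. Both the sample lockfile and the heuristic that a configuration whose name starts with "test" marks a development dependency are assumptions made for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Dependency is one resolved artifact from a gradle.lockfile.
type Dependency struct {
	Group, Name, Version string
	Configurations       []string
	// Dev is true when the artifact is reachable only through test
	// configurations (assumed heuristic, see isDevConfiguration).
	Dev bool
}

// isDevConfiguration reports whether a Gradle configuration is test-only.
// Treating every configuration that starts with "test" as development-only is
// an assumption for this example, not necessarily the rule trivy applies.
func isDevConfiguration(conf string) bool {
	return strings.HasPrefix(strings.ToLower(conf), "test")
}

// ParseGradleLockfile parses lockfile content and marks development
// dependencies. When includeDev is false they are left out of the result,
// mirroring the effect of scanning without --include-dev-deps.
func ParseGradleLockfile(content string, includeDev bool) ([]Dependency, error) {
	var deps []Dependency
	sc := bufio.NewScanner(strings.NewReader(content))
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank line or Gradle's header comment
		}
		coords, confs, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("line %d: missing '=' separator", lineNo)
		}
		if coords == "empty" {
			continue // "empty=conf1,conf2" lists configurations with no dependencies
		}
		parts := strings.Split(coords, ":")
		if len(parts) != 3 {
			return nil, fmt.Errorf("line %d: expected group:name:version, got %q", lineNo, coords)
		}
		dep := Dependency{Group: parts[0], Name: parts[1], Version: parts[2]}
		onlyTest := true
		for _, c := range strings.Split(confs, ",") {
			c = strings.TrimSpace(c)
			if c == "" {
				continue
			}
			dep.Configurations = append(dep.Configurations, c)
			if !isDevConfiguration(c) {
				onlyTest = false
			}
		}
		// An artifact with no configuration at all is kept as a regular dependency.
		dep.Dev = len(dep.Configurations) > 0 && onlyTest
		if dep.Dev && !includeDev {
			continue
		}
		deps = append(deps, dep)
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return deps, nil
}

// Names returns sorted "group:name" identifiers, convenient for reporting.
func Names(deps []Dependency) []string {
	names := make([]string, 0, len(deps))
	for _, d := range deps {
		names = append(names, d.Group+":"+d.Name)
	}
	sort.Strings(names)
	return names
}

// sampleLockfile is a constructed gradle.lockfile for this example; the
// artifacts and versions are illustrative, not taken from a real project.
const sampleLockfile = `# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
com.fasterxml.jackson.core:jackson-databind:2.15.2=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
org.apache.commons:commons-lang3:3.12.0=runtimeClasspath,testRuntimeClasspath
org.junit.jupiter:junit-jupiter:5.10.0=testCompileClasspath,testRuntimeClasspath
org.mockito:mockito-core:5.5.0=testRuntimeClasspath
empty=annotationProcessor
`

func main() {
	for _, includeDev := range []bool{false, true} {
		deps, err := ParseGradleLockfile(sampleLockfile, includeDev)
		if err != nil {
			panic(err)
		}
		fmt.Printf("include-dev-deps=%v -> %v\n", includeDev, Names(deps))
	}
}
```

With the switch off, only jackson-databind and commons-lang3 remain, because each is reachable from a non-test classpath; the two test-only artifacts are dropped. With the switch on, all four are reported and the test-only ones carry Dev=true, which is the property a scanner needs in order to mark them rather than silently omit them.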

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar May 01 '25 06:05 CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

CLAassistant avatar May 01 '25 06:05 CLAassistant

@sneaky-potato thanks for your work!

Do you have time to create one more PR with an update for the docs (I mean the Java page)? We write information about support of the --include-dev-deps flag for languages (e.g. for yarn, pnpm). If you don't have time, simply tell me; I will do that myself.

Regards, Dmitriy

DmitriyLewen avatar May 05 '25 16:05 DmitriyLewen

Hi @DmitriyLewen, sure, I can update the docs. Do you mean updating the information about the --include-dev-deps flag when using the CLI? I can see the following description when using the --help flag:

$ ./trivy fs . --help | grep include-dev-deps
      --include-dev-deps            include development dependencies in the report (supported: npm, yarn)

EDIT: I read your edited response just now; I will look into the Java page that you have linked. Shall I put information about the --include-dev-deps flag under the Gradle.lock section?

sneaky-potato avatar May 05 '25 16:05 sneaky-potato

> Shall I put information about the --include-dev-deps flag under the Gradle.lock section?

Absolutely right.

UPD: it also makes sense to add Gradle to the flag description: https://github.com/aquasecurity/trivy/blob/4a38d0121baf7d8978cb0e107180efeee2c7dee3/pkg/flag/package_flags.go#L13

DmitriyLewen avatar May 05 '25 16:05 DmitriyLewen

Hi, please find the PR for updating the docs here: #8830

sneaky-potato avatar May 06 '25 11:05 sneaky-potato