aquasecurity
refactor: include/exclude dev deps in analyzers
Description
Move dev(test) dependencies inclusion/exclusion in analyzers. See #7476 for more details.
Related issues
- Close #7476
Checklist
- [x] I've read the guidelines for contributing to this repository.
- [x] I've followed the conventions in the PR title.
- [x] I've added tests that prove my fix is effective or that my feature works.
- [ ] I've updated the documentation with the relevant information (if needed).
- [ ] I've added usage information (if the PR introduces new options)
- [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).
@DmitriyLewen https://github.com/aquasecurity/trivy/commit/2d97700d10665142d2f66d7910202bec82116209 caused a major regression for us, in that it appears --include-dev-deps was never wired through, and maven test dependencies are therefore included by default. Will it be fixed in this PR? IMO it's worthy of a hotfix as we had to downgrade to stop all of our builds producing hundreds of test CVEs
Hello @coheigea yeah, this PR contains fix for that (https://github.com/aquasecurity/trivy/pull/7484/commits/dba9f9f7f03afe6dd3cb111e3a14bcb050233303)
Can you test these changes in your project?
Thanks @DmitriyLewen , with the PR it doesn't scan test dependencies by default any more.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
We need to take the flag into account for cache key calculation.
I didn't change the key for the cache - because all analyzers don't work for the image mod. But since we are now talking about the ability to enable/disable analyzers (#3987) - this will be useful, thanks. updated in https://github.com/aquasecurity/trivy/pull/7484/commits/18c4b678b9ccbf98307c1575098cea0a9077d0da
Also, some more analyzers support development dependencies now.
Updated missing analyzers.