jfrog-cli

Include option to exclude some maven test dependencies from the build-info

Open shashwathrai opened this issue 2 years ago • 4 comments

Is your feature request related to a problem? Please describe.
Include an option to exclude some Maven dependencies based on scope (e.g. test) from the build-info being pushed to Artifactory.

Describe the solution you'd like to see
We would like to have an option in jfrog-cli to exclude Maven test dependencies from the build-info.

Describe alternatives you've considered
NA

Additional context
NA

shashwathrai • Apr 02 '23 14:04

Hi @shashwathrai, Thanks for using the JFrog CLI.

The build-info represents the actual status of the build and therefore excluding information from it would impact its reliability. What is the reason you'd like to achieve this goal?

yahavi • Apr 13 '23 07:04

We have the same need. Our customers don't want to get security violations from Xray scanning (jfrog build-scan) on test dependencies.

wilvdb • Mar 28 '24 13:03

We run into the same problem. We want to provide a build info for our SaaS components in Artifactory, and the result of the JFrog CLI build information contains test dependencies even when the test compile is skipped with the Maven parameter "-Dmaven.test.skip=true". The result can therefore not be used to create an SBOM through Artifactory for a deliverable artifact.

In addition, we want to know the security implications of our deliverables in our SaaS context. Test components are nice to know but should not let our builds fail. With an option to enable or disable test components we could separate such information.

Another addition is that the build info also lists provided components. It should be an option to skip those as well. Example: We want to create an SBOM for a customer that gets some kind of deliverable. It should only contain artifacts that are actually delivered and not parts that are part of the customer's existing infrastructure / runtime.

Hurz • Oct 18 '24 12:10
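The scope-based separation requested in this thread, sketched as an added example that is not part of the thread or of JFrog CLI: it leaves the build-info untouched and derives a delivered view (for an SBOM or a gating scan) and an excluded view (test/provided) from it. The sample document is constructed, and the `modules[].dependencies[].scopes` layout and the `split_by_scope` helper are assumptions made for illustration.

```python
import json

# Constructed sample, not real CLI output. Assumption: each module lists its
# dependencies with an "id" and a "scopes" array.
SAMPLE_BUILD_INFO = json.loads("""
{
  "name": "example-build", "number": "1",
  "modules": [
    {"id": "com.example:service:1.0.0",
     "dependencies": [
       {"id": "org.slf4j:slf4j-api:2.0.9", "scopes": ["compile"]},
       {"id": "org.postgresql:postgresql:42.7.1", "scopes": ["runtime"]},
       {"id": "jakarta.servlet:jakarta.servlet-api:6.0.0", "scopes": ["provided"]},
       {"id": "org.junit.jupiter:junit-jupiter:5.10.1", "scopes": ["test"]},
       {"id": "com.example:shared:1.0.0", "scopes": ["test", "compile"]},
       {"id": "com.example:unknown:0.1"}
     ]}
  ]
}
""")

# Scopes that never ship with the deliverable (hypothetical default policy).
NON_DELIVERED = frozenset({"test", "provided"})


def split_by_scope(build_info, non_delivered=NON_DELIVERED):
    """Return (delivered, excluded) lists of (module_id, dep_id, scopes).

    A dependency is excluded only when every one of its scopes is
    non-delivered. A dependency with no scope information stays in the
    delivered set, so missing metadata can never hide a shipped component.
    The input document is not modified.
    """
    delivered, excluded = [], []
    for module in build_info.get("modules", []):
        for dep in module.get("dependencies", []):
            scopes = {s.lower() for s in dep.get("scopes") or []}
            row = (module.get("id"), dep.get("id"), sorted(scopes))
            if scopes and scopes <= non_delivered:
                excluded.append(row)
            else:
                delivered.append(row)
    return delivered, excluded


if __name__ == "__main__":
    delivered, excluded = split_by_scope(SAMPLE_BUILD_INFO)
    for label, rows in (("delivered", delivered), ("excluded", excluded)):
        for _, dep_id, scopes in rows:
            print(f"{label:9} {dep_id} {scopes}")
```

Keeping the excluded list alongside the delivered one lets test and provided findings be reported as informational without failing the build, while the full build-info stays intact as the record of what the build resolved.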