Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor: include/exclude dev deps in analyzers #7484

Open
wants to merge 12 commits into
base: main
Choose a base branch
from
Open

refactor: include/exclude dev deps in analyzers #7484

wants to merge 12 commits into from

Conversation

DmitriyLewen
Copy link
Contributor

Description

Move dev(test) dependencies inclusion/exclusion in analyzers.
See #7476 for more details.

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@DmitriyLewen DmitriyLewen self-assigned this Sep 11, 2024
@DmitriyLewen DmitriyLewen changed the title reafactor: include/exclude dev deps in analyzers refactor: include/exclude dev deps in analyzers Sep 11, 2024
@coheigea
Copy link
Contributor

coheigea commented Sep 11, 2024
edited
Loading

@DmitriyLewen 2d97700 caused a major regression for us, in that it appears --include-dev-deps was never wired through, and maven test dependencies are therefore included by default. Will it be fixed in this PR? IMO it's worthy of a hotfix as we had to downgrade to stop all of our builds producing hundreds of test CVEs

@coheigea coheigea mentioned this pull request Sep 11, 2024
Open
@DmitriyLewen DmitriyLewen marked this pull request as ready for review September 11, 2024 09:05
@DmitriyLewen
Copy link
Contributor Author

Hello @coheigea
yeah, this PR contains fix for that (dba9f9f)

Can you test these changes in your project?

@coheigea
Copy link
Contributor

Thanks @DmitriyLewen , with the PR it doesn't scan test dependencies by default any more.

@DmitriyLewen DmitriyLewen marked this pull request as draft September 11, 2024 09:29
@DmitriyLewen DmitriyLewen marked this pull request as draft September 11, 2024 09:29
@DmitriyLewen DmitriyLewen mentioned this pull request Sep 12, 2024
Merged
9 tasks
DmitriyLewen
DmitriyLewen commented Sep 12, 2024
View reviewed changes
pkg/fanal/analyzer/language/java/pom/pom.go
Comment on lines +32 to +34
if isIntegrationTestDir(filePath) && !a.includeDevDeps {
return nil, nil
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was thinking about moving this check to the Required function.
But it might not be entirely obvious

@DmitriyLewen DmitriyLewen marked this pull request as ready for review September 13, 2024 04:55
@DmitriyLewen DmitriyLewen mentioned this pull request Sep 13, 2024
Draft
7 tasks
@knqyf263 knqyf263 mentioned this pull request Sep 18, 2024
Closed
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knqyf263 knqyf263 Awaiting requested review from knqyf263 knqyf263 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@DmitriyLewen DmitriyLewen

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

enhancement(report): include/exclude dev deps in analyzers
2 participants
@DmitriyLewen @coheigea