Support to exclude scope for Maven Projects like compile, runtime, provided or test in Syft #3130
Comments
I think this is a great idea and there are a couple paths forward. One path is more complicated: capture java relationships for these dependencies (we are going to do this, anyway) but capture additional information including the dependency scope, and post-process relationships to exclude "development" scoped dependencies. This has the benefit that NPM has a similar issue where Another path is fairly simple: we have some maven configuration (and the CLI configuration), we could simply add a
Does this sound like something that would work for you?
Yes @kzantow, this sounds good with the second approach... It's not only scope exclusion; providing support to exclude group or artifact IDs is a great benefit to Maven users.
I would like to add my point of view to this issue. For me it would be useful to be able to differentiate between direct test dependencies and the test dependencies of the direct dependencies. I am actually interested in my test dependencies (e.g. in terms of identifying vulnerabilities or to be able to check for updates for those test dependencies). But I am not interested in the test dependencies of the transitive dependencies because I will not be in touch with them, they are not part of my build process or of my runtime environment. My direct test dependencies are part of my build process so I want to be able to report them without having the test dependencies of the transitive dependencies. Just excluding certain scopes would not fully allow for this use case. Please consider a solution which would allow for reporting all direct and only transitive compile dependencies.
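The two requests above (a per-scope include switch as in the issue body, and "all direct dependencies but only transitive compile dependencies" as in the last comment) can both be expressed as a post-processing filter over a scoped dependency graph, which is the first approach the maintainer describes. The Go program below is an added example written for this discussion; it is not Syft's code and does not use Syft's relationship model. The `Dependency`, `ScopePolicy`, `PolicyFromFlags` and `FilterDependencies` names and the sample graph are all assumptions constructed for illustration, and scopes are taken as recorded on each edge rather than mediated the way Maven would.

```go
package main

import (
	"fmt"
	"sort"
)

// Scope is a Maven dependency scope as named in the issue.
type Scope string

const (
	ScopeCompile  Scope = "compile"
	ScopeProvided Scope = "provided"
	ScopeRuntime  Scope = "runtime"
	ScopeTest     Scope = "test"
)

// Dependency is one edge of the resolved graph: Parent declares Child with
// the given Scope. An empty Parent marks a direct dependency of the project.
// Hypothetical structure for this example; Syft's own model is not used.
type Dependency struct {
	Parent string
	Child  string
	Scope  Scope
}

// ScopePolicy decides which edges are followed. Direct applies to the
// project's own declarations, Transitive to edges between dependencies, so
// "all direct scopes, only transitive compile" is expressible.
type ScopePolicy struct {
	Direct     map[Scope]bool
	Transitive map[Scope]bool
}

// PolicyFromFlags mirrors the -DincludeCompileScope=... style switches from
// the issue body: one on/off decision per scope, applied at every depth.
func PolicyFromFlags(compile, provided, runtime, test bool) ScopePolicy {
	allowed := map[Scope]bool{
		ScopeCompile:  compile,
		ScopeProvided: provided,
		ScopeRuntime:  runtime,
		ScopeTest:     test,
	}
	return ScopePolicy{Direct: allowed, Transitive: allowed}
}

// FilterDependencies walks the graph from the project root, following only
// edges the policy allows, and returns the sorted names of every artifact
// reached. Anything reachable solely through an excluded edge is dropped,
// which is the post-processing step described in the first comment.
func FilterDependencies(graph []Dependency, policy ScopePolicy) []string {
	children := map[string][]Dependency{}
	for _, d := range graph {
		children[d.Parent] = append(children[d.Parent], d)
	}
	kept := map[string]bool{}
	var walk func(parent string)
	walk = func(parent string) {
		for _, d := range children[parent] {
			allowed := policy.Transitive
			if parent == "" {
				allowed = policy.Direct
			}
			// The kept check also guards against cycles in the graph.
			if !allowed[d.Scope] || kept[d.Child] {
				continue
			}
			kept[d.Child] = true
			walk(d.Child)
		}
	}
	walk("")
	names := make([]string, 0, len(kept))
	for n := range kept {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// SampleGraph is a constructed graph (not from a real project) with one
// direct dependency of each scope plus transitive edges of differing scopes.
func SampleGraph() []Dependency {
	return []Dependency{
		{"", "guava", ScopeCompile},
		{"", "slf4j-api", ScopeRuntime},
		{"", "servlet-api", ScopeProvided},
		{"", "junit", ScopeTest},
		{"guava", "failureaccess", ScopeCompile},
		{"guava", "mockito", ScopeTest}, // transitive test dependency
		{"junit", "hamcrest", ScopeCompile},
		{"slf4j-api", "jcl-over-slf4j", ScopeRuntime},
	}
}

func main() {
	// The flag combination given in the issue body.
	flags := PolicyFromFlags(true, false, true, false)
	fmt.Println("flags:", FilterDependencies(SampleGraph(), flags))

	// The later comment's request: every direct dependency, but only
	// compile-scoped edges once past the first level.
	all := map[Scope]bool{ScopeCompile: true, ScopeProvided: true, ScopeRuntime: true, ScopeTest: true}
	directAll := ScopePolicy{Direct: all, Transitive: map[Scope]bool{ScopeCompile: true}}
	fmt.Println("direct-all:", FilterDependencies(SampleGraph(), directAll))
}
```

With the issue body's flags the walk keeps guava, failureaccess, slf4j-api and jcl-over-slf4j; the direct-all policy additionally keeps servlet-api, junit and hamcrest while still dropping the transitive test dependency mockito and the transitive runtime dependency jcl-over-slf4j. Separating the direct and transitive scope sets is what lets one filter serve both requests.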
What happened: Not able to find any support to decide or exclude what scope to be included for scanning.
What you expected to happen:
Support like how we have in Maven arguments -DincludeCompileScope=true -DincludeProvidedScope=false -DincludeRuntimeScope=true -DincludeTestScope=false
Steps to reproduce the issue:
Anything else we need to know?:
Environment:
syft version: release tag='v1.11.0' version='1.11.0' os='linux' arch='amd64'
OS (e.g. cat /etc/os-release or similar):