Include option to exclude some maven test dependencies from the build-info #1893

Open
shashwathrai opened this issue Apr 2, 2023 · 4 comments
Labels
feature request New feature or request

Comments

@shashwathrai

Is your feature request related to a problem? Please describe.
Include an option to exclude some Maven dependencies based on scope (e.g. test) from the build-info being pushed to Artifactory.

Describe the solution you'd like to see
We would like to have an option in jfrog-cli to exclude Maven test dependencies from the build-info.

Describe alternatives you've considered
NA

Additional context
NA

@shashwathrai shashwathrai added the feature request New feature or request label Apr 2, 2023
@shashwathrai shashwathrai changed the title Option to exclude some maven dependencies based on scope(Eg: test) from the build-info Option to exclude some maven test dependencies from the build-info Apr 2, 2023
@shashwathrai shashwathrai changed the title Option to exclude some maven test dependencies from the build-info Include option to exclude some maven test dependencies from the build-info Apr 2, 2023
@yahavi
Member

yahavi commented Apr 13, 2023

Hi @shashwathrai,
Thanks for using the JFrog CLI.

The build-info represents the actual status of the build and therefore excluding information from it would impact its reliability.
What is the reason you'd like to achieve this goal?

@wilvdb

wilvdb commented Mar 28, 2024

We have the same need. Our customers don't want to get security violations from xray scanning (jfrog build-scan) on test dependencies.

@Hurz

Hurz commented Oct 18, 2024

We run into the same problem. We want to provide a build info for our SAAS components in Artifactory and the result of the JFrog CLI Build information contains test dependencies even when the test compile is skipped with the Maven parameter "-Dmaven.test.skip=true". The result can therefore not be used to create an SBOM through Artifactory for a deliverable artifact.

In addition, we want to know security implications of our deliverables in our SAAS context. Test components are a nice to know but should not let our builds fail. With an option to enable or disable test components we could separate such information.

Another addition is that the build info also lists provided components. It should be an option to skip those as well. Example: We want to create an SBOM for a customer that gets some kind of deliverable. It should only contain artifacts that are actually delivered and not parts that are part of the customer's existing infrastructure / runtime.

@Maetis

Maetis commented Jan 17, 2025

Like @wilvdb's customers, our developers don't want their builds to fail because of security issues in test dependencies.
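
One way to get the separation the comments above ask for while leaving the build-info itself complete, added here as an illustrative example that is not part of the thread or of JFrog CLI: partition the recorded dependencies by Maven scope, so delivered components can gate the build or feed an SBOM and test/provided-only ones are reported separately. The `modules[].dependencies[].scopes` layout, the sample data and the function name are assumptions.

```python
import json

# Maven scopes treated as not shipped with the deliverable
# (assumption taken from the thread: test and provided).
NON_DELIVERED_SCOPES = {"test", "provided"}

# Constructed sample; assumes the layout modules[].dependencies[].scopes.
SAMPLE_BUILD_INFO = json.loads("""
{
  "name": "example-build", "number": "1",
  "modules": [{
    "id": "com.example:app:1.0.0",
    "dependencies": [
      {"id": "com.example:core-lib:2.1.0", "scopes": ["compile"]},
      {"id": "com.example:servlet-api:4.0.0", "scopes": ["provided"]},
      {"id": "com.example:test-kit:5.9.0", "scopes": ["test"]},
      {"id": "com.example:shared-util:1.3.0", "scopes": ["test", "compile"]},
      {"id": "com.example:no-scope:0.1.0"}
    ]
  }]
}
""")


def partition_dependencies(build_info, non_delivered=NON_DELIVERED_SCOPES):
    """Return (delivered_ids, non_delivered_ids); build_info is not modified.

    A dependency is non-delivered only if every scope it carries is in
    `non_delivered`. Missing or empty scopes count as delivered, so an
    unlabelled component is never silently dropped from policy checks.
    """
    delivered, excluded = set(), set()
    for module in build_info.get("modules", []):
        for dep in module.get("dependencies", []):
            scopes = {s.lower() for s in dep.get("scopes") or []}
            only_non_delivered = bool(scopes) and scopes <= set(non_delivered)
            (excluded if only_non_delivered else delivered).add(dep["id"])
    # A dependency delivered by any module stays in scope for policy checks.
    excluded -= delivered
    return sorted(delivered), sorted(excluded)


if __name__ == "__main__":
    shipped, not_shipped = partition_dependencies(SAMPLE_BUILD_INFO)
    print("delivered (gate the build / SBOM):", shipped)
    print("test/provided only (report separately):", not_shipped)
```
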
