jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Need to scan dev packages in composer.lock #7095

Open mlw157 opened 1 week ago

mlw157 commented 1 week ago

Is your feature request related to a problem? Please describe. There are a few projects I'm working on where it's important to be able to scan development packages in composer files (packages-dev array), but dependency check currently only parses packages in the packages array.

Describe the solution you'd like A possible flag or argument that could be passed that enables the packages-dev array to be parsed by dependency check.

Describe alternatives you've considered A possible work-around is, after using checkout, modifying the composer.lock file to rename packages-dev to packages, which will make dependency check scan it.

jeremylong commented 4 days ago

Likely need to update the composer analyzer to scan the dev dependencies and add a flag to skip the dev dependencies.
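The two comments above describe the same change from both sides: read the packages-dev array of composer.lock in addition to packages, and offer a flag to leave dev dependencies out. The following is an added illustration of that parsing logic, not dependency-check's own composer analyzer or any code from this thread. The composer.lock content is a constructed sample, the skip_dev parameter name is hypothetical, and the output is expressed as Package URLs (pkg:composer/...) since that is the form a software composition analysis tool would hand to a vulnerability lookup.

```python
import json

# Constructed sample composer.lock (not taken from any real project): one
# runtime dependency under "packages" and one development-only dependency
# under "packages-dev", the two arrays the issue is about.
SAMPLE_COMPOSER_LOCK = """
{
  "packages": [
    {"name": "monolog/monolog", "version": "2.3.5", "type": "library"}
  ],
  "packages-dev": [
    {"name": "phpunit/phpunit", "version": "v9.5.10", "type": "library"}
  ]
}
"""


def parse_composer_lock(text, skip_dev=False):
    """Return (name, version, scope) tuples from the text of a composer.lock.

    scope is "runtime" for entries in "packages" and "dev" for entries in
    "packages-dev". With skip_dev=True (hypothetical name for the opt-out
    flag proposed in the thread) the "packages-dev" array is not read.
    """
    lock = json.loads(text)
    sections = [("packages", "runtime")]
    if not skip_dev:
        sections.append(("packages-dev", "dev"))

    found = []
    for key, scope in sections:
        # A lock file may omit either array entirely; treat that as empty.
        for entry in lock.get(key) or []:
            name = entry.get("name")
            version = entry.get("version")
            if not name or not version:
                # Malformed entry: skip it instead of aborting the whole scan,
                # so one bad record does not hide every other finding.
                continue
            # Composer tags often carry a leading "v" (e.g. "v9.5.10");
            # strip it so the version lines up with CPE/purl style lookups.
            found.append((name, version.lstrip("v"), scope))
    return found


def to_purls(deps):
    """Map parsed entries to Package URL strings: pkg:composer/<vendor>/<name>@<version>."""
    return ["pkg:composer/%s@%s" % (name, version) for name, version, _ in deps]


if __name__ == "__main__":
    for scope_flag in (False, True):
        deps = parse_composer_lock(SAMPLE_COMPOSER_LOCK, skip_dev=scope_flag)
        print("skip_dev=%s:" % scope_flag)
        for name, version, scope in deps:
            print("  %-20s %-8s %s" % (name, version, scope))
        print("  purls:", to_purls(deps))
```

Keeping the scope on each entry matters for triage: a finding in a packages-dev package (a test runner, a static analyser) usually does not ship to production, so a report that labels it "dev" lets a reviewer prioritise it differently from a runtime library without suppressing it outright.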