Scanning Development Dependencies - Unified Agent
By default, the Mend scanning agents, such as the Unified Agent and the repository integrations, do not detect development dependencies. Many developers consider security alerts from these dependencies to be noise, as they are not typically deployed to a production environment where they could be exploited.
However, when scanning with the Unified Agent (in a pipeline or on your local machine), you can set the following environment variables to enable development dependency detection for all package managers:
WS_MAVEN_IGNOREDSCOPES=none
WS_GRADLE_INCLUDEMODULES=*
WS_NPM_INCLUDEDEVDEPENDENCIES=true
WS_PYTHON_PIPENVDEVDEPENDENCIES=true
WS_PYTHON_INCLUDEPOETRYDEVDEPENDENCIES=true
WS_GO_GLIDE_IGNORETESTPACKAGES=false
WS_GO_MODULES_INCLUDETESTDEPENDENCIES=true
WS_SBT_INCLUDEDSCOPES=compile runtime test
WS_PHP_INCLUDEDEVDEPENDENCIES=true
WS_OCAML_IGNOREDSCOPES=none
Note: WS_GRADLE_INCLUDEMODULES and WS_SBT_INCLUDEDSCOPES should be customized to your own modules and scopes; the values shown above are placeholders.
Alternatively, for the repository integrations, set the configMode parameter in your scanSettings to either LOCAL or EXTERNAL and point it to a whitesource.config file containing the following lines (for local scans with a config file, simply add these lines to your config):
maven.ignoredScopes=none
gradle.includeModules=*
npm.includeDevDependencies=true
python.pipenvDevDependencies=true
python.includePoetryDevDependencies=true
go.glide.ignoreTestPackages=false
go.modules.includeTestDependencies=true
sbt.includedScopes=compile runtime test
php.includeDevDependencies=true
ocaml.ignoredScopes=none
Note: gradle.includeModules and sbt.includedScopes should be customized to your own modules and scopes; the values shown above are placeholders.