Scanning Development Dependencies - Unified Agent

By default, Mend scanning agents, such as the Unified Agent and the Repository integrations, do not detect development dependencies. Many developers consider security alerts from these dependencies to be noise, because they are not typically deployed in a production environment where an exploit can occur.

However, when scanning with the Unified Agent (in a pipeline or on your local machine), you can add the following environment variables to enable development dependency detection for all package managers:

WS_MAVEN_IGNOREDSCOPES=none
WS_GRADLE_INCLUDEMODULES=*
WS_NPM_INCLUDEDEVDEPENDENCIES=true
WS_PYTHON_PIPENVDEVDEPENDENCIES=true
WS_PYTHON_INCLUDEPOETRYDEVDEPENDENCIES=true
WS_GO_GLIDE_IGNORETESTPACKAGES=false
WS_GO_MODULES_INCLUDETESTDEPENDENCIES=true
WS_SBT_INCLUDEDSCOPES=compile runtime test
WS_PHP_INCLUDEDEVDEPENDENCIES=true
WS_OCAML_IGNOREDSCOPES=none

Note: WS_GRADLE_INCLUDEMODULES and WS_SBT_INCLUDEDSCOPES are shown above with placeholder values; customize them based on your scopes.

Alternatively, for the repository integrations, set the configMode parameter in your scanSettings to either LOCAL or EXTERNAL and point to a whitesource.config file containing the following lines (for local scans with a config file, simply add these lines to your config):

maven.ignoredScopes=none
gradle.includeModules=*
npm.includeDevDependencies=true
python.pipenvDevDependencies=true
python.includePoetryDevDependencies=true
go.glide.ignoreTestPackages=false
go.modules.includeTestDependencies=true
sbt.includedScopes=compile runtime test
php.includeDevDependencies=true
ocaml.ignoredScopes=none

Note: gradle.includeModules and sbt.includedScopes are shown above with placeholder values; customize them based on your scopes.
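
As an added example (not Mend's code), the following Python check audits a whitesource.config file or a set of environment variables against the ten settings listed on this page. The helper names and the sample config are constructed for illustration, and the `WS_` name mapping is inferred from the two lists above.

```python
# Added example: the ten settings on this page, keyed by whitesource.config name.
# None marks the two values the page calls placeholders. Helper names are illustrative.
DEV_DEP_SETTINGS = {
    "maven.ignoredScopes": "none",
    "gradle.includeModules": None,
    "npm.includeDevDependencies": "true",
    "python.pipenvDevDependencies": "true",
    "python.includePoetryDevDependencies": "true",
    "go.glide.ignoreTestPackages": "false",
    "go.modules.includeTestDependencies": "true",
    "sbt.includedScopes": None,
    "php.includeDevDependencies": "true",
    "ocaml.ignoredScopes": "none",
}

def env_name(key):
    """maven.ignoredScopes -> WS_MAVEN_IGNOREDSCOPES, as in the page's two lists."""
    return "WS_" + key.upper().replace(".", "_")

def parse_config(text):
    """Parse key=value lines, skipping blanks and '#' comments; last value wins."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not key.lstrip().startswith("#"):
            found[key.strip()] = value.strip()
    return found

def audit(found, use_env_names=False):
    """Return {name: problem} for each setting missing or unlike the page's value."""
    problems = {}
    for key, expected in DEV_DEP_SETTINGS.items():
        name = env_name(key) if use_env_names else key
        value = found.get(name)
        if not value:
            problems[name] = "missing"
        elif expected is not None and value != expected:
            problems[name] = f"is {value!r}, expected {expected!r}"
    return problems

# Constructed sample config for illustration, not taken from a real project.
SAMPLE = """# whitesource.config (excerpt)
maven.ignoredScopes=none
gradle.includeModules=app core
npm.includeDevDependencies=false
"""

if __name__ == "__main__":
    print(audit(parse_config(SAMPLE)))
```

To audit a pipeline's environment instead of a file, call `audit(dict(os.environ), use_env_names=True)` after importing `os`.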
