This sounds like a very good enhancement @lossurdo.
It seems to me there is a possibility that a test dependency gets hijacked and results in executing malicious code of some sort during test runs, so this information would probably be good to include by default.
But adding a flag to the Java cataloger to only include "packaged" dependencies or something of the sort might be fairly straightforward. Would this accomplish what you are looking for?
- If scanning a jar that has an embedded pom.xml, we would assume this is a runtime dependency and exclude test, provided, and maybe more.
- If scanning source, we probably want to include test dependencies because these will be executed while running tests; perhaps we add a flag to omit these.
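The two scanning modes described above (packaged artifact with an embedded pom.xml versus a source tree) come down to filtering the `<dependency>` entries of a POM by Maven scope. The following is an added, stand-alone Python example illustrating that filtering; it is not syft's cataloger code and makes no claim about how syft parses POMs. The `SAMPLE_POM` document, the artifact names and the version strings in it are constructed for the example, and the `source_scan` flag stands in for the hypothetical cataloger option discussed in the thread.

```python
"""Filter Maven pom.xml dependencies by scope (added example, not syft code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Maven scopes whose artifacts are NOT shipped inside the final jar/war.
# "test" and "provided" are the two named in the thread; the set is the
# single place to extend if other scopes should be treated the same way.
NON_PACKAGED_SCOPES = frozenset({"test", "provided"})


@dataclass(frozen=True)
class Dependency:
    group_id: str
    artifact_id: str
    version: str
    scope: str  # Maven defaults an omitted <scope> to "compile"


def parse_dependencies(pom_xml: str) -> list[Dependency]:
    """Return every <dependency> under <project><dependencies>, default scope applied."""
    root = ET.fromstring(pom_xml)
    # A POM may or may not declare the default namespace; derive it from the
    # root tag so both forms parse instead of silently yielding no matches.
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""

    def q(tag: str) -> str:
        return f"{{{ns}}}{tag}" if ns else tag

    def child_text(node: ET.Element, tag: str, default: str = "") -> str:
        el = node.find(q(tag))
        return el.text.strip() if el is not None and el.text else default

    deps_node = root.find(q("dependencies"))
    if deps_node is None:
        return []
    return [
        Dependency(
            group_id=child_text(dep, "groupId"),
            artifact_id=child_text(dep, "artifactId"),
            version=child_text(dep, "version"),
            scope=child_text(dep, "scope", default="compile"),
        )
        for dep in deps_node.findall(q("dependency"))
    ]


def select_dependencies(deps: list[Dependency], source_scan: bool) -> list[Dependency]:
    """Apply the policy from the thread.

    source_scan=True  -> keep everything: test-scoped code runs during builds,
                         so a hijacked test dependency is still a risk there.
    source_scan=False -> the input is a packaged jar/war, so drop the scopes
                         that never end up inside the artifact.
    """
    if source_scan:
        return list(deps)
    return [d for d in deps if d.scope not in NON_PACKAGED_SCOPES]


# Constructed sample POM: names and versions are illustrative only.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>sample-app</artifactId>
  <version>0.0.1-SAMPLE</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.x-SAMPLE</version>
    </dependency>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>javax.servlet-api</artifactId>
      <version>4.x-SAMPLE</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.x-SAMPLE</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.x-SAMPLE</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    all_deps = parse_dependencies(SAMPLE_POM)
    for mode in (True, False):
        kept = select_dependencies(all_deps, source_scan=mode)
        label = "source scan" if mode else "packaged artifact"
        print(f"{label}: {[d.artifact_id for d in kept]}")
```

Run stand-alone it prints the four artifacts for the source-scan mode and only `commons-lang3` for the packaged-artifact mode, which is the difference the thread is asking the cataloger to expose. Parsing the namespace off the root tag matters in practice: many real POMs declare `xmlns`, some hand-written ones do not, and a namespaced lookup against a plain POM returns nothing rather than failing loudly.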
What would you like to be added:
Some way to ignore Java test dependencies like this vulnerable-legacy log4j:
Why is this needed:
Test libs are not packaged in the final JAR/WAR file. Scope "provided" is not packaged either.
Additional context:
Grype reporting log4j test libs: