enhancement(report): include/exclude dev deps in analyzers

[DmitriyLewen]

Description

We detect all dependencies and exclude dev dependencies in scanner.
This worked well.
But we added test scope for pom.xml files - #7414.
And this is a problem for pom.xml files, because pom.xml file can contain many dependencies, and users always expect all dependencies to be parsed, even if --iclude-dev-deps flag is missing.
More details - #7466

We used this logic to avoid splitting caches.
But --icnlude-dev-deps flag is only available for fs mode. We use memore cache for fs mode, so this is not problem.

So we need to include/exclude dev deps in analyzers.

Discussed in #7466

[knqyf263]

I don't think it's a bug, but an enhancement.

[coheigea]

Hello,

As I commented on #7484, 2d97700 introduced a regression in that it is flagging CVEs in test dependencies by default with no way to turn it off.

[knqyf263]

As I commented on #7484, 2d97700 introduced a regression in that it is flagging CVEs in test dependencies by default with no way to turn it off.

It's weird. Test dependencies should not be shown unless --include-dev-deps is passed.
@DmitriyLewen Do you know anything?

[DmitriyLewen]

Yeah, i also found this problem.
I made a mistake and didn't mark the child dependencies of test dependency as Dev.

I added fix for that in #7484 (see dba9f9f)

[knqyf263]

I think that bugfix should be another PR and backported to v0.55.1, while excluding them in analyzers is an enhancement.

[DmitriyLewen]

despite this being an improvement - i would also suggest adding #7484 to the backport, because the speed of Trivy for pom.xml files is now significantly lower than in the previous version.

I think that bugfix should be another PR

I am creating new PR

[DmitriyLewen]

@knqyf263 Created #7486

[knqyf263]

#7484 needs some time to review as it is not a small change. We may want to revert the change and cut v0.55.1.

[DmitriyLewen]

Looks like you are right...

[knqyf263]

I am afraid of merging fixes in a hurry and causing new problems, so it is better to revert once and add fixes carefully, IMHO.

[DmitriyLewen]

Yes. You are right. Rushing can create more bugs.
I created #7488 to revert #7414.

[DmitriyLewen]

Hello @coheigea
We have decided to roll back the changes and release v0.55.1

We will try to fix all the issues related to this and bring this functionality back in version v0.56.0.