-
Notifications
You must be signed in to change notification settings - Fork 600
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ignoring Java test dependencies #985
Comments
This sounds like a very good enhancement @lossurdo. It seems to me there is a possibility that a test dependency gets hijacked and results in executing malicious code of some sort during test runs, so this information would probably be good to include by default. But adding a flag to the Java cataloger to only include "packaged" dependencies or something of the sort might be fairly straightforward. Would this accomplish what you are looking for? |
I think what we might like to do here is:
cc: @wagoodman |
Hi @kzantow! Maybe something like this on Grype ignoring YAML: ignore:
- pom:
scope: test
ignore:
- pom:
scope: provided No matter if |
What would you like to be added:
Some way to ignore Java test dependencies like this vulnerable-legacy log4j:
Why is this needed:
Test libs are not packaged in final JAR/WAR file. Scope "provided" is not package too.
Additional context:
Grype reporting log4j test libs:
The text was updated successfully, but these errors were encountered: