refactor: include/exclude dev deps in analyzers

pkg/commands/artifact/run.go

@@ -563,6 +563,7 @@ func (r *runner) initScannerConfig(opts flag.Options) (ScannerConfig, types.Scan
 			AWSEndpoint:       opts.Endpoint,
 			FileChecksum:      fileChecksum,
 			DetectionPriority: opts.DetectionPriority,
+			IncludeDevDeps:    opts.IncludeDevDeps,
 
 			// For image scanning
 			ImageOption: ftypes.ImageOptions{

pkg/dependency/parser/nodejs/npm/parse.go

@@ -52,12 +52,14 @@ type Package struct {
 }
 
 type Parser struct {
-	logger *log.Logger
+	logger         *log.Logger
+	includeDevDeps bool
 }
 
-func NewParser() *Parser {
+func NewParser(includeDevDeps bool) *Parser {
 	return &Parser{
-		logger: log.WithPrefix("npm"),
+		logger:         log.WithPrefix("npm"),
+		includeDevDeps: includeDevDeps,
 	}
 }
 
@@ -108,6 +110,11 @@ func (p *Parser) parseV2(packages map[string]Package) ([]ftypes.Package, []ftype
 			continue
 		}
 
+		// Skip `Dev` dependencies if `--include-dev-deps` flag is not present
+		if pkg.Dev && !p.includeDevDeps {
+			continue
+		}
+
 		// pkg.Name exists when package name != folder name
 		pkgName := pkg.Name
 		if pkgName == "" {
@@ -290,6 +297,11 @@ func (p *Parser) parseV1(dependencies map[string]Dependency, versions map[string
 	var pkgs []ftypes.Package
 	var deps []ftypes.Dependency
 	for pkgName, dep := range dependencies {
+		// Skip `Dev` dependencies if `--include-dev-deps` flag is not present
+		if dep.Dev && !p.includeDevDeps {
+			continue
+		}
+
 		pkg := ftypes.Package{
 			ID:           packageID(pkgName, dep.Version),
 			Name:         pkgName,

pkg/dependency/parser/nodejs/npm/parse_test.go

@@ -12,46 +12,74 @@ import (
 
 func TestParse(t *testing.T) {
 	tests := []struct {
-		name     string
-		file     string // Test input file
-		want     []ftypes.Package
-		wantDeps []ftypes.Dependency
+		name           string
+		file           string // Test input file
+		includeDevDeps bool
+		want           []ftypes.Package
+		wantDeps       []ftypes.Dependency
 	}{
 		{
-			name:     "lock version v1",
-			file:     "testdata/package-lock_v1.json",
-			want:     npmV1Pkgs,
-			wantDeps: npmDeps,
+			name:           "lock version v1",
+			file:           "testdata/package-lock_v1.json",
+			includeDevDeps: true,
+			want:           npmV1Pkgs,
+			wantDeps:       npmDeps,
 		},
 		{
-			name:     "lock version v2",
-			file:     "testdata/package-lock_v2.json",
-			want:     npmV2Pkgs,
-			wantDeps: npmDeps,
+			name:           "lock version v1. Exclude Dev deps",
+			file:           "testdata/package-lock_v1.json",
+			includeDevDeps: false,
+			want:           npmV1PkgsExcludeDev,
+			wantDeps:       npmDepsExcludeDev,
 		},
 		{
-			name:     "lock version v3",
-			file:     "testdata/package-lock_v3.json",
-			want:     npmV2Pkgs,
-			wantDeps: npmDeps,
+			name:           "lock version v2",
+			file:           "testdata/package-lock_v2.json",
+			includeDevDeps: true,
+			want:           npmV2Pkgs,
+			wantDeps:       npmDeps,
 		},
 		{
-			name:     "lock version v3 with workspace",
-			file:     "testdata/package-lock_v3_with_workspace.json",
-			want:     npmV3WithWorkspacePkgs,
-			wantDeps: npmV3WithWorkspaceDeps,
+			name:           "lock version v3",
+			file:           "testdata/package-lock_v3.json",
+			includeDevDeps: true,
+			want:           npmV2Pkgs,
+			wantDeps:       npmDeps,
 		},
 		{
-			name:     "lock file v3 contains same dev and non-dev dependencies",
-			file:     "testdata/package-lock_v3_with-same-dev-and-non-dev.json",
-			want:     npmV3WithSameDevAndNonDevPkgs,
-			wantDeps: npmV3WithSameDevAndNonDevDeps,
+			name:           "lock version v3. Exclude Dev deps",
+			file:           "testdata/package-lock_v3.json",
+			includeDevDeps: false,
+			want:           npmV2PkgsExcludeDev,
+			wantDeps:       npmV2DepsExcludeDev,
 		},
 		{
-			name:     "lock version v3 with workspace and without direct deps field",
-			file:     "testdata/package-lock_v3_without_root_deps_field.json",
-			want:     npmV3WithoutRootDepsField,
-			wantDeps: npmV3WithoutRootDepsFieldDeps,
+			name:           "lock version v3 with workspace",
+			file:           "testdata/package-lock_v3_with_workspace.json",
+			includeDevDeps: true,
+			want:           npmV3WithWorkspacePkgs,
+			wantDeps:       npmV3WithWorkspaceDeps,
+		},
+		{
+			name:           "lock file v3 contains same dev and non-dev dependencies",
+			file:           "testdata/package-lock_v3_with-same-dev-and-non-dev.json",
+			includeDevDeps: true,
+			want:           npmV3WithSameDevAndNonDevPkgs,
+			wantDeps:       npmV3WithSameDevAndNonDevDeps,
+		},
+		{
+			name:           "lock file v3 contains same dev and non-dev dependencies. Exclude Dev deps",
+			file:           "testdata/package-lock_v3_with-same-dev-and-non-dev.json",
+			includeDevDeps: false,
+			want:           npmV3WithSameDevAndNonDevPkgsExcludeDev,
+			wantDeps:       nil,
+		},
+		{
+			name:           "lock version v3 with workspace and without direct deps field",
+			file:           "testdata/package-lock_v3_without_root_deps_field.json",
+			includeDevDeps: true,
+			want:           npmV3WithoutRootDepsField,
+			wantDeps:       npmV3WithoutRootDepsFieldDeps,
 		},
 		{
 			name:     "lock version v3 with broken link",
@@ -66,7 +94,7 @@ func TestParse(t *testing.T) {
 			f, err := os.Open(tt.file)
 			require.NoError(t, err)
 
-			got, deps, err := NewParser().Parse(f)
+			got, deps, err := NewParser(tt.includeDevDeps).Parse(f)
 			require.NoError(t, err)
 
 			assert.Equal(t, tt.want, got)