* Support development dependencies for the Gradle detector
Lack of development dependency detection for Gradle is a problem for
Android teams, especially in the context of Component Governance
alerts. Unfortunately Gradle doesn't provide enough information to
definitively identify dev dependencies in all cases, so manual
configuration is required. This change adds dev dependency
classification through two mechanisms
1. `buildscript-gradle.lockfile` and `settings-gradle.lockfile`
contain only build-system dependencies, so always classify these as
development dependencies.
2. Processing based on two new environment variables:
`GRADLE_PROD_CONFIGURATIONS_REGEX` and
`GRADLE_DEV_CONFIGURATIONS_REGEX`. Gradle lockfiles indicate which
Gradle configuration(s) each dependency is required by.
`GRADLE_PROD_CONFIGURATIONS_REGEX` allows specifying
production configurations explicitly. All other configurations are
considered development. Alternately, dev configurations may be
specified in `GRADLE_DEV_CONFIGURATIONS_REGEX` and all others are
considered production.
* Changes based on meeting prior to the holidays
* fluent assertions
* Visual studio recommendations
* More fluent assertsions
* Fix test to be cross-platform
* Fix the cross-platform test fix
* Fix code coverage by removing dead code check
* Address code review comments
* Add a new detector: CondaComponentDetector
---------
Signed-off-by: Max Magorsch <maxmagorsch@microsoft.com>
Co-authored-by: Pawel <pjanowski@users.noreply.github.com>
James Oakley
Max Magorsch
amitla1
Daniel Frampton
Greg Villicana
Tom Fay
Teodor Voinea