Description
Hi there.
We have just started using your action (thanks for the work!) and have found a problem when used in some of our multi-module maven projects.
The logic here, https://github.com/advanced-security/maven-dependency-submission-action/blob/main/src/depgraph.ts#L226,

```typescript
function getDependencyScopeForMavenScope(mavenScopes: string[] | undefined | null): DependencyScope {
  // Once the API scopes are improved and expanded we should be able to perform better mapping here from Maven to cater for
  // provided, runtime, compile, test, system, etc... in the future.
  if (mavenScopes) {
    if (mavenScopes.includes('test')) { // <== THIS HERE SEEMS WRONG
      return 'development';
    }
  }
  // The default scope for now as we only have runtime and development currently
  return 'runtime';
}
```
does not seem quite right. In our case, we have some dependencies that have test scope for some modules but runtime for others; they are now being reported incorrectly as purely development-scoped dependencies to Dependabot, despite actually having runtime scope for some modules.
I would assume that the check there should be `if (mavenScopes.includes('test') && mavenScopes.length === 1) {`, or maybe reverse logic: if it does not contain some of the other scopes, it's inferred to be development?
Thanks in advance, Andreas
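The mapping quoted above beside a corrected version, run over a constructed multi-module case, as an added example that is not the action's own code; it generalises the reporter's `length === 1` suggestion to "every observed scope is test" so that duplicate test entries from several modules still map to development. The artifact names and scope lists are constructed, and the `DependencyScope` type is assumed to be the two-value union the quoted comments describe; the point for a defender is that a runtime dependency reported as development-only can cause Dependabot to under-prioritise alerts for it.

```typescript
// Added example (not the action's own code). DependencyScope is assumed to be
// the two-value union implied by the quoted comment "only runtime and development".
type DependencyScope = 'runtime' | 'development';

// Behaviour as quoted from depgraph.ts: any 'test' entry wins, so an artifact that
// is test-scoped in one module but runtime/compile in another becomes 'development'.
function scopeAsQuoted(mavenScopes: string[] | undefined | null): DependencyScope {
  if (mavenScopes) {
    if (mavenScopes.includes('test')) {
      return 'development';
    }
  }
  return 'runtime';
}

// Corrected mapping: 'development' only when every observed Maven scope is 'test'.
// This generalises the reporter's `includes('test') && length === 1` suggestion:
// ['test', 'test'] (test in two modules) still maps to development, while any
// non-test scope anywhere in the build keeps the dependency at runtime.
function scopeFixed(mavenScopes: string[] | undefined | null): DependencyScope {
  if (mavenScopes && mavenScopes.length > 0 && mavenScopes.every((s) => s === 'test')) {
    return 'development';
  }
  // Default as in the original: only runtime and development exist for now.
  return 'runtime';
}

// Constructed multi-module input: the same artifact observed with the scopes it
// has in each module of one build (the situation described in the issue).
const multiModuleScopes: Record<string, string[]> = {
  'junit:junit': ['test', 'test'],          // test in every module
  'com.example:util': ['test', 'compile'],  // test in one module, compile in another
  'org.slf4j:slf4j-api': ['runtime'],       // runtime only
};

// Returns [quoted result, fixed result] per artifact so the difference is visible.
function compareMappings(): Record<string, [DependencyScope, DependencyScope]> {
  const out: Record<string, [DependencyScope, DependencyScope]> = {};
  for (const [artifact, scopes] of Object.entries(multiModuleScopes)) {
    out[artifact] = [scopeAsQuoted(scopes), scopeFixed(scopes)];
  }
  return out;
}
```

`compareMappings()` shows `com.example:util` as `development` under the quoted logic but `runtime` under the corrected one, which is the misreport the issue describes.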