Dependency Scopes
A dependency has a scope of either runtime (that is, the dependency is required during application runtime) or non-runtime (it is not required during runtime). Depending on the value of the Report Non-Runtime Dependencies option in the scan profile, scan results can include just runtime dependencies or both runtime and non-runtime dependencies. (This option is available only when the scan profile is configured for first-level-dependency or transitive-dependency scans via the Dependency Support field.)
The scope of a reported dependency is shown in the Dependency Scope field listed in the inventory details on the Project Inventory tab and in the Analysis Workbench. The value of this field is either Runtime or Non-Runtime. This general scope designation is based on the ecosystem-specific scope with which the dependency is defined in the code.
See the following topics for more information:
• Current Code Insight Support for Dependency Scopes
• Gradle Dependency Scopes Supported by Code Insight
• Maven Dependency Scopes Supported by Code Insight
• NPM Dependency Scopes Supported by Code Insight
Current Code Insight Support for Dependency Scopes
Code Insight currently reports scopes only for dependencies found in the following manifest files for the given ecosystem. (Dependencies not found in these files show N/A for Dependency Scope.)
• build.gradle and build.gradle.kts files in Gradle Ecosystems
• .jar, pom.xml, and .pom files in Maven Ecosystems
• package.json, package-lock.json, or npm-shrinkwrap.json files in NPM Ecosystems
The next sections list the ecosystem-specific scopes with which dependencies found in these files can be defined and that the scan translates to the broader Runtime or Non-Runtime scope in the scan results. (The lists show only those scopes currently supported by Code Insight.)
Gradle Dependency Scopes Supported by Code Insight
The following list shows runtime and non-runtime Gradle-specific scopes with which dependencies found in a build.gradle or build.gradle.kts file can be defined. The Gradle scope for a given dependency is converted to the broader Runtime or Non-Runtime scope in the scan results.
Runtime Scopes: implementation api runtime runtimeOnly runtimeElements runtimeClasspath providedCompile providedRuntime default sourceSetRuntime sourceSetRuntimeOnly sourceSetRuntimeClasspath apk compile kapt classPath
Non-Runtime Scopes: compileOnlyApi compileOnly testImplementation testCompileOnly testRunTimeOnly compileOnlyApi apiElements compileClasspath testCompileClasspath testRuntimeClasspath annotationProcessor testCompile testRuntime sourceSetCompile sourceSetImplementation sourceSetCompileOnly sourceSetCompileClasspath sourceSetAnnotationProcessor provided testFixturesImplementation kaptAndroidTest kaptTest testAnnotationProcessor androidTestImplementation androidTestApi androidTestUtil EnforcedPlatform debugImplementation releaseImplementation androidTestImplementation androidTestCompile gradleApi gradleTestKit
Maven Dependency Scopes Supported by Code Insight
The following list shows runtime and non-runtime Maven-specific scopes with which dependencies found in a .jar, pom.xml, or .pom file can be defined. The Maven scope for a given dependency is converted to the broader Runtime or Non-Runtime scope in the scan results.
Runtime Scopes: compile provided runtime
Non-Runtime Scopes: test system import
Additional Notes About Maven Dependency Scopes
The following dependency behavior occurs during transitive scans (that is, scans whose scan profile is configured with the All Transitive Dependencies option).
• The scan reports dependencies from a dependency management tag with an import scope for a given pom.xml file. However, if these dependencies have dependencies from a dependency management tag in their respective pom.xml files, these next-level dependencies are not reported.
• Dependencies defined with the test scope for a given pom.xml file are reported. However, dependencies (also with a test scope) of these dependencies are not reported.
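The Maven mapping above can be checked against a pom.xml before a scan to see which declared dependencies fall under Non-Runtime and would therefore be absent from results when Report Non-Runtime Dependencies is off. The following is an added example, not Code Insight's own code: the function names and the sample pom are constructed, the fallback to compile for an omitted scope is Maven's default rather than something this page states, and the "Unknown" label for unlisted scopes is a placeholder. It reads only the dependencies declared in one file and does not resolve properties, parents, or transitive dependencies.

```python
import xml.etree.ElementTree as ET

# Maven scope -> general scope, copied from the lists above.
RUNTIME = {"compile", "provided", "runtime"}
NON_RUNTIME = {"test", "system", "import"}

# Constructed sample pom.xml (all coordinates are made up for illustration).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency><groupId>org.example</groupId><artifactId>platform-bom</artifactId>
      <version>1.0</version><type>pom</type><scope>import</scope></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>core</artifactId><version>2.1</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>servlet-api</artifactId>
      <version>4.0</version><scope>provided</scope></dependency>
    <dependency><groupId>org.example</groupId><artifactId>test-kit</artifactId>
      <version>5.0</version><scope>test</scope></dependency>
  </dependencies>
</project>"""

def local(tag):
    """Strip the XML namespace so poms with and without xmlns parse alike."""
    return tag.rsplit("}", 1)[-1]

def classify_pom(pom_text):
    """Map 'groupId:artifactId' to (maven_scope, general_scope) for each declared dependency."""
    result = {}
    for dep in ET.fromstring(pom_text).iter():
        if local(dep.tag) != "dependency":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in dep}
        # Assumption: Maven treats an omitted <scope> as compile.
        scope = fields.get("scope") or "compile"
        if scope in RUNTIME:
            general = "Runtime"
        elif scope in NON_RUNTIME:
            general = "Non-Runtime"
        else:
            general = "Unknown"  # placeholder: scope is not in the lists above
        result[f"{fields.get('groupId')}:{fields.get('artifactId')}"] = (scope, general)
    return result

def hidden_when_runtime_only(pom_text):
    """Dependencies that drop out of results when non-runtime reporting is off."""
    return sorted(k for k, (_, g) in classify_pom(pom_text).items() if g == "Non-Runtime")

if __name__ == "__main__":
    for name, (scope, general) in classify_pom(SAMPLE_POM).items():
        print(f"{name:28} {scope:9} {general}")
    print("Not reported in a runtime-only scan:", hidden_when_runtime_only(SAMPLE_POM))
```

For pom files from untrusted sources, parse with a hardened XML library such as defusedxml instead of xml.etree.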
NPM Dependency Scopes Supported by Code Insight
The following list shows runtime and non-runtime NPM-specific scopes with which dependencies can be defined. The NPM scope for a given dependency is converted to the broader Runtime or Non-Runtime scope in the scan results.
Runtime Scopes: dependencies bundled optional peer dependencies
Non-Runtime Scopes: devDependencies
Additional Note About NPM Dependency Scopes
If only the package.json file exists in the NPM ecosystem, transitive dependencies with a devDependencies scope are not reported during transitive scans (that is, scans whose profile is configured with the All Transitive Dependencies option). This behavior conforms to NPM ecosystem behavior.