Add support for multiple analysis tasks #484

@ThomGeG

Description

Hey all,

Off the back of the nightmare that was Shai Hulud, I'm interested in being able to set up two analysis tasks for my projects - one for all the runtime dependencies that will go to production and another for all the other dependencies that are used in the build process, the tests, etc.

The reason being that while my test-scoped dependencies (e.g. JUnit) may have issues (e.g. a data exfiltration issue or a ransomware attack), I really don't care if something has a potential DDoS exploit (it's only running on my build server). The plugin supports scanning both but only if done together.

I'm interested in splitting them up so I get two different reports, maybe apply different suppression files to each, and maybe fail the builds on the runtime dependencies having critical issues but not the tests. So far I haven't been bothering scanning the other dependencies because of how they'll be coupled like this.

The problem is that the plugin currently uses an extension to handle any/all configuration rather than task-level inputs/outputs:

```groovy
DependencyCheckExtension config = (DependencyCheckExtension) project.getExtensions().findByName('dependencyCheck')
```

You can register a 2nd analysis task, but you can't individually configure it to scan different configurations, use different suppression files, output to a different location, etc.

It seems like some of the configs could do with a migration from the extension into simple task inputs/outputs. Things like credentials and the NVD URL make sense to keep there, but some of the other stuff maybe not so much.

EDIT: The plugin would still want to pre-register a dependencyCheckAnalyze task for users, however we'd then be free to also register additional analysis tasks ourselves that do slightly different things like I'm describing.
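For context on the limitation described above, here is an added example (not from the issue author or the plugin project) of what the single extension can express today: one `dependencyCheckAnalyze` run restricted to the production classpath, with its own suppression file and a fail threshold. Configuration names (`scanConfigurations`, `suppressionFile`, `failBuildOnCVSS`, `outputDirectory`, `formats`) are the plugin's documented extension properties; the file paths and the CVSS value are assumed sample values. The point is that a second, differently configured run for `testRuntimeClasspath` has nowhere to live, because every `Analyze` task reads this same extension.

```groovy
// build.gradle (constructed example, not the plugin's own code)
plugins {
    id 'java'
    id 'org.owasp.dependencycheck'
}

// Single, project-wide configuration: every analysis task consults this block.
dependencyCheck {
    // Only what ships to production; build/test-only configurations are left out.
    scanConfigurations = ['runtimeClasspath']

    // Suppressions reviewed for production exposure (assumed path).
    suppressionFile = 'config/dependency-check/runtime-suppressions.xml'

    // Break the build on a critical finding in a shipping dependency (assumed threshold).
    failBuildOnCVSS = 9.0f

    outputDirectory = layout.buildDirectory.dir('reports/dependency-check/runtime').get().asFile.path
    formats = ['HTML', 'JSON']
}

// There is no second block to write here: a task for ['testRuntimeClasspath'] with a
// looser threshold and a different suppression file would need task-level inputs,
// which is what this issue asks for.
```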
