Use production runtime classpath for dependency checks

Author: Alex McAusland

src/main/java/uk/gov/hmcts/tools/DependencyCheckSetup.java

@@ -29,6 +29,8 @@
 
 public final class DependencyCheckSetup {
 
+    private static final String PRODUCTION_RUNTIME_CLASSPATH = "productionRuntimeClasspath";
+
     private DependencyCheckSetup() {
     }
 
@@ -69,7 +71,7 @@ public static void apply(Project project) {
 
         // Scan only runtime configurations by default.
         // This can be overridden in project build script if desired.
-        extension.getScanConfigurations().add("runtimeClasspath");
+        extension.getScanConfigurations().add(PRODUCTION_RUNTIME_CLASSPATH);
 
         extension.getFormats().add(Format.XML.name());
         Task cleaner = project.getTasks().create("cleanSuppressions");

src/test/groovy/uk.gov.hmcts/Test.groovy

@@ -1,10 +1,26 @@
 package uk.gov.hmcts
 
+import org.gradle.testfixtures.ProjectBuilder
+import org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension
 import spock.lang.Specification
+import uk.gov.hmcts.JavaPlugin
 import uk.gov.hmcts.tools.DependencyCheckSetup
 
 class Test extends Specification {
 
+    def "configures dependency check to scan production runtime classpath"() {
+        given:
+        def project = ProjectBuilder.builder().build()
+
+        when:
+        project.plugins.apply(JavaPlugin)
+        def extension = project.extensions.getByType(DependencyCheckExtension)
+
+        then:
+        extension.scanConfigurations.get() == ["productionRuntimeClasspath"]
+        extension.skipTestGroups.get()
+    }
+
     def "extracts set of CVEs from suppression report"() {
         given:
         def xml = this.getClass().getResource('/dependency_checker_report_for_redundant_suppressions.xml').text