Hi,

in the scope of issue #35436, it happened that the runtimeClasspath configuration contains the testAndDevelopmentOnly configuration in its hierarchy. It is probably not on purpose as production configuration should not include testing or development configuration.

By the way, it breaks the dependency check scan of the runtimeClasspath configuration when it tries to skip test configurations (issue https://github.com/dependency-check/dependency-check-gradle/issues/410).

Comment From: wilkinsona

This is intentional as the dependencies are intended to be available at runtime during development (for example when running your application's main method) and when running the application's tests. We use a separate configuration (rather than runtimeOnly or similar) so that the dependencies can then be filtered out of the classpath that's used in production – such as those used by bootJar and bootWar.

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: holubec-petr

Thank you for the explanation.

So the main issue in our project is probably using the runtimeClasspath configuration for the vulnerability scanning.

Can you suggest a configuration provided by the Spring Boot Gradle plugin that best suits this purpose? I found that the productionRuntimeClasspath configuration is created by the plugin and does not contain dev and test dependencies (described here).

Comment From: wilkinsona

Yes, it sounds like productionRuntimeClasspath is the configuration that best meets your needs.
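
As an added example (not code from the thread participants or from the Spring Boot project): a Groovy `build.gradle` fragment that points the dependency-check scan at `productionRuntimeClasspath`, plus a helper task that lists what `runtimeClasspath` carries beyond it. It assumes the Spring Boot plugin and the `org.owasp.dependencycheck` plugin are already applied in the build; the task name `devOnlyRuntimeDeps` is hypothetical.

```groovy
// build.gradle (Groovy DSL) fragment.
// Assumption: the Spring Boot and org.owasp.dependencycheck plugins are
// already applied in the plugins { } block of this build.

dependencyCheck {
    // Scan the classpath that bootJar/bootWar package, instead of
    // runtimeClasspath, which also extends testAndDevelopmentOnly.
    // scanConfigurations is mutually exclusive with skipConfigurations.
    scanConfigurations = ['productionRuntimeClasspath']
}

// Hypothetical helper task: prints the modules that are resolved on
// runtimeClasspath but not on productionRuntimeClasspath, i.e. the
// dependencies that the scan above no longer covers.
tasks.register('devOnlyRuntimeDeps') {
    group = 'verification'
    description = 'Lists modules on runtimeClasspath that are absent from productionRuntimeClasspath.'
    doLast {
        // Collect "group:name:version" coordinates for a resolved configuration.
        def coordinates = { String configurationName ->
            configurations.getByName(configurationName)
                .resolvedConfiguration
                .resolvedArtifacts
                .collect { it.moduleVersion.id.toString() } as Set
        }

        def full = coordinates('runtimeClasspath')
        def production = coordinates('productionRuntimeClasspath')
        def excluded = (full - production).sort()

        if (excluded.isEmpty()) {
            println 'runtimeClasspath and productionRuntimeClasspath resolve to the same modules.'
        } else {
            println 'On runtimeClasspath only (not packaged, not scanned):'
            excluded.each { println "  ${it}" }
        }
    }
}
```

Running `gradle devOnlyRuntimeDeps` before switching the scan target shows which development and test dependencies fall out of the report, so they can be covered by a separate scan if needed.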