Use maven dependency analyzer to set scope automatically

[prabhu]

maven-dependency-analyzer use .class based analysis to classify packages into few used, untest and test sets.
This is then used to set the component scope to required or optional.

The idea is that this information could then be used by tools such as depscan to prioritize vulnerabilities based on the scope.

Key logic (excluding all glue code) is shown below:

// Is the artifact used?
if (usedDeclaredArtifacts.contains(artifact) || usedUndeclaredArtifacts.contains(artifact)) {
    return Component.Scope.REQUIRED;
}
// Is the artifact unused or test?
if (unusedDeclaredArtifacts.contains(artifact) || testArtifactsWithNonTestScope.contains(artifact)) {
    return Component.Scope.OPTIONAL;
}
return null;

[stevespringett]

Thanks for the quality PR!

Is this ready to merge on your end or do you think there's more to add prior to merge and release?

[prabhu]

Thank you @stevespringett! This is ready and tested with few apps.

[prabhu]

Thanks for merging and releasing this PR! Below is a screenshot from the latest depscan that makes use of the builtin scope.

As we can see, for the test HelloShiftLeft project, only 5 out of 59 findings needs action. This kind of filtering should help the community with VM and prioritization effort.