Documentation says 'runtime artifacts are not bundled in distribution' ?

[mehradn7]

Hello,

The documentation of the Maven plugin (https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html) says (Example 4):

Create the dependency-check-report.html and skip artifacts not bundled in distribution (Provided and Runtime scope).

to demonstrate the <skipRuntimeScope>true</skipRuntimeScope> configuration option.

But is it true that a Maven dependency declared with scope "runtime" will not be bundled in distribution ? E.g. as far as I know, the spring-boot:repackage plugin goal bundles a JAR with runtime artifacts included.

In such case, from a security prospective, wouldn't it be better not to suggest excluding runtime scope artifacts from the Dependency Check scan ?

Thank you for your answer.

Regards,

[aikebah]

Runtime scope is indeed usualky bundled... think we should update the docs