fix(java): don't ignore runtime scope for pom.xml files (aquasecurity#6223)

Author: DmitriyLewen

pkg/dependency/parser/java/pom/parse.go

@@ -381,7 +381,7 @@ func (p *parser) parseDependencies(deps []pomDependency, props map[string]string
 		// Resolve dependencies
 		d = d.Resolve(props, depManagement, rootDepManagement)
 
-		if (d.Scope != "" && d.Scope != "compile") || d.Optional {
+		if (d.Scope != "" && d.Scope != "compile" && d.Scope != "runtime") || d.Optional {
 			continue
 		}
 

pkg/dependency/parser/java/pom/parse_test.go

@@ -47,12 +47,24 @@ func TestPom_Parse(t *testing.T) {
 						},
 					},
 				},
+				{
+					ID:      "org.example:example-runtime:1.0.0",
+					Name:    "org.example:example-runtime",
+					Version: "1.0.0",
+					Locations: types.Locations{
+						{
+							StartLine: 37,
+							EndLine:   42,
+						},
+					},
+				},
 			},
 			wantDeps: []types.Dependency{
 				{
 					ID: "com.example:happy:1.0.0",
 					DependsOn: []string{
 						"org.example:example-api:1.7.30",
+						"org.example:example-runtime:1.0.0",
 					},
 				},
 			},
@@ -80,12 +92,24 @@ func TestPom_Parse(t *testing.T) {
 						},
 					},
 				},
+				{
+					ID:      "org.example:example-runtime:1.0.0",
+					Name:    "org.example:example-runtime",
+					Version: "1.0.0",
+					Locations: types.Locations{
+						{
+							StartLine: 37,
+							EndLine:   42,
+						},
+					},
+				},
 			},
 			wantDeps: []types.Dependency{
 				{
 					ID: "com.example:happy:1.0.0",
 					DependsOn: []string{
 						"org.example:example-api:1.7.30",
+						"org.example:example-runtime:1.0.0",
 					},
 				},
 			},

pkg/dependency/parser/java/pom/testdata/happy/pom.xml

@@ -34,6 +34,12 @@
             <artifactId>example-api</artifactId>
             <version>${api.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.example</groupId>
+            <artifactId>example-runtime</artifactId>
+            <version>1.0.0</version>
+            <scope>runtime</scope>
+        </dependency>
         <dependency>
             <groupId>org.example</groupId>
             <artifactId>example-provided</artifactId>