Replies: 2 comments
One example is a vulnerability in PHPUnit - RCE via HTTP POST (CVE-2017-9841). Even as a dev dependency, I can see scenarios where it could cause issues: running on a staging server, or running tests in CI/CD with another (vulnerable) package making the HTTP request, or using ngrok to create a temporary server. I'm not saying those scenarios are totally valid, but they are points we need to be careful about, even when using a dev dependency package.
Something to implement in the meantime is a warning that if the
Description
Trivy has the --include-dev-deps option. But it has no effect when scanning Composer lock files. This was identified as a result of this Q&A discussion.
Having an option in Trivy that has no effect in some package managers will give users a false sense of confidence that their environment is not subject to any security concerns.
Although security vulnerabilities in dev dependencies are more difficult for bad actors to leverage, they are not impossible.
Target: Filesystem
Scanner: Vulnerability
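A way to check for the gap the description and the PHPUnit comment describe, as an added example that is not Trivy's code and not part of the discussion: it parses the real composer.lock layout (the "packages" and "packages-dev" arrays) and compares it against a constructed list of package names a scanner reported, returning the dev dependencies the scan never covered. The lock file excerpt, package versions and scanner report are all constructed sample data.

```python
"""Report Composer dev dependencies that a scanner's package list omits."""
import json

# Constructed composer.lock excerpt: one runtime dependency plus PHPUnit
# packages under "packages-dev" (versions are arbitrary sample values).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "monolog/monolog", "version": "2.0.0"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.5.0"},
        {"name": "phpunit/php-code-coverage", "version": "9.2.0"},
    ],
})


def parse_composer_lock(text):
    """Return {name: (version, is_dev)} for every package in a composer.lock.

    Composer records runtime dependencies in "packages" and the
    require-dev set in "packages-dev"; both are lists of package objects.
    """
    data = json.loads(text)
    pkgs = {}
    for entry in data.get("packages", []):
        pkgs[entry["name"]] = (entry["version"], False)
    for entry in data.get("packages-dev", []):
        pkgs[entry["name"]] = (entry["version"], True)
    return pkgs


def unscanned_dev_packages(lock_text, scanned_names):
    """Dev packages locked in the project but absent from the scanner's
    list: the set a user would expect --include-dev-deps to cover."""
    pkgs = parse_composer_lock(lock_text)
    scanned = set(scanned_names)
    return sorted(name for name, (_, is_dev) in pkgs.items()
                  if is_dev and name not in scanned)


if __name__ == "__main__":
    # Constructed scanner output that listed only the runtime package.
    reported = ["monolog/monolog"]
    for name in unscanned_dev_packages(SAMPLE_LOCK, reported):
        print("dev dependency not covered by scan:", name)
```

Feed the function the package names from a scanner's JSON report to see which require-dev packages the scan silently skipped.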