Description
Is your feature request related to a problem? Please describe.
We filter out dev dependencies from the buildinfo in a postprocessing step after buildinfo is collected. This is because we are only interested in risk that is inherent in the systems run in production.
In order to be able to do this we rely on the dependency scope that all build tool integrations carry over from the respective sources (like the test or provided scope in Maven, or the dev scope in npm).
Poetry build integration does capture the scope of dev dependencies separate from runtime dependencies. Instead those dependencies are mixed together with runtime dependencies in the scope "transitive" for example.
Describe the solution you'd like to see
We want the poetry build integration to separate runtime and dev dependencies in the buildinfo, so that we can filter out any dependencies that are not runtime dependencies. With poetry this should be all groups except the main dependency group.
Describe alternatives you've considered
Currently we are unable to use the poetry integration and instead have to generate the buildinfo with pip based on a generated requirements.txt. This is time consuming and not accurate - so we want this fixed.
Additional context
See https://python-poetry.org/docs/managing-dependencies/ for dependency groups.
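The filtering the request describes, as an added illustration that is not part of the issue or of the project's own code: given the direct dependencies declared per Poetry group and the resolved graph from the lock file, each package is tagged with every group that reaches it, and only packages reachable from a runtime group (by default just `main`) are kept. The group names, package names and graph below are constructed sample data, and a package shared by `main` and a dev group is deliberately treated as runtime.

```python
from collections import deque

# Constructed sample: direct dependencies per Poetry group, as declared in
# pyproject.toml ([tool.poetry.dependencies] is the "main" group,
# [tool.poetry.group.<name>.dependencies] the others).
PYPROJECT_GROUPS = {
    "main": {"requests", "click"},
    "dev": {"pytest", "black"},
    "docs": {"sphinx"},
}

# Constructed sample: the resolved graph as poetry.lock records it,
# package -> packages it directly depends on.
LOCK_GRAPH = {
    "requests": {"urllib3", "certifi", "idna"},
    "click": set(),
    "pytest": {"pluggy", "packaging"},
    "black": {"click", "packaging"},     # click is also a main dependency
    "sphinx": {"docutils", "requests"},  # requests is also a main dependency
    "urllib3": set(), "certifi": set(), "idna": set(),
    "pluggy": set(), "packaging": set(), "docutils": set(),
}

def reachable(roots, graph):
    """Breadth-first walk: every package pulled in (transitively) by `roots`."""
    seen, queue = set(), deque(roots)
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(graph.get(pkg, ()))
    return seen

def classify(groups, graph):
    """Map each resolved package to the set of declared groups that reach it."""
    scopes = {}
    for group, roots in groups.items():
        for pkg in reachable(roots, graph):
            scopes.setdefault(pkg, set()).add(group)
    return scopes

def runtime_packages(groups, graph, runtime_groups=("main",)):
    """Packages that belong in the production buildinfo."""
    return {p for p, gs in classify(groups, graph).items() if gs & set(runtime_groups)}

def dev_only_packages(groups, graph, runtime_groups=("main",)):
    """Packages reachable only through non-runtime groups: the ones to filter out."""
    return set(classify(groups, graph)) - runtime_packages(groups, graph, runtime_groups)
```

Passing a different `runtime_groups` tuple keeps additional groups (for example `docs`) in the production set without touching the graph logic.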