Provided scope dependencies picked up in some cases but not others

[rootAvish]

Issue Overview

I am getting conflicting behavior around dependency resolution for the "provided" scope packages.

Expected Behaviour

Either the "provided" scope packages should be ignored in all cases or picked in all cases.

Current Behaviour

"Provided" scope packages are picked in some cases and ignored in others.

Steps To Reproduce

1. Generate stack report for: https://github.com/vaadin/dashboard-demo
   The "provided" scope dependency javax.servlet:javax.servlet-api is analyzed
2. Generate stack report for: https://github.com/mttkay/ignition
   The "provided" scope dependency com.google.android:android is not analyzed and neither unknown

/cc @samuzzal-choudhury

[stevengutz]

@GeorgeActon @samuzzal-choudhury Please stop changing the priorities. These are defined by/for the business and it looks like you are confusing then with severity. This particular defect has no significant bearing on the business so it is a P4

[samuzzal-choudhury]

@stevengutz I understand that a bug's priority has to be set to P2 if the team thinks that it has a business impact and requires a fix for that during a sprint. Whereas, I see severity as the parameter that defines the impact of the bug on an application's functionality and user experience. Correct me if I am wrong.

cc: @GeorgeActon @sivaavkd