Support Pipfile.lock in Dependency Scanning
Problem to solve
Add Pipfile.lock support to Dependency Scanning (Gemnasium analyzer), making it possible to scan Python projects whose dependencies cannot be installed in the context of the gemnasium-python Docker image.
Dependency Scanning is already compatible with Pipenv and can thus process the Pipfile of a Python project; this was introduced in gitlab-org/security-products/analyzers/gemnasium-python!6 (merged). But Pipenv compatibility is achieved by installing the project dependencies using pipenv, and the installation fails if gemnasium-python (the Docker image Gemnasium Python is based on) doesn't meet all the project requirements (system libraries, a specific version of Python, etc.). Later on, gitlab-org/security-products/analyzers/gemnasium-python!11 (merged) was introduced to mitigate this limitation, but it doesn't cover all the edge cases. cc @theoretick
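The alternative the issue proposes is to read the resolved versions straight out of Pipfile.lock, so that nothing has to be installed in the analyzer image. The following Go program is an added illustration of that approach and is not gemnasium's own parser: it reads a constructed Pipfile.lock (dummy hashes, made-up package names), collects every exactly pinned package from the default and develop sections with PEP 503 name normalization, separately reports entries that carry no version pin (VCS or path dependencies, which cannot be matched against an advisory database by version), and surfaces the interpreter version recorded under _meta.requires so the analyzer can report a Python-version mismatch instead of failing an install.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample Pipfile.lock for this example; hashes and the git URL are dummies.
const samplePipfileLock = `{
  "_meta": {
    "hash": {"sha256": "0000000000000000000000000000000000000000000000000000000000000000"},
    "pipfile-spec": 6,
    "requires": {"python_version": "3.11"},
    "sources": [{"name": "pypi", "url": "https://pypi.org/simple", "verify_ssl": true}]
  },
  "default": {
    "Requests": {"hashes": ["sha256:aaaa"], "index": "pypi", "version": "==2.31.0"},
    "urllib3": {"hashes": ["sha256:bbbb"], "markers": "python_version >= '3.7'", "version": "==2.0.7"},
    "internal_lib": {"git": "https://example.invalid/internal-lib.git", "ref": "abc123"}
  },
  "develop": {
    "pytest": {"hashes": ["sha256:cccc"], "index": "pypi", "version": "==7.4.3"}
  }
}`

// Dependency is one resolved, exactly pinned package from the lock file.
type Dependency struct {
	Name    string // PEP 503 normalized package name
	Version string // exact version with the "==" prefix removed
	Dev     bool   // true when the package comes from the "develop" section
}

// ScanResult is what a scanner needs from the lock file: pinned packages to
// match against advisories, unpinned entries it cannot match, and the
// interpreter version the lock was resolved for.
type ScanResult struct {
	PythonVersion string
	Dependencies  []Dependency
	Unpinned      []string
}

// lockfile mirrors only the parts of the Pipfile.lock format this example reads.
type lockfile struct {
	Meta struct {
		PipfileSpec int `json:"pipfile-spec"`
		Requires    struct {
			PythonVersion string `json:"python_version"`
		} `json:"requires"`
	} `json:"_meta"`
	Default map[string]lockEntry `json:"default"`
	Develop map[string]lockEntry `json:"develop"`
}

type lockEntry struct {
	Version string `json:"version"` // "==1.2.3" for index packages; absent for VCS/path deps
}

var nonNormalized = regexp.MustCompile(`[-_.]+`)

// NormalizeName applies PEP 503 normalization: lowercase, runs of "-", "_" and "." become "-".
func NormalizeName(name string) string {
	return strings.ToLower(nonNormalized.ReplaceAllString(name, "-"))
}

// ParsePipfileLock extracts dependencies without installing anything.
// Output order is deterministic so scan reports are stable across runs.
func ParsePipfileLock(data []byte) (*ScanResult, error) {
	var lock lockfile
	if err := json.Unmarshal(data, &lock); err != nil {
		return nil, fmt.Errorf("invalid Pipfile.lock: %w", err)
	}
	if lock.Meta.PipfileSpec == 0 {
		return nil, fmt.Errorf("invalid Pipfile.lock: missing _meta.pipfile-spec")
	}
	res := &ScanResult{PythonVersion: lock.Meta.Requires.PythonVersion}
	sections := []struct {
		entries map[string]lockEntry
		dev     bool
	}{{lock.Default, false}, {lock.Develop, true}}
	for _, s := range sections {
		for name, e := range s.entries {
			// Only an exact "==x.y.z" pin can be matched against an advisory range.
			if !strings.HasPrefix(e.Version, "==") || len(e.Version) == 2 {
				res.Unpinned = append(res.Unpinned, NormalizeName(name))
				continue
			}
			res.Dependencies = append(res.Dependencies, Dependency{
				Name:    NormalizeName(name),
				Version: strings.TrimPrefix(e.Version, "=="),
				Dev:     s.dev,
			})
		}
	}
	sort.Slice(res.Dependencies, func(i, j int) bool { return res.Dependencies[i].Name < res.Dependencies[j].Name })
	sort.Strings(res.Unpinned)
	return res, nil
}

func main() {
	res, err := ParsePipfileLock([]byte(samplePipfileLock))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("lock resolved for python", res.PythonVersion)
	for _, d := range res.Dependencies {
		fmt.Printf("%-12s %-8s dev=%v\n", d.Name, d.Version, d.Dev)
	}
	fmt.Println("unpinned, not matchable by version:", res.Unpinned)
}
```

Because the parser never touches pip or the network, it works regardless of which system libraries or Python version the analyzer image ships; the trade-off is that unpinned entries (the git dependency above) can only be reported, not matched to advisories.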
What does success look like, and how can we measure that?
Fewer failing DS jobs for Python projects, and more Python projects being scanned.
Links / references
- Add Pipfile.lock parser to gemnasium #33227 (closed)
- ~~Ensure gemnasium-python ignores projects with~~ Make gemnasium-python scan projects with Pipfile.lock, using the Pipfile.lock parser provided by gemnasium
- Update the gemnasium-python dependency in the Dependency Scanning orchestrator, and release a new version
- Add or update a test project for scanning Pipfile.lock
- Add an `exists` line for Pipfile.lock to the detection rule in the Dependency Scanning template
Job definitions remain the same. There's no need to propagate new CI variables (DinD setup).