Pipfile.lock support for Dependency Scanning
Problem to solve
Dependency Scanning for Python (gemnasium-python) supports pipenv via Pipfile, but the exact package versions listed in Pipfile.lock are ignored. As a result, the dependency list might be inaccurate, and vulnerabilities might not be reported.
See #299294 for native support of Pipfile.lock, without using pipenv and without installing any project dependency.
Proposal
Support Pipfile.lock via pipenv, or make sure this is already supported.
Further details
gemnasium-python runs pipenv graph --json to export the dependency graph as a JSON document. This JSON document is similar to the one pipdeptree creates. pipenv graph installs the project dependencies, and this might fail if the installed packages require a specific version of Python or specific system libraries.
What does success look like, and how can we measure that?
Dependency Scanning accurately lists and scans the package versions listed in Pipfile.lock, and not the highest version in range when installing from Pipfile.
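As an added illustration of the two points above (not code from gemnasium-python or the referenced test project): read the exact pins out of a Pipfile.lock, flag entries that are not "==" pins, and compare the pins against a pipenv graph --json document to detect the version drift that the success criterion rules out. Both the Pipfile.lock and the graph document are constructed samples, and the pipdeptree-style field names (key, installed_version) are assumed.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample Pipfile.lock, not taken from the referenced test project.
SAMPLE_PIPFILE_LOCK = json.dumps({
    "_meta": {"hash": {"sha256": "0" * 64}, "pipfile-spec": 6},
    "default": {
        "requests": {"version": "==2.25.1", "index": "pypi", "hashes": []},
        "urllib3": {"version": "==1.26.5", "index": "pypi", "hashes": []},
        "mylib": {"git": "https://example.invalid/mylib.git", "ref": "abc123"},
    },
    "develop": {"pytest": {"version": "==6.2.4", "index": "pypi", "hashes": []}},
})

# Constructed `pipenv graph --json` output (pipdeptree layout; field names are
# assumed): urllib3 resolved to a newer version than the lock file pins.
SAMPLE_GRAPH = json.dumps([
    {"package": {"key": "requests", "installed_version": "2.25.1"}, "dependencies": []},
    {"package": {"key": "urllib3", "installed_version": "1.26.6"}, "dependencies": []},
])


def locked_versions(lock_text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (name -> exact pinned version, entries that are not '==' pins).

    Git/path dependencies carry no version and cannot be matched to an
    advisory database by version alone, so they are reported separately.
    """
    lock = json.loads(lock_text)
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for section in ("default", "develop"):
        for name, entry in lock.get(section, {}).items():
            spec = entry.get("version", "")
            if spec.startswith("==") and len(spec) > 2:
                pinned[name.lower()] = spec[2:]
            else:
                unpinned.append(f"{section}:{name}")
    return pinned, unpinned


def version_drift(lock_text: str, graph_text: str) -> Dict[str, Tuple[str, str]]:
    """Return name -> (locked, installed) where pipenv graph disagrees with the lock."""
    pinned, _ = locked_versions(lock_text)
    drift: Dict[str, Tuple[str, str]] = {}
    for node in json.loads(graph_text):
        pkg = node["package"]
        name, installed = pkg["key"].lower(), pkg["installed_version"]
        if name in pinned and pinned[name] != installed:
            drift[name] = (pinned[name], installed)
    return drift
```

A non-empty result from version_drift means the scan assessed a version the project does not actually pin, which is the inaccuracy described in the problem statement.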
Links / references
Implementation plan
- Add branch to the pipenv test project, to prove Pipfile.lock support; see https://gitlab.com/gitlab-org/security-products/tests/python-pipenv/-/commits/pipfile-lock-FREEZE
- Add QA job to gemnasium-python to test Pipfile.lock support; see gitlab-org/security-products/analyzers/gemnasium-python!86 (merged)
- Update user docs; see !51445 (merged)