Document DS_PIP_DEPENDENCY_PATH option for Dependency Scanning and add to vendored template (#12412) · Issues · GitLab.org / GitLab

Document DS_PIP_DEPENDENCY_PATH option for Dependency Scanning and add to vendored template

Problem to solve

To address gitlab-org/security-products/analyzers/gemnasium-python!11 (merged) we've added an option to specify a path to the installed python pip dependencies.

We should document this new option and allow to use this variable from the Dependency Scanning vendored template.

Intended users

Persona: Software developer

Proposal

rename the PIP_DEPENDENCY_PATH environment variable in gemnasium-python into DS_PIP_DEPENDENCY_PATH. Keep the old PIP_DEPENDENCY_PATH value as an alias for backward compatibility. (gitlab-org/security-products/analyzers/gemnasium-python!24 (merged))
add the DS_PIP_DEPENDENCY_PATH variable to the vendored template (https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/30762)
document DS_PIP_DEPENDENCY_PATH in the Available variables section (https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/30762)

Testing

update the python-pip test project to use DS_PIP_DEPENDENCY_PATH, and make sure it really uses it - that's not the case right now and the integration test is misleading (gitlab-org/security-products/analyzers/gemnasium-python!24 (comment 193912902))

What does success look like, and how can we measure that?

DS_PIP_DEPENDENCY_PATH option is properly documented.

What is the type of buyer?

GitLab Ultimate

Links / references

### Problem to solve

To address https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python/merge_requests/11 we've added an option to specify a path to the installed python pip dependencies.

We should document this new option and allow to use this variable from the Dependency Scanning vendored template.

### Intended users
~"Persona: Software developer"

### Proposal

* [x] rename the `PIP_DEPENDENCY_PATH` environment variable in [gemnasium-python](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python/blob/e5c7dd5c961d736a4f0b0b3fa1a12177782c3fa0/analyze.go#L27) into `DS_PIP_DEPENDENCY_PATH`. Keep the old `PIP_DEPENDENCY_PATH` value as an alias for backward compatibility. (https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python/merge_requests/24)
* [x] add the `DS_PIP_DEPENDENCY_PATH` variable to [the vendored template](https://gitlab.com/gitlab-org/gitlab-ee/blob/36055d4586161fae7b08ed72cc8b9a1b89408a80/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml#L33-42) (https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/30762)
* [x] document `DS_PIP_DEPENDENCY_PATH` in the [Available variables](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html#available-variables) section (https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/30762)

### Testing

* [x] update the [python-pip](https://gitlab.com/gitlab-org/security-products/tests/python-pip/blob/296773a5f10ed24ec44344648d5e61cd6498fdc6/.gitlab-ci.yml#L40) test project to use `DS_PIP_DEPENDENCY_PATH`, and make sure it really uses it - that's not the case right now and the integration test is misleading (https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python/merge_requests/24#note_193912902)

### What does success look like, and how can we measure that?

`DS_PIP_DEPENDENCY_PATH` option is properly documented.

### What is the type of buyer? 
~"GitLab Ultimate"

### Links / references

Edited Jul 19, 2019 by mo khan

Discussion
Designs