Dependency Scanning fails for projects using setuptools in offline mode
Main issue
This is a sub-issue for #33720 (closed).
Problem to solve
In order to support offline (air-gapped) deployments of Dependency Scanning for setuptools
projects, setuptools must be able to reach a private package registry over HTTPS when that registry presents a certificate signed by a private CA (or a self-signed certificate). This is not currently possible with setuptools,
and there is no workaround to make it work.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Simone (Software Engineer in Test)
Further details
When querying a repository whose certificate is self-signed or not in the system trust store, setuptools
returns the following error:
Download error on https://gitlab-airgap-pypi.us-west1-b.c.group-secure-a89fe7.internal/simple: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852) -- Some packages may not be found!
Proposal
Add the CA certificate to the analyzer image so that setuptools trusts the third-party certificate. There is currently an open upstream issue about this: https://github.com/pypa/setuptools/issues/1543
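One way to carry out this proposal, as an added example that is not code from the issue or from the analyzer project: a Dockerfile that extends the analyzer image with the private CA and fails the build if Python's default TLS context does not list it afterwards. ANALYZER_IMAGE, corp-root-ca.crt and the common name "Corp Root CA" are placeholders, and the image is assumed to be Debian-based so that update-ca-certificates writes the combined bundle to /etc/ssl/certs/ca-certificates.crt. Whether setuptools itself reads that bundle is exactly what the linked upstream issue is about, so the build-time check confirms only the image's trust store, not the analyzer end to end.

```dockerfile
# Added example (not from the issue or the analyzer project).
# ANALYZER_IMAGE, corp-root-ca.crt and "Corp Root CA" are assumed placeholders;
# the base image is assumed to be Debian-based (update-ca-certificates).
ARG ANALYZER_IMAGE
FROM ${ANALYZER_IMAGE}

# The CA must be PEM-encoded and use the .crt extension, otherwise
# update-ca-certificates silently ignores it.
COPY corp-root-ca.crt /usr/local/share/ca-certificates/corp-root-ca.crt

# Rebuild the system bundle, then verify from Python's point of view:
# ssl.create_default_context() loads the system cafile, and get_ca_certs()
# returns the subjects actually loaded. A missing CA fails the build here
# instead of surfacing later as CERTIFICATE_VERIFY_FAILED in the scan job.
RUN update-ca-certificates && \
    python3 -c "import ssl, sys; \
paths = ssl.get_default_verify_paths(); \
print('cafile used by Python:', paths.cafile); \
certs = ssl.create_default_context().get_ca_certs(); \
subjects = [dict(pair for rdn in c['subject'] for pair in rdn) for c in certs]; \
ok = any(s.get('commonName') == 'Corp Root CA' for s in subjects); \
print('private CA trusted:', ok); \
sys.exit(0 if ok else 1)"
```

The printed cafile path is worth keeping in the build log: if it is not the bundle update-ca-certificates wrote (for example because SSL_CERT_FILE is set to something else in the base image), the CA will be installed but never consulted.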
Permissions and Security
Documentation
If this requires user setup, then we must update user documentation.
Availability & Testing
Test solution on the airgap-test instance: https://gitlab-airgap-test.us-west1-b.c.group-secure-a89fe7.internal/tests/maven-with-local-registry
What does success look like, and how can we measure that?
Projects using setuptools can be successfully scanned in an offline (air-gapped) environment.
What is the type of buyer?
Is this a cross-stage feature?
No.