Discuss implications of multiple PIP_REQUIREMENTS_FILE implementation


NOTE: if you are a user who would also like to see this feature, please UPVOTE 👍 it and comment to help it get prioritized (so it's raised as part of our sensing mechanisms). Comments ideally should include what you want, how it would help you, what your pain point/frustration is today, and anything else that can help us focus on solving the problem.

Problem to solve

"We cannot accurately report the location for a vulnerability when PIP_REQUIREMENTS_FILE matches multiple files. A workaround would be to use the path of the first dependency file in the list."

"PIP_REQUIREMENTS_FILE is singular, and it wouldn't reflect what the variable contains. That's something you brought up when opening the MR."

from gitlab-org/security-products/analyzers/gemnasium-python!44 (comment 373119383)
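To make the location problem concrete, here is an added example (not gemnasium-python's own code, and not from the MR quoted above). It assumes a multi-value PIP_REQUIREMENTS_FILE would be a comma-separated list of paths or glob patterns, which the issue does not specify, and it assumes a location is reported as a file path plus a line number. It expands the variable to the matching files in the order given, then attributes a vulnerable package to the first file and line that actually declares it; when no file declares it, it falls back to the first file in the list, which is the workaround the quoted comment proposes. The two requirements files it scans are constructed inline.

```python
"""Added example: resolving where a vulnerable pip dependency is declared
when PIP_REQUIREMENTS_FILE names more than one requirements file.

Assumptions (not taken from the issue): the variable is a comma-separated
list of paths or glob patterns relative to the project root, and a
location is (file path, 1-based line number). All input files below are
constructed sample data.
"""
import glob
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Location:
    file: str
    line: int  # 1-based line of the matching requirement; 0 when unknown


def expand_requirements_files(value: str, root: str) -> List[str]:
    """Expand a comma-separated PIP_REQUIREMENTS_FILE value (assumed format)
    into existing files relative to ``root``, keeping the order given so the
    'first file' fallback is deterministic."""
    paths: List[str] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        for match in sorted(glob.glob(os.path.join(root, item), recursive=True)):
            rel = os.path.relpath(match, root).replace(os.sep, "/")
            if rel not in paths:
                paths.append(rel)
    return paths


# Leading project name of a requirement line, e.g. "Django" in "Django==3.0.0".
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of - _ . collapse to -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def locate_dependency(package: str, files: List[str], root: str) -> Location:
    """Return the first (file, line) that declares ``package``.

    Option lines such as ``-r other.txt`` are skipped here; requirements
    pulled in through ``-r`` are found only because the included file is
    itself in ``files``. If nothing declares the package, fall back to the
    first file in the list with line 0, i.e. the workaround from the issue."""
    want = normalize(package)
    for rel in files:
        with open(os.path.join(root, rel), encoding="utf-8") as fh:
            for lineno, raw in enumerate(fh, start=1):
                line = raw.split("#", 1)[0]  # drop trailing comments
                if line.lstrip().startswith("-"):
                    continue
                m = _REQ_RE.match(line)
                if m and normalize(m.group(1)) == want:
                    return Location(rel, lineno)
    return Location(files[0], 0) if files else Location("", 0)


def build_sample_project() -> str:
    """Construct a throwaway project with two requirements files (sample data)."""
    root = tempfile.mkdtemp(prefix="pip-req-")
    os.makedirs(os.path.join(root, "services", "api"))
    with open(os.path.join(root, "requirements.txt"), "w", encoding="utf-8") as fh:
        fh.write("# base deps\nrequests==2.25.1\nDjango==3.0.0  # pinned\n")
    with open(os.path.join(root, "services", "api", "requirements.txt"), "w", encoding="utf-8") as fh:
        fh.write("-r ../../requirements.txt\nPyYAML==5.3\n")
    return root


def demo() -> List[Location]:
    """Locate three packages; 'flask' is declared nowhere and hits the fallback."""
    root = build_sample_project()
    files = expand_requirements_files("requirements.txt,services/**/requirements.txt", root)
    return [locate_dependency(p, files, root) for p in ("pyyaml", "django", "flask")]


if __name__ == "__main__":
    for loc in demo():
        print(f"{loc.file}:{loc.line}")
```

Note that the fallback location carries line 0, so a consumer can tell an attributed finding from a guessed one; silently reporting the first file at an arbitrary line would hide exactly the inaccuracy the quoted comment is worried about.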

Proposal

Answer:

  • How could we support multiple PIP_REQUIREMENTS_FILE?
  • How would we report the location of a vulnerability?
  • Are there other edge cases to consider with multiple PIP_REQUIREMENTS_FILE?
  • How common is PIP_REQUIREMENTS_FILE? Is this an officially recognized configuration?

Further details

Links / references

Edited by 🤖 GitLab Bot 🤖