  • #337056
Closed
Open
Created Jul 28, 2021 by Adam Cohen (@adamcohen, Developer)

Feedback issue for Dependency Scanning multiple file processing behavior

Proposal

The purpose of this issue is to gather feedback regarding the behaviour of Dependency Scanning when processing multiple files.

If you have run into difficulties because of the way Dependency Scanning currently processes multiple files, please add a comment to this issue describing the challenges you faced, and say whether the following approach would have solved your problem:

When executing in a CI job, a Dependency Scanning analyzer would either process:

  • multiple lock files (default)
  • one requirements file (fallback)

When processing a requirements file, the analyzer installs the project dependencies using the package manager, so this is expensive (time and bandwidth). This is why analyzers should NOT process multiple requirements files by default. It also makes sense to run multiple dependency scanning jobs, one per requirements file, to reduce the overall execution time of the pipeline.

Analyzers should first attempt to parse and process lock files, because this is both more accurate (it reflects the exact versions used in production) and much cheaper (no need to install the dependencies). They should process a single requirements file only as a fallback, or when explicitly requested to do so (variables to be defined later).
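To make the proposed selection rule concrete, here is an added example of how a job could pick its targets; it is illustrative code, not GitLab's analyzer implementation. The lock/requirements file names and the `force_requirements` flag are assumptions (the issue names no files and says the opt-in variables are still to be defined).

```python
"""Choose which dependency files one scanning job processes.

Rule from the issue: parse every lock file found (cheap, exact versions);
only when there is no lock file, or when explicitly requested, process a
single requirements file (expensive: the package manager installs deps),
handing any further requirements files to separate jobs.
"""
from pathlib import Path
from typing import Dict, Iterable, List

# Assumed file names: the issue names neither set, so this mapping is an
# illustration, not the analyzers' real detection list.
LOCK_FILES = {"Gemfile.lock", "package-lock.json", "yarn.lock",
              "poetry.lock", "Pipfile.lock", "go.sum"}
REQUIREMENTS_FILES = {"Gemfile", "package.json", "pyproject.toml",
                      "Pipfile", "requirements.txt", "go.mod"}


def _ordered(paths: Iterable[Path]) -> List[str]:
    """Deterministic order: shallowest path first, then by name."""
    return [str(p) for p in sorted(paths, key=lambda p: (len(p.parts), str(p)))]


def select_targets(paths: Iterable[str], force_requirements: bool = False) -> Dict[str, object]:
    """Return the files this job should scan and the mode to use.

    `force_requirements` stands in for the opt-in variable the issue says is
    still to be defined (hypothetical name). `remaining` lists requirements
    files left for other jobs, since a job processes at most one of them.
    """
    found = [Path(p) for p in paths]
    locks = _ordered(p for p in found if p.name in LOCK_FILES)
    reqs = _ordered(p for p in found if p.name in REQUIREMENTS_FILES)
    if locks and not force_requirements:
        return {"mode": "lock", "files": locks, "remaining": []}
    if reqs:
        return {"mode": "requirements", "files": reqs[:1], "remaining": reqs[1:]}
    return {"mode": "none", "files": [], "remaining": []}


if __name__ == "__main__":
    # Constructed repository listing: one component with a lock file, two without.
    tree = ["Gemfile", "Gemfile.lock", "api/requirements.txt", "web/package.json"]
    print(select_targets(tree))                           # lock mode: Gemfile.lock only
    print(select_targets(tree, force_requirements=True))  # one requirements file, two remaining
```

Note that in the default (lock) mode the unlocked `api/requirements.txt` is not scanned at all, which is exactly the kind of multi-file situation this issue asks for feedback on.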
