Feedback issue for Dependency Scanning multiple file processing behavior
Proposal
The purpose of this issue is to gather feedback regarding the behaviour of Dependency Scanning when processing multiple files.
If you have run into difficulties because of the way Dependency Scanning currently processes multiple files, please add a comment to this issue describing the challenges you faced, and say whether the following approach would have solved your problem:
When executing in a CI job, a Dependency Scanning analyzer would either process:
- multiple lock files (default)
- one requirements file (fallback)
When processing a requirements file, the analyzer has to install the project dependencies with the package manager, which is expensive (time and bandwidth) and resolves versions at scan time rather than reading the ones actually deployed. This is why analyzers should NOT process multiple requirements files by default. When several requirements files do need processing, it also makes sense to run one dependency scanning job per file: the jobs run in parallel, which reduces the overall execution time of the pipeline.
Analyzers should first attempt to parse and process lock files, because this is both more accurate (a lock file records the exact versions used in production) and much cheaper (no dependencies need to be installed). They should process a single requirements file only as a fallback, when no lock file is found, or when explicitly requested to do so (via variables to be defined later).
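The selection policy above (all lock files by default, exactly one requirements file as the fallback, and an explicit override that forces one requirements file) can be expressed as a small decision function. The following is an added example written for this issue, not code from the GitLab analyzers: the lists of lock and requirements file names, the excluded directories, the "shallowest path first" tie-break for the fallback file, the `requested` parameter and the `DS_REQUIREMENTS_FILE` variable name read in `main` are all assumptions made for illustration, since the real variables are still to be defined. Besides the files it will process, the plan also reports requirements files that this job leaves untouched, which is what a user would need in order to know which extra jobs to add.

```python
"""Example file-selection policy for a dependency-scanning analyzer (added
illustration, not the analyzers' own code).

Policy: process every lock file found (default); if there is none, process
exactly one requirements file (fallback); an explicitly requested
requirements file overrides both.
"""
import os
import sys
from dataclasses import dataclass, field
from typing import Optional

# Constructed name lists for the example; real analyzers keep their own
# per-package-manager lists.
LOCK_FILES = {
    "Gemfile.lock", "package-lock.json", "yarn.lock", "Pipfile.lock",
    "poetry.lock", "composer.lock", "gradle.lockfile", "go.sum",
}
REQUIREMENTS_FILES = {
    "Gemfile", "package.json", "requirements.txt", "Pipfile",
    "pyproject.toml", "composer.json", "build.gradle", "go.mod",
}
# Directories holding third-party copies of manifests, not the project's own.
EXCLUDED_DIRS = {"node_modules", "vendor", ".git"}


@dataclass
class Plan:
    mode: str                                   # "lock", "requirements" or "none"
    files: list                                 # files this job will process
    deferred: list = field(default_factory=list)  # requirements files left to other jobs


def walk_project(root: str) -> list:
    """Return '/'-separated project-relative paths of all files under root."""
    paths = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in EXCLUDED_DIRS)
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            paths.append(rel.replace(os.sep, "/"))
    return paths


def _rank(path: str):
    # Example heuristic: shallowest file first, then alphabetical, so the
    # single fallback file is chosen deterministically.
    return (path.count("/"), path)


def select_files(paths: list, requested: Optional[str] = None) -> Plan:
    """Apply the selection policy to project-relative file paths.

    `requested` stands in for the still-to-be-defined CI variable that forces
    processing of one specific requirements file (hypothetical).
    """
    paths = [p for p in paths if not set(p.split("/")[:-1]) & EXCLUDED_DIRS]
    locks = sorted(p for p in paths if os.path.basename(p) in LOCK_FILES)
    reqs = sorted((p for p in paths if os.path.basename(p) in REQUIREMENTS_FILES), key=_rank)

    if requested is not None:
        if requested not in paths:
            raise FileNotFoundError(f"requested requirements file not found: {requested}")
        return Plan("requirements", [requested], [r for r in reqs if r != requested])

    if locks:
        # Default mode: every lock file, exact versions, nothing to install.
        # Requirements files with no lock file next to them are reported so
        # the user knows they are not covered by this job.
        lock_dirs = {os.path.dirname(l) for l in locks}
        uncovered = [r for r in reqs if os.path.dirname(r) not in lock_dirs]
        return Plan("lock", locks, uncovered)

    if reqs:
        # Fallback: exactly one requirements file; the rest need their own jobs.
        return Plan("requirements", [reqs[0]], reqs[1:])

    return Plan("none", [])


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    # DS_REQUIREMENTS_FILE is a hypothetical variable name used only here.
    plan = select_files(walk_project(root), os.environ.get("DS_REQUIREMENTS_FILE"))
    print(f"mode={plan.mode} files={plan.files} deferred={plan.deferred}")
```

Run it from a project checkout (`python select.py .`) to see which files a job would pick; the `deferred` list is the set of requirements files that would each need a separate job under the proposed behaviour.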