gemnasium-python fails to install psycopg2-binary v2.9.2 with pipenv during dependency scanning job
Summary
When integrating Dependency Scanning into a Python project, the job fails while installing psycopg2-binary 2.9.2 with pipenv. Pinning the package down to 2.8.2 results in a successful installation with pipenv.
Reference ticket: Dependency Scanning - Python Errors (internal link only)
Steps to reproduce
Create a project, add psycopg2-binary = "==2.9.2" to its Pipfile, include the Security/Dependency-Scanning.gitlab-ci.yml template in your .gitlab-ci.yml file, and kick off the job.
Example Project
- Project: Ci-Testing
What is the current bug behavior?
gemnasium-python cannot install psycopg2-binary when the version is locked to 2.9.2 in a Pipfile. If the version is pinned down to 2.8.2, gemnasium-python installs psycopg2-binary using pipenv and the Dependency Scanning job succeeds.
What is the expected correct behavior?
gemnasium-python should install the psycopg2-binary package using pipenv from a Pipfile successfully.
Relevant logs and/or screenshots
No logs, but example passing and failing jobs:
- Dependency Scanning job passed after pinning the psycopg2-binary package down to 2.8.2: ci-testing/-/jobs/1960020561
- Dependency Scanning job failed after bumping the psycopg2-binary package up to 2.9.2: ci-testing/-/jobs/1960031813
Output of checks
This bug happens on GitLab.com and GitLab v14.5.1
Results of GitLab environment info
Results of GitLab application Check
Possible fixes
I'm not sure on this one. I saw that #206952 mentioned installing the missing OS packages in the before_script section of the gemnasium-python-dependency_scanning job; however, this shouldn't be necessary, as the psycopg2-binary package circumvents the need to install the missing OS packages.
Implementation plan
This dependency does indeed seem to require libpq-dev or a newer version of pipenv: https://github.com/pypa/pipenv/issues/3468
This is why using the python-3.9 image seems to work.
Therefore, adding troubleshooting steps for this type of error would be helpful.
- Test the work-around of adding libpq-dev when installing psycopg2-binary in the python 3.6 Dependency Scanning container (add the job output to this issue)
- Update the Dependency Scanning troubleshooting documentation with the work-around: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/
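One way to try the work-around from the plan above, as an added example that is not the project's own configuration or GitLab's template: override the before_script of the gemnasium-python-dependency_scanning job that the template defines so that libpq-dev is present before pipenv installs psycopg2-binary 2.9.2. It assumes the Pipfile pins psycopg2-binary = "==2.9.2" as in the reproduction steps, that the analyzer image is Debian-based with apt-get available, and that the job runs with enough privilege and network access to install a distribution package; none of that is confirmed by the issue text.

```yaml
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

# Added example, not GitLab's template: extend the job the template defines
# so the PostgreSQL client headers (libpq-dev) are installed before pipenv
# tries to build/install psycopg2-binary 2.9.2.
gemnasium-python-dependency_scanning:
  before_script:
    # Assumption: Debian-based analyzer image, apt-get available, install allowed.
    - apt-get update && apt-get install -y --no-install-recommends libpq-dev
```

If the job passes with only this override in place, attach its output to the issue as the plan requests; a pass here narrows the failure to the missing build dependency on the python 3.6 analyzer image rather than to the package itself, which is the distinction the troubleshooting documentation would need to draw.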