PIP_REQUIREMENTS_FILE variable is ignored by python dependency scanner if the requirements file is in subdirectory
Summary
This is the same problem as reported in #324238 (closed). For the monorepo project, when the variable PIP_REQUIREMENTS_FILE is specified, the python dependency scanner ignores it and scans the first pipfile found. This variable is ignored even when the requirements file is located in a subdirectory, on a different level from the .gitlab-ci.yml file.
I initially thought I may have been specifying the variable wrong, however after some tests nothing changed.
There are modifications from the original template; however, it was copied from the current commit, with adjustments so that multiple pipfiles can be scanned.
Steps to reproduce
- Create a project with the following files:
  - `dir1/requirements.txt`:

    ```
    This is wrong file
    ```

  - `dir2/requirements.txt`:

    ```
    Flask
    flask-bootstrap
    flask_httpauth
    ```

  - `.gitlab-ci.yml`:

    ```yaml
    include:
      - template: Security/Dependency-Scanning.gitlab-ci.yml

    gemnasium-python-dependency_scanning:
      variables:
        PIP_REQUIREMENTS_FILE: "dir2/requirements.txt"
      before_script:
        - echo $PIP_REQUIREMENTS_FILE
    ```
Example Project
What is the current bug behavior?
When the variable PIP_REQUIREMENTS_FILE is specified, it is supposed to be the requirements file scanned. However, it appears to be ignored.
What is the expected correct behavior?
If you specify a pipfile in PIP_REQUIREMENTS_FILE, it should be the one scanned.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
gitlab.com
Results of GitLab application Check
???
Possible fixes
- Update the documentation to clarify that PIP_REQUIREMENTS_FILE is a filename, not a path.
- Only match the filename against PIP_REQUIREMENTS_FILE during detection, instead of prepending it to the pre-defined filenames.
- Show a warning when PIP_REQUIREMENTS_FILE is a path and not a filename.
- Support the case where PIP_REQUIREMENTS_FILE is a path, and not simply a filename. This is a much bigger change.
- Do "Allow all Java and Python files to be scanned" (#393078 - closed), which is a more generic solution for passing the path of the file to be scanned.
Proposal
- Update the documentation to clarify that PIP_REQUIREMENTS_FILE is a filename, not a path.
- Only match the filename against PIP_REQUIREMENTS_FILE during detection, instead of prepending it to the pre-defined filenames.
- Show a warning when PIP_REQUIREMENTS_FILE is a path and not a filename.
Passing a specific file path is covered by "Allow all Java and Python files to be scanned" (#393078 - closed) and is out of scope.
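To make the difference between the two detection rules concrete, here is a small model written for this issue (it is not gemnasium's code, and the default filename table and repository layout are constructed for the example). `detect_current` models the behaviour the report describes: the variable's value is prepended to the pre-defined filenames and compared with each file's basename, so a value such as `dir2/requirements.txt` never matches and detection silently falls through to the first `requirements.txt` it finds, which is `dir1/requirements.txt`. `detect_proposed` models the proposal: the value becomes the only accepted pip filename, and a value with a directory part is reported with a warning instead of being ignored.

```python
import os

# Pre-defined pip filenames for this model. Constructed list for the example,
# not gemnasium's real detection table.
DEFAULT_PIP_FILENAMES = ["requirements.txt", "requirements.pip", "Pipfile"]

# Constructed repository layout, taken from the issue's "Steps to reproduce".
REPO_FILES = [
    ".gitlab-ci.yml",
    "dir1/requirements.txt",
    "dir2/requirements.txt",
]


def is_bare_filename(value):
    """True when the override names a file, not a path (no directory part)."""
    return value != "" and os.path.dirname(value) == ""


def detect_current(files, pip_requirements_file=None):
    """Model of the reported behaviour: the override is prepended to the
    pre-defined list and every candidate is compared with each file's
    basename. A value with a directory component can never match, so
    detection silently falls through to the first default hit."""
    candidates = list(DEFAULT_PIP_FILENAMES)
    if pip_requirements_file:
        candidates.insert(0, pip_requirements_file)
    for name in candidates:
        for path in files:
            if os.path.basename(path) == name:
                return path
    return None


def detect_proposed(files, pip_requirements_file=None):
    """Model of the proposal: when the override is set it becomes the only
    accepted pip filename, and a path-like value is reported with a warning
    instead of being ignored. Returns (matches, warning_or_None)."""
    if not pip_requirements_file:
        matches = [p for p in files if os.path.basename(p) in DEFAULT_PIP_FILENAMES]
        return sorted(matches), None
    warning = None
    if not is_bare_filename(pip_requirements_file):
        warning = (
            f"PIP_REQUIREMENTS_FILE={pip_requirements_file!r} is a path; "
            "only a filename is supported, so no pip file will be matched."
        )
    # Matching stays on the basename, so a path-like value matches nothing
    # and the warning above is the only signal the user gets.
    matches = [p for p in files if os.path.basename(p) == pip_requirements_file]
    return sorted(matches), warning


if __name__ == "__main__":
    for value in (None, "requirements.txt", "dir2/requirements.txt"):
        print(f"PIP_REQUIREMENTS_FILE={value!r}")
        print("  current : scans", detect_current(REPO_FILES, value))
        matches, warning = detect_proposed(REPO_FILES, value)
        print("  proposed: scans", matches, "| warning:", warning)
```

Running the script with the layout from the reproduction steps shows why the job in the report scans `dir1/requirements.txt`: under the current rule the path-like value is simply skipped, while under the proposed rule the same value produces an explicit warning and no match, so the misconfiguration is visible in the job log instead of being masked by a scan of the wrong file.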
Implementation plan
- Update GitLab documentation.
  - Clarify that PIP_REQUIREMENTS_FILE is a filename, not a path.
  - Clarify that
- Update gemnasium project.
  - When PIP_REQUIREMENTS_FILE is set,
    - Use it as the only supported filename for pip.
    - Only register pip, and do not detect files of other package managers.
      - NOTE: This has been debated in #350949 (comment 1685642756).
  - Show a warning when PIP_REQUIREMENTS_FILE is a path and not a filename.
  - When