Add ability to optionally ignore dev dependencies in Pipenv projects
Release notes
N/A
Problem to solve
When Dependency Scanning runs on Pipenv projects, it always includes development dependencies. In contrast, NPM projects with dependency scanning dynamically include devDependencies only if the option to do so is enabled. To prevent feature drift, Pipenv should also support optionally installing development dependencies.
Intended users
- Sasha (Software Developer)
- Priyanka (Platform Engineer)
- Sam (Security Analyst)
- Alex (Security Operations Engineer)
Proposal
- Update `piplock.Parse` so that it only adds a development dependency if `opts.IncludeDev` is true.
Documentation
- Update the documentation in Configuring specific analyzers used by dependency scanning to mention support for Pipenv projects.
Availability & Testing
- Pipenv unit tests should be updated to include cases where the `IncludeDev` option is set to false.
- Pipenv integration tests should be updated to include cases where `DS_INCLUDE_DEV_DEPENDENCIES` is set to false.
Implementation Plan
- Update `piplock.Parse` to add dependencies in `document.Develop` only if `opts.IncludeDev` is true.
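The behaviour described in the Proposal and Implementation Plan above, as an added example that is not the analyzer's own `piplock` code: a minimal Go parser for `Pipfile.lock` whose `Parse` reads the `develop` section only when `opts.IncludeDev` is true. The `Options`, `Dependency` and `lockFile` types and the embedded `sampleLock` are constructed for this illustration and are not taken from the project.

```go
package main

import (
	"encoding/json"
	"sort"
	"strings"
)

// Options mirrors the DS_INCLUDE_DEV_DEPENDENCIES switch: when IncludeDev is
// false, the "develop" section of Pipfile.lock is ignored entirely.
type Options struct{ IncludeDev bool }
// Dependency is one resolved package; Dev records which section it came from.
type Dependency struct {
	Name, Version string
	Dev           bool
}
type lockEntry struct {
	Version string `json:"version"` // Pipenv writes pinned specifiers such as "==2.31.0"
}
// lockFile covers the two Pipfile.lock sections that matter here; other keys are ignored.
type lockFile struct {
	Default map[string]lockEntry `json:"default"`
	Develop map[string]lockEntry `json:"develop"`
}

// Parse reads Pipfile.lock and returns its dependencies, adding the "develop"
// section only when opts.IncludeDev is true. Output is sorted by name.
func Parse(data []byte, opts Options) ([]Dependency, error) {
	var doc lockFile
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	var deps []Dependency
	add := func(section map[string]lockEntry, dev bool) {
		for name, e := range section {
			deps = append(deps, Dependency{name, strings.TrimPrefix(e.Version, "=="), dev})
		}
	}
	add(doc.Default, false)
	if opts.IncludeDev {
		add(doc.Develop, true)
	}
	sort.Slice(deps, func(i, j int) bool { return deps[i].Name < deps[j].Name })
	return deps, nil
}

// sampleLock is a constructed, minimal Pipfile.lock, not taken from a real project.
const sampleLock = `{"_meta": {}, "default": {"requests": {"version": "==2.31.0"}},
 "develop": {"pytest": {"version": "==7.4.0"}, "black": {"version": "==23.7.0"}}}`
```

With `IncludeDev: false` only `requests` is reported; with `IncludeDev: true` the two `develop` packages are added and flagged with `Dev: true`, which is the distinction the unit tests above should assert on.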
Edited by Oscar Tovar