gemnasium-python fails: vrange/python incompatible with packaging v22.0

Summary

When scanning a Python project that uses pip, the scan starts but exits with exit code 1 and no error message.

Impacted Images

Default Image: registry.gitlab.com/security-products/gemnasium-python@sha256:217eed32cf5200a92dcc1819dadc3e8c8e04742043b59986969465e738db3ea3

FIPS Image: registry.gitlab.com/gitlab-org/security-products/analyzers/integration-test@sha256:0734e4bcff9a1a9579c916c0661b666f59b184124d447ab741c5d5ef6c17142e

Steps to reproduce

  1. Set up the test python-pip project.

  2. Run dependency scanning on the project:

    docker run --rm -it -v </PATH/TO/PROJECT>:/app -w /app -e SECURE_LOG_LEVEL=debug /analyzer run
  3. Observe that the analyzer exits with exit code 1 and no report is generated.

Example Project

https://gitlab.com/gitlab-org/security-products/tests/python-pip

What is the current bug behavior?

A report is not generated.

What is the expected correct behavior?

A report should be generated or an error message given along with the exit code.

Relevant logs and/or screenshots

  • https://gitlab.com/tech-marketing/devsecops/initech/simple-notes/-/jobs/3447285619
  • https://gitlab.com/gitlab-org/security-products/tests/python-pip/-/jobs/3447363586#L45

Possible fixes

In the linked job logs, the analyzer fails while installing Pillow.

Workaround

The release of packaging 22.0, which is used to detect the version range of Python dependencies, includes a breaking change. If you are impacted by this, you can temporarily pin the version by adding the following line to your requirements.txt file: packaging<=21.3.
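As an added example (not code from the issue, the analyzer or the example project), the following script checks a requirements.txt for the workaround pin: it finds the `packaging` line and reports whether its version specifiers keep packaging below 22.0, so the check can run as a CI guard. The requirements contents are constructed samples.

```python
import re

# Constructed sample requirements.txt contents (not from the example project):
# one with the workaround pin and one without it.
REQS_PINNED = "Pillow==9.3.0\npackaging<=21.3  # workaround for packaging 22.0\n"
REQS_UNPINNED = "Pillow==9.3.0\npackaging\n"

BREAKING = (22, 0)  # first packaging release with the breaking change
SPEC_RE = re.compile(r"(~=|==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)")


def _vtuple(text):
    """'21.3' -> (21, 3); '22' -> (22, 0). Only plain numeric versions."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (len(BREAKING) - len(parts))


def _keeps_below_breaking(op, ver):
    """Does one specifier clause guarantee packaging < 22.0?"""
    v = _vtuple(ver)
    if op == "<":
        return v <= BREAKING          # "<22.0" and "<21.3" both qualify
    if op in ("<=", "==", "~="):
        return v < BREAKING           # "~=21.3" allows only 21.x releases
    return False                      # ">", ">=", "!=" give no upper bound


def packaging_pin_status(requirements_text):
    """Return (found, pinned): whether 'packaging' is listed in the
    requirements and whether its specifiers keep it below 22.0."""
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*(.*)$", line)
        if not m or m.group(1).lower() != "packaging":
            continue
        clauses = SPEC_RE.findall(m.group(2))
        return True, any(_keeps_below_breaking(op, v) for op, v in clauses)
    return False, False


if __name__ == "__main__":
    for name, text in (("pinned", REQS_PINNED), ("unpinned", REQS_UNPINNED)):
        found, pinned = packaging_pin_status(text)
        print(f"{name}: packaging listed={found}, kept below 22.0={pinned}")
```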

Edited Dec 08, 2022 by Oscar Tovar