gemnasium-python fails: vrange/python incompatible with packaging v22.0
Summary
When scanning a Python project that uses pip, the scan starts but exits with error code 1 and no error message.
Impacted Images
Default Image: registry.gitlab.com/security-products/gemnasium-python@sha256:217eed32cf5200a92dcc1819dadc3e8c8e04742043b59986969465e738db3ea3
FIPS Image: registry.gitlab.com/gitlab-org/security-products/analyzers/integration-test@sha256:0734e4bcff9a1a9579c916c0661b666f59b184124d447ab741c5d5ef6c17142e
Steps to reproduce
- Set up the test python-pip project.
- Run dependency scanning on the project:
  docker run --rm -it -v </PATH/TO/PROJECT>:/app -w /app -e SECURE_LOG_LEVEL=debug /analyzer run
- Observe that the analyzer exits with exit code 1 and a report is not generated.
Example Project
https://gitlab.com/gitlab-org/security-products/tests/python-pip
What is the current bug behavior?
A report is not generated.
What is the expected correct behavior?
A report should be generated or an error message given along with the exit code.
Relevant logs and/or screenshots
- https://gitlab.com/tech-marketing/devsecops/initech/simple-notes/-/jobs/3447285619
- https://gitlab.com/gitlab-org/security-products/tests/python-pip/-/jobs/3447363586#L45
Possible fixes
The analyzer is having trouble installing Pillow (see the linked job logs).
Workaround
The release of packaging 22.0, which the analyzer uses to detect the version range of Python dependencies, includes a breaking change. If you are impacted by this, you can temporarily pin the version by adding the following line to your requirements.txt file: packaging<=21.3
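The workaround above is a one-line pin, but it is easy to apply it twice or to a project that is not affected. The following helper, added here as an example and not code from the issue or from the gemnasium-python analyzer, checks whether the installed packaging release is 22.0 or newer and adds the `packaging<=21.3` pin to a list of requirements.txt lines only when no requirement for packaging is already present. The function names, the `(22, 0)` threshold tuple and the sample requirement lines are assumptions made for this example.

```python
"""Added example (not part of the GitLab issue or the analyzer): decide whether
the packaging<=21.3 workaround is needed and apply it to requirements.txt lines."""
import re
from importlib.metadata import PackageNotFoundError, version
from typing import List, Optional

PIN_LINE = "packaging<=21.3"   # the workaround line quoted in the issue
BREAKING_VERSION = (22, 0)      # packaging release that introduced the breaking change

# Matches a requirement for the 'packaging' project itself: bare name, a version
# specifier, an extras list or an environment marker, but not e.g. 'packaging-tools'.
_PACKAGING_REQ = re.compile(r"^packaging(\s*$|\s*[<>=!~\[;])", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Turn '22.0' or '21.3.1' into a comparable tuple of ints, ignoring any suffix."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(installed_packaging: str) -> bool:
    """True when the installed packaging release is 22.0 or newer."""
    return parse_version(installed_packaging) >= BREAKING_VERSION


def installed_packaging_version() -> Optional[str]:
    """Report the packaging version in the current environment, or None if absent."""
    try:
        return version("packaging")
    except PackageNotFoundError:
        return None


def find_packaging_requirement(lines: List[str]) -> Optional[str]:
    """Return the first requirements.txt line that already requires 'packaging'."""
    for line in lines:
        candidate = line.split("#", 1)[0].strip()   # drop trailing comments
        if _PACKAGING_REQ.match(candidate):
            return line
    return None


def apply_workaround(lines: List[str], installed_packaging: str) -> List[str]:
    """Return a copy of the requirement lines with the pin appended when needed.

    An existing requirement for packaging (pinned or not) is left untouched so the
    project's own constraint is never silently overridden; review it by hand instead.
    """
    result = list(lines)
    if not is_affected(installed_packaging):
        return result
    if find_packaging_requirement(result) is not None:
        return result
    result.append(PIN_LINE)
    return result


if __name__ == "__main__":
    # Constructed sample requirements file for demonstration purposes.
    sample = ["Pillow", "requests  # http client"]
    current = installed_packaging_version() or "22.0"   # fall back to an affected version
    for line in apply_workaround(sample, current):
        print(line)
```

Run it from the project directory to print the requirement lines that would result; the pin is only appended when the detected packaging release is 22.0 or newer and the file does not already mention packaging.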