
Support scanning for dependencies "locked" in a different Operating System other than Linux


Proposal

Gemnasium python fails when it runs against a requirements.txt file that contains dependencies and their hashes, generated on an OS other than Linux.

It seems the dependencies are pulled based on the job's environment (Linux Runner), rather than the targeted environment, e.g. Windows.

Steps to reproduce:

  1. Run `pip-compile --generate-hashes` in a Python project on Windows.
  2. A requirements.txt file with hashes is generated.
  3. Run Dependency Scanning with the requirements.txt file.

Sample Requirements.txt file: https://gitlab.com/cmutua/requirements-hashes/-/blob/main/requirements.txt

Error/Logs:

```
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:

PackageName>=x.y from https://files.pythonhosted.org/packages/ab/cd/<hash>/PackageName-x.y.z-py3-none-any.whl#sha256=<hash> (from keyring==x.y.z->-r requirements.txt (line 15))
```

Any attempt to fetch the dependencies beforehand and send the artifacts to the dependency scanning job still results in an error:

```
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
```
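As an added illustration (not part of this issue or of Gemnasium), the script below shows the two checks pip performs in `--require-hashes` mode that produce the errors above: every requirement must be pinned with `==` and carry at least one `--hash`, and a fetched artifact must match one of the recorded hashes. The requirements text and the wheel bytes are constructed samples; the hash values in them are placeholders, not real package hashes.

```python
import hashlib
import re

# Constructed stand-in for a downloaded wheel; its sha256 is embedded in the sample below.
SAMPLE_WHEEL = b"constructed stand-in for keyring-24.3.0-py3-none-any.whl"

# Constructed sample in the layout pip-compile --generate-hashes emits (hashes are placeholders).
SAMPLE_REQUIREMENTS = f"""\
# constructed sample, not the issue's real requirements.txt
keyring==24.3.0 \\
    --hash=sha256:{hashlib.sha256(SAMPLE_WHEEL).hexdigest()}
PackageName>=1.2 \\
    --hash=sha256:00ff
pywin32==306 ; sys_platform == "win32" \\
    --hash=sha256:0a0b \\
    --hash=sha256:0c0d
"""

PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)\s*([^\s;]+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]+)")


def parse_requirements(text):
    """Join backslash continuations and return one record per requirement line."""
    logical, records = [], []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop comments
        if not line:
            continue
        if line.endswith("\\"):  # continuation: keep collecting
            logical.append(line[:-1])
            continue
        logical.append(line)
        records.append(" ".join(logical))
        logical = []
    parsed = []
    for rec in records:
        m = PIN_RE.match(rec)
        if m:
            name, op, version = m.groups()
            parsed.append({"name": name, "op": op, "version": version,
                           "hashes": [h.lower() for h in HASH_RE.findall(rec)]})
    return parsed


def hash_mode_problems(text):
    """Return what pip --require-hashes would reject: unpinned or hashless requirements."""
    problems = []
    for r in parse_requirements(text):
        if r["op"] != "==":
            problems.append(f"{r['name']}{r['op']}{r['version']}: not pinned with ==")
        if not r["hashes"]:
            problems.append(f"{r['name']}: no --hash entries")
    return problems


def artifact_matches(text, name, data):
    """True if the artifact bytes match a hash recorded for `name` (the second error above)."""
    digest = hashlib.sha256(data).hexdigest()
    return any(digest in r["hashes"] for r in parse_requirements(text)
               if r["name"].lower() == name.lower())
```

Run against the sample, the unpinned `PackageName>=1.2` line is reported, mirroring the first error, while a tampered artifact fails the hash check, mirroring the second.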