Support scanning for dependencies "locked" in an Operating System other than Linux
Proposal
Gemnasium python fails when it runs against a requirements.txt file that contains dependencies and their hashes, generated on an OS other than Linux.
It seems the dependencies are pulled based on the job's environment (the Linux runner) rather than the targeted environment, e.g. Windows.
Steps to reproduce:
- Run `pip-compile --generate-hashes` in a Python project on Windows.
- A `requirements.txt` file with hashes is generated.
- Run Dependency Scanning with that `requirements.txt` file.
Sample Requirements.txt file: https://gitlab.com/cmutua/requirements-hashes/-/blob/main/requirements.txt
Error/Logs:
```
ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
PackageName>=x.y from https://files.pythonhosted.org/packages/ab/cd/<hash>/PackageName-x.y.z-py3-none-any.whl#sha256=<hash> (from keyring==x.y.z->-r requirements.txt (line 15))
```
Any attempt to fetch the dependencies beforehand and pass the artifacts to the dependency scanning job still results in an error:
```
ERROR: THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
```
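As an added example (not code from this issue or from Gemnasium), the checker below applies the two rules pip's `--require-hashes` mode enforces, the ones the logs above show failing, to a constructed requirements file, and verifies a downloaded artifact against the digests recorded for it. The sample file, wheel bytes and package names are constructed for illustration.

```python
"""Check a hashed requirements.txt the way pip's --require-hashes mode does."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample artifact and requirements file (not real wheel data).
SAMPLE_WHEEL = b"constructed wheel bytes for keyring"
SAMPLE_REQUIREMENTS = """\
# constructed sample in pip-compile --generate-hashes layout
keyring==24.3.0 \\
    --hash=sha256:%s
jaraco.classes>=3.2.1
""" % hashlib.sha256(SAMPLE_WHEEL).hexdigest()


@dataclass
class Requirement:
    name: str
    spec: str                                  # e.g. "==24.3.0" or ">=3.2.1"
    hashes: set = field(default_factory=set)   # "sha256:<hex>" values


def parse_requirements(text):
    """Return Requirement objects; backslash continuations are joined first."""
    joined = re.sub(r"\\\n\s*", " ", text)
    reqs = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue                           # skip options such as -r / -i
        parts = line.split()
        m = re.match(r"([A-Za-z0-9_.\-\[\]]+)(.*)", parts[0])
        hashes = {p[len("--hash="):] for p in parts[1:] if p.startswith("--hash=")}
        reqs.append(Requirement(m.group(1), m.group(2), hashes))
    return reqs


def require_hashes_problems(text):
    """Mirror pip's checks: every entry pinned with == and carrying a hash."""
    problems = []
    for r in parse_requirements(text):
        if not r.spec.startswith("=="):
            problems.append(f"{r.name}{r.spec}: not pinned with ==")
        elif not r.hashes:
            problems.append(f"{r.name}{r.spec}: no --hash recorded")
    return problems


def artifact_matches(req, data):
    """True if data's sha256 is among the hashes recorded for req."""
    return f"sha256:{hashlib.sha256(data).hexdigest()}" in req.hashes
```

A transitive dependency that the Linux runner resolves but the Windows-generated file never recorded (the `keyring` case in the log) cannot be caught by inspecting the file alone, which is why the error only appears at install time.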
Edited by Christopher Mutua