Add dependency scanning for Python projects that use pyproject.toml
Release notes
Dependency scanning now supports Python projects that use a pyproject.toml to specify their dependencies.
The pyproject.toml specification was adopted in PEP 621 as the canonical source for project packaging.
Problem to solve
Python packaging has started to shift towards using the pyproject.toml file for
specifying the project's metadata, dependencies, and build information. Adding
support for this specification will broaden the support of the gemnasium-python
analyzer, and in the future CycloneDX SBoM generators. Additionally, this provides
a stable scan target for dependency scanning. Historically, the package management
ecosystem has been fragmented, which in turn has made it difficult to support the
various package managers within Gemnasium. With this addition, we should in theory
have support for the following package managers:
Related links
Proposal
If a Python project has dependency scanning enabled, and it contains a pyproject.toml file,
dependency scanning should identify the build-system used, and produce a list of components
used by the project.
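As an added illustration of the proposal (example code, not the gemnasium-python analyzer's own implementation), the sketch below reads one pyproject.toml, maps the PEP 517 `build-backend` to a package-manager family, and lists the PEP 621 `[project].dependencies` as normalised components; it also picks up pre-PEP 621 Poetry projects that keep dependencies under `[tool.poetry.dependencies]`. The backend-to-manager labels and the `SAMPLE` manifest are constructed for this example.

```python
"""Added example: build backend + declared components from a pyproject.toml."""
import re
try:
    import tomllib                 # stdlib on Python 3.11+
except ModuleNotFoundError:
    import tomli as tomllib        # backport for older interpreters
BACKENDS = {  # real PEP 517 backend module paths -> manager family (labels assumed)
    "setuptools.build_meta": "setuptools",
    "flit_core.buildapi": "flit",
    "hatchling.build": "hatch",
    "poetry.core.masonry.api": "poetry",
}

# PEP 508 requirement: name, optional [extras], version spec, optional ';' marker
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;]*?)\s*(?:;.*)?$")

def normalize(name):
    # PEP 503 normalisation so 'PyYAML' and 'pyyaml' count as one component
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirement(req):
    m = _REQ.match(req)
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    return normalize(m.group(1)), m.group(2).strip() or "*"

def scan(text):
    """Return (package_manager, {component: version_spec}) for one pyproject.toml."""
    doc = tomllib.loads(text)
    backend = doc.get("build-system", {}).get("build-backend", "")
    components = {}
    for req in doc.get("project", {}).get("dependencies", []):
        name, spec = parse_requirement(req)
        components[name] = spec
    # Poetry projects written before PEP 621 keep deps in [tool.poetry.dependencies]
    for name, spec in doc.get("tool", {}).get("poetry", {}).get("dependencies", {}).items():
        if normalize(name) != "python":   # the interpreter constraint is not a component
            components.setdefault(normalize(name), spec if isinstance(spec, str) else spec.get("version", "*"))
    return BACKENDS.get(backend, "unknown"), components

# Constructed sample manifest (not taken from any real project)
SAMPLE = """\
[build-system]
build-backend = "setuptools.build_meta"
[project]
dependencies = [
  "requests>=2.31,<3",
  "PyYAML[fast]==6.0.1 ; python_version >= '3.8'",
]
"""
```

Environment markers and extras are stripped here so the inventory keys on the component name alone; a real scanner would keep the marker to decide whether the dependency is actually installed for the target interpreter.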
Intended users
Feature Usage Metrics
TODO
Implementation Plan
TODO
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.