Allow gemnasium-python to report setuptools and pip direct dependencies
Proposal
In gitlab-org/security-products/analyzers/gemnasium!719 (comment 1903136298), we had to decide whether to keep pip and setuptools dependencies in the final dependency scanning result. Both options, inclusion and exclusion, have tradeoffs for our customers. If we kept them included, we would incorrectly report them, and any vulnerabilities in them, as part of the scanned project: in most cases they appear only because they were needed to set up the virtual environment with the project's dependencies, not because the project itself depends on them. This is mostly the case, but not always. Edge cases exist where a project legitimately needs to depend on pip and/or setuptools, as pip-tools does. For these edge cases we currently do not report the dependency or any related vulnerabilities, a shortcoming that should be addressed.
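To make the proposed rule concrete, the following is an added example, not code from gemnasium-python or the gemnasium repository. It applies the rule sketched above: pip and setuptools are dropped from the report when they are only present in the environment, but kept when the project declares them as direct dependencies. It assumes, for illustration only, that direct dependencies come from a requirements.txt-style file and installed packages from `pip freeze` output; the actual analyzer supports other manifest formats that are not modelled here. All inputs are constructed samples.

```python
import re

# Packages that are normally installed only to bootstrap the virtualenv.
# Assumption for this example; it is not gemnasium's exclusion list.
ENV_TOOLS = {"pip", "setuptools"}

# Leading project name in a requirement line (stops at extras, specifiers, markers, URLs).
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization so 'Setup_Tools' and 'setuptools' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement_names(text: str) -> set[str]:
    """Normalized names declared in a requirements.txt-style file.

    Comments, blank lines and pip options (-r, -e, --index-url ...) are skipped,
    so only the project's own declared (direct) dependencies are returned.
    """
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _NAME_RE.match(line)
        if m:
            names.add(normalize(m.group(1)))
    return names


def parse_freeze(text: str) -> dict[str, str]:
    """Parse 'pip freeze' output into {normalized_name: version_or_url}."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        if "==" in line:
            name, version = line.split("==", 1)
        elif " @ " in line:
            name, version = line.split(" @ ", 1)  # direct URL reference
        else:
            continue
        installed[normalize(name.strip())] = version.strip()
    return installed


def build_report(direct: set[str], installed: dict[str, str]) -> dict[str, str]:
    """Keep every installed package except env tools the project did not declare."""
    report = {}
    for name, version in installed.items():
        if name in ENV_TOOLS and name not in direct:
            continue  # present only to set up the virtualenv; not part of the project
        report[name] = version
    return report


def scan(requirements_txt: str, freeze_output: str) -> dict[str, str]:
    return build_report(parse_requirement_names(requirements_txt), parse_freeze(freeze_output))


# Constructed sample 1: a typical project. pip/setuptools exist only because the venv needed them.
WEB_APP_REQUIREMENTS = """
# web service
requests>=2.31
Flask[async]==3.0.0
"""
WEB_APP_FREEZE = """
blinker==1.7.0
click==8.1.7
Flask==3.0.0
pip==24.0
requests==2.31.0
setuptools==69.0.3
"""

# Constructed sample 2: a pip-tools-style project that genuinely depends on pip and setuptools.
TOOLING_REQUIREMENTS = """
pip>=22.2
setuptools
click>=8
"""
TOOLING_FREEZE = """
click==8.1.7
pip==24.0
setuptools==69.0.3
"""

if __name__ == "__main__":
    print("web app:", scan(WEB_APP_REQUIREMENTS, WEB_APP_FREEZE))
    print("tooling:", scan(TOOLING_REQUIREMENTS, TOOLING_FREEZE))
```

The web-app report omits pip and setuptools, while the tooling report keeps both with their installed versions, so vulnerabilities in them would be attributed to that project. Name normalization matters here: a manifest that writes `Setup_Tools` must still match the `setuptools` line from `pip freeze`, otherwise the direct dependency would be silently dropped.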