
Dependency Scanning fails to build Python apps because of missing tools and dependencies

I am investigating the possibilities of dependency check and switching to the Enterprise version of GitLab.

I found that the dependency check for Python projects is based on analysis of the requirements.txt file. If it contains common entries like 'Werkzeug==0.12.1', 'numpy==1.13.3' and so on, all is fine. But if there are the following entries in requirements.txt:

cx-Oracle==5.3
psycopg2==2.6.2
pymssql==2.1.3

the dependency check fails and exits. It is a blocking factor for switching to the Enterprise version, because the dependency check is broken by design.

docker run   --interactive --tty --rm   --volume "$PWD":/code   --volume /var/run/docker.sock:/var/run/docker.sock registry.gitlab.com/gitlab-org/security-products/dependency-scanning:10-8-stable  /code
EXECUTE: mkdir -p /app/bin
        curl https://gitlab.com/gitlab-org/security-products/binaries/raw/master/gemnasium-client/gemnasium-client-1.0.1 --output /app/bin/gemnasium
        chmod a+rx /app/bin/gemnasium
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 6949k  100 6949k    0     0   586k      0  0:00:11  0:00:11 --:--:--  292k
EXECUTE: [ ! -z "$(/app/bin/gemnasium search .)" ]
EXECUTE: /app/bin/gemnasium alerts . > /code/gl-sast-gemnasium.json
latest: Pulling from gitlab-org/security-products/binaries/gemnasium-client-python-generator
Digest: sha256:c33ab2878c3776e291353e4078adcf6684d844e2bc25153ee5f02be22752446a
Status: Image is up to date for registry.gitlab.com/gitlab-org/security-products/binaries/gemnasium-client-python-generator:latest
-----> Installing python-3.6.4
-----> Installing pip
-----> Installing requirements with pip
       Collecting airflow==1.8.0 (from -r /tmp/app/./requirements.txt (line 1))
         Downloading https://files.pythonhosted.org/packages/e7/ac/5f1ec362fc0695167d29b3c7b6f28d79898f1221e5a32ab1c6e651a55564/airflow-1.8.0.tar.gz (8.4MB)
       Collecting alembic==0.9.1 (from -r /tmp/app/./requirements.txt (line 2))
         Downloading https://files.pythonhosted.org/packages/97/00/3e6797a2e4209db69d23b223ae3148d5f3605dafba6a332670de7a12c147/alembic-0.9.1.tar.gz (999kB)
       Collecting amqp==2.1.4 (from -r /tmp/app/./requirements.txt (line 3))
         Downloading https://files.pythonhosted.org/packages/7e/4b/ac7afb11b57f237e3c1c64b5408c5d229bf5d4b42af6cb6e683c7690ca4f/amqp-2.1.4-py2.py3-none-any.whl (49kB)
       Collecting anyjson==0.3.3 (from -r /tmp/app/./requirements.txt (line 4))
         Downloading https://files.pythonhosted.org/packages/c3/4d/d4089e1a3dd25b46bebdb55a992b0797cff657b4477bc32ce28038fdecbc/anyjson-0.3.3.tar.gz
       Collecting appdirs==1.4.3 (from -r /tmp/app/./requirements.txt (line 5))
         Downloading https://files.pythonhosted.org/packages/56/eb/810e700ed1349edde4cbdc1b2a21e28cdf115f9faf263f6bbf8447c1abf3/appdirs-1.4.3-py2.py3-none-any.whl
       Collecting Babel==1.3 (from -r /tmp/app/./requirements.txt (line 6))
         Downloading https://files.pythonhosted.org/packages/33/27/e3978243a03a76398c384c83f7ca879bc6e8f1511233a621fcada135606e/Babel-1.3.tar.gz (3.4MB)
       Collecting bcrypt==3.1.2 (from -r /tmp/app/./requirements.txt (line 7))
         Downloading https://files.pythonhosted.org/packages/3f/72/980f6e49da4ee3b168b20551e76142ad44af12318ed7e2d42ac0fd134b95/bcrypt-3.1.2-cp36-cp36m-manylinux1_x86_64.whl (53kB)
       Collecting billiard==3.5.0.2 (from -r /tmp/app/./requirements.txt (line 8))
         Downloading https://files.pythonhosted.org/packages/af/56/90fd158263e324742fb0ac82f9e2650dbbc7f93a233d9e254021e5d35880/billiard-3.5.0.2-py3-none-any.whl (102kB)
       Collecting celery==3.1.23 (from -r /tmp/app/./requirements.txt (line 9))
         Downloading https://files.pythonhosted.org/packages/de/df/59f5df67082ef46b86bc754b82f8cf187b835eea8a56ea8907813e75ad6d/celery-3.1.23-py2.py3-none-any.whl (520kB)
       Collecting cffi==1.9.1 (from -r /tmp/app/./requirements.txt (line 10))
         Downloading https://files.pythonhosted.org/packages/f0/47/2b967857a94b01127742dec3ed5595a596358cfbb170be6e3e89efd6786d/cffi-1.9.1-cp36-cp36m-manylinux1_x86_64.whl (398kB)
       Collecting chartkick==0.4.2 (from -r /tmp/app/./requirements.txt (line 11))
         Downloading https://files.pythonhosted.org/packages/2f/ce/b3d286e42fe5becc242e1c0e1f5a2365fa08546dd28155493571babf56fd/chartkick-0.4.2.tar.gz
       Collecting click==6.7 (from -r /tmp/app/./requirements.txt (line 12))
         Downloading https://files.pythonhosted.org/packages/34/c1/8806f99713ddb993c5366c362b2f908f18269f8d792aff1abfd700775a77/click-6.7-py2.py3-none-any.whl (71kB)
       Collecting configparser==3.5.0 (from -r /tmp/app/./requirements.txt (line 13))
         Downloading https://files.pythonhosted.org/packages/7c/69/c2ce7e91c89dc073eb1aa74c0621c3eefbffe8216b3f9af9d3885265c01c/configparser-3.5.0.tar.gz
       Collecting croniter==0.3.16 (from -r /tmp/app/./requirements.txt (line 14))
         Downloading https://files.pythonhosted.org/packages/58/2a/17d003f2a9a0188cf9365d63b3351c6522b7d83996b70270c65c789e35b9/croniter-0.3.16.tar.gz
       Collecting cryptography==1.7.1 (from -r /tmp/app/./requirements.txt (line 15))
         Downloading https://files.pythonhosted.org/packages/82/f7/d6dfd7595910a20a563a83a762bf79a253c4df71759c3b228accb3d7e5e4/cryptography-1.7.1.tar.gz (420kB)
       Collecting cx-Oracle==5.3 (from -r /tmp/app/./requirements.txt (line 16))
         Downloading https://files.pythonhosted.org/packages/14/05/4d492fb049eeee24ff8b5fdf23c6240b81ef168d4039dfbf6629e022ba6b/cx_Oracle-5.3.tar.gz (129kB)
           Complete output from command python setup.py egg_info:
           Traceback (most recent call last):
             File "<string>", line 1, in <module>
             File "/tmp/pip-install-wff2m3v5/cx-Oracle/setup.py", line 174, in <module>
               raise DistutilsSetupError("cannot locate an Oracle software " \
           distutils.errors.DistutilsSetupError: cannot locate an Oracle software installation
           
           ----------------------------------------
       Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-install-wff2m3v5/cx-Oracle/
Could not install python packages for the repository at .
FATA[0063] Container exited with non zero exit code: 1  
/usr/local/lib/ruby/2.3.0/json/common.rb:156:in `initialize': A JSON text must at least contain two octets! (JSON::ParserError)
	from /usr/local/lib/ruby/2.3.0/json/common.rb:156:in `new'
	from /usr/local/lib/ruby/2.3.0/json/common.rb:156:in `parse'
	from /app/lib/analyzers/gemnasium.rb:58:in `block in analyze'
	from /app/lib/analyzers/gemnasium.rb:53:in `chdir'
	from /app/lib/analyzers/gemnasium.rb:53:in `analyze'
	from /app/lib/analyzers/gemnasium.rb:37:in `execute'
	from /app/lib/analyze.rb:22:in `issues'
	from /app/lib/run.rb:10:in `initialize'
	from /app/bin/run:7:in `new'
	from /app/bin/run:7:in `<main>'
Edited by Fabio Busatto
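The log above shows why the scan breaks: the analyzer does not just read requirements.txt, it runs pip install, and pip tries to build cx_Oracle from source, which needs an Oracle client that the scanning image does not have. The empty gl-sast-gemnasium.json that results then trips the JSON::ParserError. As an added example (not GitLab's or gemnasium's code), the following script does the purely file-based analysis the report describes: it reads exact `==` pins out of a requirements file without downloading or building anything, and reports the entries (version ranges, editable VCS lines) whose exact version only a real pip resolution would reveal. The sample requirements text is constructed for this example; the cx-Oracle, psycopg2 and pymssql entries are the ones from the report.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample requirements.txt for this example. It includes the three
# entries from the report that pip cannot build without native client libraries,
# plus an unpinned range and an editable VCS entry that no static parser can pin.
SAMPLE_REQUIREMENTS = """\
# web stack
Werkzeug==0.12.1
numpy==1.13.3
cx-Oracle==5.3
psycopg2==2.6.2
pymssql==2.1.3
requests[security]>=2.18,<3  # a range, not an exact pin
six==1.11.0; python_version < "3.0"
-e git+https://example.invalid/repo.git#egg=internal-tool
"""


class Requirement(NamedTuple):
    name: str                # normalised project name, or the raw line for pip options
    version: Optional[str]   # exact version when pinned with a lone ==, else None
    raw: str                 # original line, kept for reporting


# project name, optional [extras], then whatever specifier text follows
_LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?:\[[^\]]*\])?"
    r"\s*(?P<spec>.*)$"
)


def normalise_name(name: str) -> str:
    """PEP 503 normalisation: lowercase, runs of '-', '_' or '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> List[Requirement]:
    """Statically read a requirements file; nothing is downloaded or built."""
    reqs: List[Requirement] = []
    for raw in text.splitlines():
        # pip treats '#' as a comment only at line start or after whitespace,
        # so the '#egg=' fragment of a VCS URL survives this strip.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        if line.startswith("-"):
            # pip options (-e, -r, --index-url, ...) are not package pins.
            reqs.append(Requirement(line, None, raw))
            continue
        # environment markers (after ';') do not change the pinned version
        line = line.split(";", 1)[0].strip()
        m = _LINE_RE.match(line)
        if not m:
            reqs.append(Requirement(line, None, raw))
            continue
        spec = m.group("spec").strip()
        # Only a lone '==X' (no wildcard, no extra clauses) is an exact pin.
        pin = re.fullmatch(r"==\s*([A-Za-z0-9.!+-]+)", spec)
        version = pin.group(1) if pin else None
        reqs.append(Requirement(normalise_name(m.group("name")), version, raw))
    return reqs


def pinned_versions(reqs: List[Requirement]) -> Dict[str, str]:
    """Entries a file-based scanner can look up without running pip."""
    return {r.name: r.version for r in reqs if r.version is not None}


def unresolvable(reqs: List[Requirement]) -> List[str]:
    """Entries whose exact version only a pip resolution would reveal."""
    return [r.name for r in reqs if r.version is None]


if __name__ == "__main__":
    parsed = parse_requirements(SAMPLE_REQUIREMENTS)
    for name, version in pinned_versions(parsed).items():
        print(f"pinned      {name}=={version}")
    for entry in unresolvable(parsed):
        print(f"unresolved  {entry}")
```

The trade-off is visible in the output: every exactly pinned package, including the three that need native libraries, is read without a build, while the `>=` range and the `-e` VCS line are flagged rather than guessed. A scanner that runs pip install gets exact versions for those too, at the cost of needing every build dependency present in the image, which is exactly the failure in the log.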