poetry.lock support for Dependency Scanning
Problem to solve
Add Python Poetry support to Dependency Scanning: parse and process Poetry lock files.
See #32774 for supporting Poetry projects having no lock file.
Poetry is a dependency manager and build tool for Python that offers what plain pip lacks: a dependency resolver and a lock file. It generates
poetry.lock, a lock file that records the exact version of every package (direct and transitive) a Python project depends on. Dependency Scanning should leverage this lock file to detect and report vulnerable dependencies: pinned versions can be matched against advisories directly, without re-resolving the project.
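As an added illustration of what the analyzer needs from the lock file (example code written for this issue, not gemnasium's own parser and not code from the project), the following Python script walks the `[[package]]` tables of a constructed poetry.lock, records each pinned name, version and category together with its `[package.dependencies]` constraints, and then matches the pins against a constructed advisory list. `SAMPLE_LOCK`, `SAMPLE_ADVISORIES`, the `EXAMPLE-*` ids, the placeholder hash and the simplified version ordering in `version_key` are all assumptions made for the example; a production scanner would use a full TOML parser and PEP 440 version comparison.

```python
"""Added example: minimal poetry.lock reader plus advisory matching; not gemnasium code.
Handles only the TOML subset used by [[package]] entries; multi-line arrays are skipped.
SAMPLE_LOCK and SAMPLE_ADVISORIES are constructed data with fictitious ids and hashes."""
import re
from dataclasses import dataclass, field

SAMPLE_LOCK = '''\
[[package]]
name = "requests"
version = "2.19.1"
category = "main"
[package.dependencies]
urllib3 = ">=1.21.1,<1.24"
[[package]]
name = "urllib3"
version = "1.23"
category = "main"
[[package]]
name = "pytest"
version = "4.6.3"
category = "dev"
[metadata]
content-hash = "constructed-placeholder"
[metadata.files]
pytest = [
    {file = "pytest-4.6.3-py2.py3-none-any.whl", hash = "sha256:placeholder"},
]
'''

SAMPLE_ADVISORIES = [  # affected range is [introduced, fixed)
    {"id": "EXAMPLE-0001", "package": "urllib3", "introduced": "1.0", "fixed": "1.24"},
    {"id": "EXAMPLE-0002", "package": "requests", "introduced": "2.0", "fixed": "2.20.0"},
    {"id": "EXAMPLE-0003", "package": "pytest", "introduced": "5.0", "fixed": "5.1.0"},
]

PACKAGE_HEADER = "[[package]]"
TABLE_RE = re.compile(r"^\[([^\[\]]+)\]$")            # [metadata], [package.dependencies]
KV_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*=\s*(.+)$")  # key = value

@dataclass
class LockedPackage:
    name: str = ""
    version: str = ""
    category: str = "main"
    dependencies: dict = field(default_factory=dict)   # dep name -> raw constraint

def toml_string(raw):  # strip the quotes of a basic TOML string, else return as-is
    raw = raw.strip()
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw

def parse_poetry_lock(text):
    """Return the LockedPackage entries pinned in a poetry.lock document."""
    packages, current, section = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line == PACKAGE_HEADER:                  # start of a new entry
            current = LockedPackage()
            packages.append(current)
            section = "package"
            continue
        table = TABLE_RE.match(line)
        if table:
            section = table.group(1).strip()
            if current is None or not section.startswith("package."):
                current = section = None            # [metadata] etc. end the entry
            continue
        kv = KV_RE.match(line)
        if current is None or not kv:               # blanks, array bodies, metadata
            continue
        key, raw = kv.group(1), toml_string(kv.group(2))
        if section == "package" and key in ("name", "version", "category"):
            setattr(current, key, raw.lower() if key == "name" else raw)
        elif section == "package.dependencies":
            current.dependencies[key.lower()] = raw
    if any(not p.name or not p.version for p in packages):
        raise ValueError("poetry.lock entry without name/version")
    return packages

def version_key(version):  # simplified: numeric release segments, trailing zeros dropped
    parts = []
    for piece in re.split(r"[.+-]", version):
        digits = re.match(r"\d+", piece)
        if not digits:                              # pre-release/local suffix: stop
            break
        parts.append(int(digits.group()))
    while parts and parts[-1] == 0: parts.pop()     # so that 2.20 == 2.20.0
    return tuple(parts)

def find_vulnerable(packages, advisories):
    """Report (advisory id, name, pinned version, fixed version) for affected pins."""
    by_name = {p.name: p for p in packages}
    findings = []
    for adv in advisories:
        pkg = by_name.get(adv["package"].lower())
        if pkg and (version_key(adv["introduced"]) <= version_key(pkg.version)
                    < version_key(adv["fixed"])):
            findings.append((adv["id"], pkg.name, pkg.version, adv["fixed"]))
    return findings
```

Run against the constructed data, `find_vulnerable(parse_poetry_lock(SAMPLE_LOCK), SAMPLE_ADVISORIES)` flags `urllib3 1.23` and `requests 2.19.1` and leaves `pytest 4.6.3` alone, since its pin is below the advisory's introduced version; the `[metadata.files]` array shows why the parser must stop collecting keys once it leaves a `[[package]]` entry.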
- add a poetry.lock parser to gemnasium; see gitlab-org/security-products/analyzers/gemnasium!66 (merged)
- create python-poetry test project
- add the poetry.lock parser to gemnasium-python, and leverage the python-poetry project for QA
- update Dependency Scanning documentation
What does success look like, and how can we measure that?
The Dependency Scanning CI job successfully processes Poetry projects that have a lock file, instead of failing with the "unsupported language or manager" error.