poetry.lock support for Dependency Scanning
Issue is currently blocked. See comment
Problem to solve
Add Python Poetry support to Dependency Scanning, parse and process Poetry lock files.
See #32774 for supporting Poetry projects having no lock file.
Further details
Poetry is a package manager and builder for Python, which is arguably better than pure pip. It generates poetry.lock, a lock file that gives the full, accurate list of the package versions a Python project depends on. Dependency Scanning should leverage this lock file to detect and report vulnerable dependencies.
Proposal
-
add
poetry.lockparser to gemnasium; see gitlab-org/security-products/analyzers/gemnasium!66 (merged) - create python-poetry test project
-
integrate the
poetry.lockparser into gemnasium-python, and leverage the python-poetry project for QA - update Dependency Scanning documentation
What does success look like, and how can we measure that?
Dependency Scanning CI job successfully process Poetry projects having a lock file instead of failing with "unsupported language or manager" error.