poetry.lock support for Dependency Scanning
Problem to solve
Add Python Poetry support to Dependency Scanning: parse and process Poetry lock files.
See #32774 for supporting Poetry projects having no lock file.
Poetry is a package manager and build tool for Python that is arguably better than pip alone. It generates
poetry.lock, a lock file that records the exact, resolved version of every package a Python project depends on, transitive dependencies included. Dependency Scanning should leverage this lock file to detect and report vulnerable dependencies.
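To make the parsing step concrete, the following is an added example of a minimal poetry.lock reader, written here for illustration and not taken from gemnasium or any GitLab analyzer. It assumes the Poetry 1.x lock layout: one `[[package]]` table per resolved package with flat `name`, `version` and `category` keys, followed by sub-tables such as `[package.dependencies]` and a trailing `[metadata]` table. The lock file content, the `ParsePoetryLock` and `RuntimeOnly` functions and the `Package` type are all constructed for this example. The parser only reads the flat key/value lines of each package table, so it does not need a full TOML library, and it refuses a lock file in which a package lacks a name or pinned version, since such an entry cannot be matched against advisories.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Package is one [[package]] entry from a poetry.lock file.
type Package struct {
	Name     string
	Version  string
	Category string // "main" (runtime) or "dev" in Poetry 1.x lock files; empty if absent
}

// sampleLock is a constructed poetry.lock fragment, not taken from any real project.
const sampleLock = `# This file is automatically @generated by Poetry and should not be changed by hand.

[[package]]
name = "requests"
version = "2.20.0"
description = "Python HTTP for Humans."
category = "main"
optional = false
python-versions = ">=2.7, !=3.0.*, !=3.1.*"

[package.dependencies]
urllib3 = ">=1.21.1,<1.25"

[[package]]
name = "urllib3"
version = "1.24.1"
category = "main"
optional = false

[[package]]
name = "pytest"
version = "4.6.0"
category = "dev"
optional = false

[metadata]
lock-version = "1.0"
python-versions = "^3.7"
content-hash = "0000"
`

// unquote strips the surrounding double quotes from a TOML basic string value.
func unquote(v string) string {
	v = strings.TrimSpace(v)
	if len(v) >= 2 && v[0] == '"' && v[len(v)-1] == '"' {
		return v[1 : len(v)-1]
	}
	return v
}

// ParsePoetryLock walks the file line by line and collects the name, version and
// category of every [[package]] table. Only the flat key = "value" lines of that
// table are read; sub-tables ([package.dependencies], [package.extras]) and the
// trailing [metadata] table are skipped.
func ParsePoetryLock(content string) ([]Package, error) {
	var pkgs []Package
	inPackage := false // true while inside the flat part of a [[package]] table

	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if line == "[[package]]" {
			pkgs = append(pkgs, Package{})
			inPackage = true
			continue
		}
		if strings.HasPrefix(line, "[") {
			// Any other table header ends the flat section of the current package.
			inPackage = false
			continue
		}
		if !inPackage {
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("malformed line in [[package]] table: %q", line)
		}
		// Take the address fresh on every line: a pointer held across the append
		// above could go stale when the slice reallocates.
		cur := &pkgs[len(pkgs)-1]
		switch strings.TrimSpace(kv[0]) {
		case "name":
			cur.Name = unquote(kv[1])
		case "version":
			cur.Version = unquote(kv[1])
		case "category":
			cur.Category = unquote(kv[1])
		}
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	// A package without a name or a pinned version cannot be matched against advisories.
	for i, p := range pkgs {
		if p.Name == "" || p.Version == "" {
			return nil, fmt.Errorf("package #%d is missing name or version", i+1)
		}
	}
	return pkgs, nil
}

// RuntimeOnly drops packages locked in the "dev" category, which is what a scanner
// would do if it only reports dependencies shipped with the application.
func RuntimeOnly(pkgs []Package) []Package {
	var out []Package
	for _, p := range pkgs {
		if p.Category != "dev" {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	pkgs, err := ParsePoetryLock(sampleLock)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, p := range RuntimeOnly(pkgs) {
		fmt.Printf("%s %s (%s)\n", p.Name, p.Version, p.Category)
	}
}
```

Whether dev-category packages should be reported is a policy decision for the scanner; `RuntimeOnly` shows the filter so that it is an explicit choice rather than an accident of the parser. Newer Poetry releases omit the `category` key entirely, in which case the field stays empty and the filter keeps the package.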
- add a poetry.lock parser to gemnasium; see gitlab-org/security-products/analyzers/gemnasium!66 (merged)
- create the python-poetry test project
- integrate the poetry.lock parser into gemnasium-python, and use the python-poetry test project for QA
- update the Dependency Scanning documentation
Availability & Testing
- re-enable the test project so that it is triggered by the orchestrator. See details here.
What does success look like, and how can we measure that?
The Dependency Scanning CI job successfully processes Poetry projects that have a lock file instead of failing with an "unsupported language or manager" error.