Support Pipfile.lock in Dependency Scanning
Problem to solve
Add Pipfile.lock support to Dependency Scanning (Gemnasium analyzer), making it possible to scan Python projects whose dependencies cannot be installed in the context of the gemnasium-python Docker image.
Dependency Scanning is already compatible with Pipenv and can thus process the Pipfile of a Python project; this was introduced in gitlab-org/security-products/analyzers/gemnasium-python!6 (merged). But Pipenv compatibility is achieved by installing the project dependencies using pipenv, and the installation fails if gemnasium-python (the Docker image Gemnasium Python is based on) doesn't meet all the project requirements (system libraries, a specific version of Python, etc.). Later on, gitlab-org/security-products/analyzers/gemnasium-python!11 (merged) was introduced to mitigate this limitation, but it doesn't cover all the edge cases. cc @theoretick
- Add a Pipfile.lock parser to analyzers/gemnasium
- Ensure gemnasium-python ignores projects having a Pipfile.lock while still handling projects with a
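As an added example, not code from the Gemnasium analyzer, the following Python sketch shows what a Pipfile.lock parser gives the scanner: pinned name/version pairs and hashes read straight from the lock file, without running pipenv or installing anything. The sample lock file, package names and hash values are constructed for illustration.

```python
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample Pipfile.lock (not from a real project), trimmed to the
# fields a dependency scanner needs. "mytool" is a git dependency with no
# "==" pin, the kind of entry that cannot be matched against an advisory.
SAMPLE_PIPFILE_LOCK = """
{
  "_meta": {"hash": {"sha256": "0000000000000000000000000000000000000000000000000000000000000000"},
            "pipfile-spec": 6,
            "sources": [{"name": "pypi", "url": "https://pypi.org/simple", "verify_ssl": true}]},
  "default": {
    "requests": {"version": "==2.25.1", "hashes": ["sha256:aaaa", "sha256:bbbb"]},
    "urllib3": {"version": "==1.26.4", "hashes": ["sha256:cccc"]}
  },
  "develop": {
    "pytest": {"version": "==6.2.3", "hashes": ["sha256:dddd"]},
    "mytool": {"git": "https://example.invalid/mytool.git", "ref": "abc123"}
  }
}
"""

@dataclass
class LockedPackage:
    name: str
    version: Optional[str]   # None when the entry is not a pinned release (e.g. a git ref)
    group: str               # "default" (runtime) or "develop" (dev-only)
    hashes: List[str] = field(default_factory=list)

def parse_pipfile_lock(text: str) -> List[LockedPackage]:
    """Return every package in the lock file without installing anything.

    Pipfile.lock pins releases as "==X.Y.Z"; the leading "==" is stripped so the
    result can be compared against advisory version ranges.
    """
    data = json.loads(text)
    if data.get("_meta", {}).get("pipfile-spec") != 6:
        raise ValueError("unsupported or missing pipfile-spec")
    packages = []
    for group in ("default", "develop"):
        for name, spec in data.get(group, {}).items():
            raw = spec.get("version")
            version = raw[2:] if raw and raw.startswith("==") else None
            packages.append(LockedPackage(name, version, group, list(spec.get("hashes", []))))
    return packages

def unpinned(packages: List[LockedPackage]) -> List[str]:
    """Names of entries the scanner cannot match to an advisory: no exact "==" version."""
    return [p.name for p in packages if p.version is None]
```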
What does success look like, and how can we measure that?
Less failing DS jobs for Python projects, more Python projects being scanned.
Links / references
- Pipfile.lock parser to gemnasium #33227 (closed)
- Ensure gemnasium-python ignores projects with
- Introduce parser to orchestrator https://gitlab.com/gitlab-org/security-products/dependency-scanning