Pipfile.lock support for Dependency Scanning

Problem to solve

Dependency Scanning for Python (gemnasium-python) supports pipenv via Pipfile, but the exact package versions pinned in Pipfile.lock are ignored. As a result, the dependency list might be inaccurate (it reflects whatever versions resolve from the Pipfile ranges at scan time rather than what the project actually ships), and vulnerabilities in the locked versions might not be reported.

See #299294 for native support of Pipfile.lock, without using pipenv and without installing any project dependency.

Proposal

Support Pipfile.lock via pipenv, or make sure this is already supported.

Further details

gemnasium-python runs pipenv graph --json to export the dependency graph as a JSON document. This JSON doc is similar to the one pipdeptree creates. pipenv graph only reports packages that are already installed, so the project dependencies have to be installed first, and that install step might fail if the packages require a specific version of Python, or specific system libraries.

What does success look like, and how can we measure that?

Dependency Scanning accurately lists and scans the package versions pinned in Pipfile.lock, and not the highest version allowed by the ranges in Pipfile.
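One way to measure this, as an added example rather than code from gemnasium-python: parse the pins in Pipfile.lock, parse the graph that pipenv graph --json emits (the same shape as pipdeptree --json), and report every locked package that is missing from the graph or present at a different version. Both inputs below are constructed samples shaped like real pipenv output; the function names are this example's own.

```python
"""Compare Pipfile.lock pins against a `pipenv graph --json` export.

Added example, not part of gemnasium-python. The lockfile and graph
documents below are constructed samples; a real check would read
Pipfile.lock from disk and capture the analyzer's pipenv graph output.
"""
import json

# Constructed Pipfile.lock: requests is pinned to 2.25.0, urllib3 to 1.26.2.
PIPFILE_LOCK = json.dumps({
    "_meta": {"hash": {"sha256": "constructed"}, "pipfile-spec": 6},
    "default": {
        "requests": {"index": "pypi", "version": "==2.25.0"},
        "urllib3": {"index": "pypi", "version": "==1.26.2"},
    },
    "develop": {},
})

# Constructed `pipenv graph --json` output: requests resolved to the highest
# version in the Pipfile range (2.25.1), i.e. the lock was not honoured.
GRAPH_JSON = json.dumps([
    {
        "package": {"key": "requests", "package_name": "requests",
                    "installed_version": "2.25.1"},
        "dependencies": [
            {"key": "urllib3", "package_name": "urllib3",
             "installed_version": "1.26.2", "required_version": ">=1.21.1,<1.27"},
        ],
    },
    {
        "package": {"key": "urllib3", "package_name": "urllib3",
                    "installed_version": "1.26.2"},
        "dependencies": [],
    },
])


def locked_versions(lockfile_text, sections=("default", "develop")):
    """Map normalised package name -> version pinned in Pipfile.lock."""
    lock = json.loads(lockfile_text)
    pinned = {}
    for section in sections:
        for name, spec in lock.get(section, {}).items():
            version = spec.get("version", "")
            if version.startswith("=="):          # Pipfile.lock always pins with ==
                pinned[name.lower()] = version[2:]
    return pinned


def graph_versions(graph_text):
    """Map normalised package name -> installed version from pipenv graph --json."""
    installed = {}
    for node in json.loads(graph_text):
        pkg = node["package"]
        installed[pkg["key"].lower()] = pkg["installed_version"]
        # Child entries carry the installed version too; keep them in case a
        # package only shows up as someone's dependency.
        for dep in node.get("dependencies", []):
            installed.setdefault(dep["key"].lower(), dep["installed_version"])
    return installed


def find_drift(pinned, installed):
    """Return (name, locked, installed) for every locked package that is
    absent from the graph or reported at a version other than the pin."""
    drift = []
    for name, locked in sorted(pinned.items()):
        actual = installed.get(name)
        if actual != locked:
            drift.append((name, locked, actual))
    return drift


def check(lockfile_text, graph_text):
    """Convenience wrapper: True when the graph matches the lockfile exactly."""
    return not find_drift(locked_versions(lockfile_text), graph_versions(graph_text))


if __name__ == "__main__":
    for name, locked, actual in find_drift(locked_versions(PIPFILE_LOCK),
                                           graph_versions(GRAPH_JSON)):
        print(f"{name}: Pipfile.lock pins {locked}, graph reports {actual}")
```

Run against the constructed inputs it flags requests (pinned 2.25.0, graph reports 2.25.1); an analyzer that honours Pipfile.lock would produce an empty drift list, which is the pass condition for the QA job.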

Links / references

Implementation plan

  • Add branch to the pipenv test project, to prove Pipfile.lock support; see https://gitlab.com/gitlab-org/security-products/tests/python-pipenv/-/commits/pipfile-lock-FREEZE
  • Add QA job to gemnasium-python to test Pipfile.lock support; see gitlab-org/security-products/analyzers/gemnasium-python!86 (merged)
  • Update user docs; see !51445 (merged)

Product Management - @NicoleSchwartz

  • Release Post

cc @NicoleSchwartz @gonzoyumo @plafoucriere

Edited Jan 20, 2021 by Fabien Catteau