Consider replacing pipdeptree in gemnasium-python
gemnasium-python, our dependency-scanning analyzer for Python, requires installing the project's packages so that pipdeptree can be run to produce a dependency tree as a JSON report.
While this works in many cases, and without any configuration from the user, it also introduces some issues. Some packages require a specific environment to be installed: a specific version of Python, or some system libraries. In the end, Dependency Scanning in real-world projects often fails because we can't predict these environments.
The exact same issue occurs in License Compliance, because packages are always installed, even if this was already done in a previous job that passed and whose results were passed as artifacts.
Nevertheless, we need better Python support in Dependency Scanning, and we can consider several improvements:
- Detect if packages are already installed, and skip this step
- Get rid of pipdeptree and create the tree ourselves just by downloading the packages
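To illustrate the second idea, here is an added example (not gemnasium-python code) that builds a pipdeptree-like tree from the `METADATA` files of downloaded wheels alone, without installing anything; the metadata texts are constructed stand-ins for what a downloader such as `pip download` would fetch, and the `Requires-Dist` parsing is a deliberately small subset of the core-metadata grammar.

```python
"""Build a pipdeptree-style dependency tree from wheel METADATA files alone,
without installing anything.  Added example: the METADATA texts below are
constructed stand-ins for downloaded wheels, not real packages."""
import re
from email.parser import Parser

# Constructed core-metadata files keyed by normalised project name.
METADATA = {
    "webapp": "Metadata-Version: 2.1\nName: webapp\nVersion: 1.0.0\n"
              "Requires-Dist: requests (>=2.0)\n"
              "Requires-Dist: pytest ; extra == 'test'\n",
    "requests": "Metadata-Version: 2.1\nName: requests\nVersion: 2.31.0\n"
                "Requires-Dist: urllib3 (<3,>=1.21.1)\n"
                "Requires-Dist: charset_normalizer (<4,>=2)\n"
                "Requires-Dist: PySocks (!=1.5.7,>=1.5.6) ; extra == 'socks'\n",
    "urllib3": "Metadata-Version: 2.1\nName: urllib3\nVersion: 2.0.7\n",
}

def normalize(name):
    """PEP 503 normalisation so 'Charset_Normalizer' and 'charset-normalizer' match."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirement(value):
    """Split a Requires-Dist value into (normalised name, version specifier, marker)."""
    req, _, marker = value.partition(";")
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)", req)
    return normalize(m.group(1)), m.group(2).strip().strip("()"), marker.strip()

def build_tree(key, metadata, required=None, ancestors=frozenset()):
    """Recursive tree node.  Extras are skipped; other environment markers are kept
    verbatim because they can only be evaluated against the target environment."""
    meta = Parser().parsestr(metadata[key])
    node = {"key": key, "package_name": meta["Name"], "version": meta["Version"],
            "required_version": required or "Any", "dependencies": []}
    ancestors = ancestors | {key}
    for value in meta.get_all("Requires-Dist", []):
        name, spec, marker = parse_requirement(value)
        if re.search(r"\bextra\b", marker):
            continue  # optional extra, not pulled in by a plain install
        if name in ancestors:
            node["dependencies"].append({"key": name, "required_version": spec or "Any", "cycle": True})
        elif name in metadata:
            child = build_tree(name, metadata, spec, ancestors)
            if marker:
                child["marker"] = marker
            node["dependencies"].append(child)
        else:  # distribution was not downloaded: report it instead of failing the scan
            node["dependencies"].append({"key": name, "required_version": spec or "Any", "missing": True})
    return node

if __name__ == "__main__":
    import json
    print(json.dumps(build_tree("webapp", METADATA), indent=2))
```

Because nothing is installed, a package whose wheel could not be fetched shows up as `missing` in the tree rather than aborting the whole job.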
Other ideas are welcome.