Recognize and support pip lock files in Dependency Scanning
Problem to solve
Follow-up issue of #33034 (closed). Dependency Scanning currently requires installing all dependencies of a Python project in order to build the dependency tree. This causes a lot of issues with regard to Python environments.
Intended users
Further details
See #33034 (closed) for details and discussions.
Proposal
We agreed in #33034 (comment 225887240) to detect and support lock files, and let users specify the name of the files if needed. That way, we don't need to inject gemnasium-python. To recap the decision:
Dependency Scanning will recognize multiple names out of the box, like requirements.lock and requirements-lock.txt, to be complemented or overridden with PYTHON_DEPENDENCY_LOCK_FILES - a comma-separated list of names. We can also name it PIP_FREEZE_FILES, or PIP_LOCK_FILES.
TO BE DECIDED.
When present, these files will be parsed directly, without the need to install any python dependency.
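As an added illustration of the proposed behaviour (this is not code from the issue, from gemnasium-python or from GitLab), the snippet below shows how a scanner can resolve the list of lock file names (defaults complemented or overridden by PYTHON_DEPENDENCY_LOCK_FILES, one of the candidate names above) and parse a pip-freeze style file directly, without installing anything. It assumes the comma-separated env var semantics described in the proposal, and it refuses lines that are not exact `==` pins, because a non-pinned line means the file is not a lock file and the versions reported would not be the versions actually installed. Editable and direct-URL references that `pip freeze` can emit are set aside rather than silently dropped. The sample content is constructed for the example.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Default names from the proposal; the env var complements or overrides them.
DEFAULT_LOCK_FILE_NAMES = ("requirements.lock", "requirements-lock.txt")
# Assumption: the env var keeps the first of the proposed names.
LOCK_FILES_ENV_VAR = "PYTHON_DEPENDENCY_LOCK_FILES"

# `pip freeze` emits exact pins: name==version, optionally with extras
# ("name[extra]==1.0"), an environment marker after ";" and a trailing comment.
_PINNED_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*(?P<version>[^\s;#]+)"
)


@dataclass(frozen=True)
class Dependency:
    name: str      # PEP 503 normalized project name
    version: str   # exact pinned version


@dataclass
class ParseResult:
    dependencies: List[Dependency] = field(default_factory=list)
    # Editable (-e ...) or direct references (name @ url): no registry version
    # to match against advisories, so they are reported separately.
    direct_references: List[str] = field(default_factory=list)


def lock_file_names(env: Optional[Dict[str, str]] = None) -> List[str]:
    """Names to look for: the env var's comma-separated list if set, else defaults."""
    env = os.environ if env is None else env
    raw = env.get(LOCK_FILES_ENV_VAR, "")
    names = [n.strip() for n in raw.split(",") if n.strip()]
    return names or list(DEFAULT_LOCK_FILE_NAMES)


def find_lock_file(project_dir: str, env: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Return the path of the first configured lock file present in project_dir."""
    for name in lock_file_names(env):
        path = os.path.join(project_dir, name)
        if os.path.isfile(path):
            return path
    return None


def normalize_name(name: str) -> str:
    """PEP 503 normalization so 'Flask_Login' and 'flask-login' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_lock_lines(lines: Iterable[str]) -> ParseResult:
    """Parse pip-freeze style lines; raise ValueError on any line that is not an exact pin."""
    result = ParseResult()
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-e ") or " @ " in line:
            result.direct_references.append(line)
            continue
        m = _PINNED_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno} is not an exact pin: {line!r}")
        result.dependencies.append(Dependency(normalize_name(m.group("name")), m.group("version")))
    return result


def parse_lock_text(text: str) -> ParseResult:
    return parse_lock_lines(text.splitlines())


def is_lock_file_text(text: str) -> bool:
    """True when every requirement line is exactly pinned (i.e. usable as a lock file)."""
    try:
        parse_lock_text(text)
    except ValueError:
        return False
    return True


# Constructed sample of `pip freeze` output; not taken from any real project.
SAMPLE_LOCK = """\
# constructed sample
Flask==2.0.3
itsdangerous==2.1.2
Jinja2==3.0.3 ; python_version >= "3.6"
MarkupSafe==2.1.1  # pinned transitively
-e git+https://example.invalid/acme/internal-lib.git@abc123#egg=internal_lib
"""

if __name__ == "__main__":
    parsed = parse_lock_text(SAMPLE_LOCK)
    for dep in parsed.dependencies:
        print(f"{dep.name} {dep.version}")
    for ref in parsed.direct_references:
        print(f"skipped direct reference: {ref}")
```

The strictness matters for scanning accuracy: a file containing `requests>=2.0` is a requirements file, not a lock file, and scanning it would attach advisories to a version range rather than to what is deployed; surfacing that as an error lets the user point PYTHON_DEPENDENCY_LOCK_FILES at the real `pip freeze` output instead.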
Permissions and Security
N/A
Documentation
https://docs.gitlab.com/ee/user/project/merge_requests/dependency_scanning.html will be updated to document this behavior.
Testing
TODO
What does success look like, and how can we measure that?
More Python projects supported out of the box. More flexibility for users.
What is the type of buyer?
Links / references
/cc @NicoleSchwartz and @gonzoyumo for prioritization /cc @fcatteau