poetry.lock support for Dependency Scanning
Problem to solve
Add Python Poetry support to Dependency Scanning: parse and process Poetry lock files.
See #32774 for supporting Poetry projects having no lock file.
Poetry is a package manager and builder for Python, which is arguably better than pure pip. It generates
poetry.lock, a lock file that records the exact, resolved version of every package (direct and transitive) a Python project depends on. Dependency Scanning should leverage this lock file to detect and report vulnerable dependencies: because the versions are pinned exactly, each name/version pair can be matched against advisories without resolving version ranges.
- update analyzers/gemnasium, see gitlab-org/security-products/analyzers/gemnasium!23 (diffs)
  - add a parser for poetry.lock (see sample file)
  - update CI config to trigger QA job in test project
- add a parser for
- update the gemnasium dependency to make
- update the
- create python-poetry test project
- update Dependency Scanning documentation
Warning! When a poetry.lock is present, gemnasium-python should not also parse
*.egg/requires.txt. That file is automatically generated by Poetry and is redundant with
poetry.lock: parsing both would report the same dependencies twice, and requires.txt carries loose version specifiers rather than the exact versions the lock file resolved. See #7006 (comment 226664512)
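The two pieces the task list and the warning above describe, as an added example that is not gemnasium's or gemnasium-python's own code: a parser that turns the `[[package]]` tables of a poetry.lock into name/version pairs (keeping the `category` so dev dependencies can be filtered), and an input-selection rule that drops any `requires.txt` whenever a poetry.lock is present. The sample lock file is constructed, the function names are assumptions, and the line-oriented parser only covers the TOML subset a lock file uses; on Python 3.11+ a real implementation would use the standard-library `tomllib` instead.

```python
from __future__ import annotations

import os
import re
from dataclasses import dataclass, field

# Constructed sample poetry.lock (package names and versions are illustrative).
SAMPLE_LOCK = """\
[[package]]
name = "requests"
version = "2.22.0"
category = "main"

[package.dependencies]
certifi = ">=2017.4.17"
urllib3 = ">=1.21.1,<1.25.0 || >1.25.0,<1.25.1 || >1.25.1,<1.26"

[package.extras]
socks = ["PySocks (>=1.5.6,!=1.5.7)"]

[[package]]
name = "urllib3"
version = "1.25.3"
category = "main"

[[package]]
name = "pytest"
version = "5.1.2"
category = "dev"

[metadata]
content-hash = "constructed-placeholder"
"""

@dataclass
class LockedPackage:
    name: str
    version: str                      # exact version Poetry resolved
    category: str = "main"            # "main" or "dev"
    dependencies: dict[str, str] = field(default_factory=dict)  # name -> constraint

_TABLE_RE = re.compile(r"^\[\[?([A-Za-z0-9_.-]+)\]\]?$")   # [metadata] or [[package]]
_KV_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*=\s*(.*)$")     # key = value

def _value(raw: str):
    # Only booleans and quoted strings matter here; arrays pass through untouched.
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    return raw

def parse_poetry_lock(text: str) -> list[LockedPackage]:
    packages: list[LockedPackage] = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _TABLE_RE.match(line)
        if m:
            section = m.group(1)
            if line.startswith("[[package]]"):       # a new locked package begins
                packages.append(LockedPackage(name="", version=""))
            continue
        m = _KV_RE.match(line)
        if not m or not packages:                   # keys before any [[package]]
            continue
        key, value = m.group(1), _value(m.group(2).strip())
        pkg = packages[-1]
        if section == "package":
            if key == "name":
                pkg.name = value
            elif key == "version":
                pkg.version = value
            elif key == "category":
                pkg.category = value
        elif section == "package.dependencies":
            pkg.dependencies[key] = value
        # [package.extras] and [metadata*] carry nothing an advisory lookup needs.
    if any(not p.name or not p.version for p in packages):
        raise ValueError("poetry.lock: [[package]] entry without name or version")
    return packages

def locked_versions(text: str, include_dev: bool = True) -> dict[str, str]:
    """name -> pinned version: the pairs that get matched against advisories."""
    return {p.name: p.version for p in parse_poetry_lock(text)
            if include_dev or p.category != "dev"}

def select_inputs(paths: list[str]) -> list[str]:
    """When poetry.lock is present, skip every requires.txt: it duplicates the
    lock file and would double-report or contradict its pinned versions."""
    names = {os.path.basename(p) for p in paths}
    if "poetry.lock" in names:
        return [p for p in paths if os.path.basename(p) != "requires.txt"]
    return list(paths)
```

`select_inputs` matches on the file name alone, so a `requires.txt` in any egg-info directory is dropped once a lock file exists; without a lock file the inputs are passed through unchanged and the existing setup.py path keeps working. A malformed `[[package]]` entry is rejected rather than silently yielding an empty name or version, which would otherwise turn into a false negative in the report.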
What does success look like, and how can we measure that?
The Dependency Scanning CI job successfully processes Poetry projects that have a lock file, instead of failing with an "unsupported language or manager" error.