Dependency scanning for Python should support files other than just requirements.txt

Problem to solve

Our teams use requirements files that can be named like: build-requirements.txt, test-requirements.txt, docs-requirements.txt, py2-requirements.txt, requirements/production.txt, and so on. These seem to be impossible to scan with dependency scanning currently.

Further details

Proposal

Add a way to specify all the requirements files from a repo. Not sure how, exactly.

Implementation plan

  1. Update the gemnasium-python analyzer to read the PIP_REQUIREMENTS_FILE environment variable (name to be confirmed) and use the file it names as the source of dependencies to scan.
  2. Update the vendored template Dependency-Scanning.gitlab-ci.yml to pass this variable down from the job to the analyzer.
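As an added illustration (not gemnasium-python's own code), this sketch shows what step 1 amounts to on the analyzer side: pick the file named by PIP_REQUIREMENTS_FILE (a proposed name, not an existing one), fall back to requirements.txt, refuse a value that points outside the repository since it comes from CI configuration, and follow `-r` includes so a file like requirements/production.txt is scanned whole. The repository layout in demo() is constructed.

```python
import re
import tempfile
from pathlib import Path

DEFAULT_REQUIREMENTS = "requirements.txt"
# Minimal requirement-line grammar: name, optional [extras], optional version specifier.
_REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(?P<spec>[<>=!~].*)?$")


def select_requirements_file(env: dict, repo_root: Path) -> Path:
    """Return the file to scan: PIP_REQUIREMENTS_FILE if set, else requirements.txt."""
    root = repo_root.resolve()
    name = env.get("PIP_REQUIREMENTS_FILE") or DEFAULT_REQUIREMENTS
    path = (root / name).resolve()
    if not path.is_relative_to(root):  # the value is CI-controlled: keep it inside the repo
        raise ValueError(f"requirements file {name!r} is outside the repository")
    return path


def parse_requirements(path: Path, _seen=None) -> list[tuple[str, str]]:
    """Parse a pip requirements file into (name, specifier) pairs, following '-r file' includes."""
    _seen = _seen if _seen is not None else set()
    if path in _seen:  # guard against include cycles
        return []
    _seen.add(path)
    deps = []
    for raw in path.read_text().splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("-r "):  # nested file, relative to the including file
            deps.extend(parse_requirements((path.parent / line[3:].strip()).resolve(), _seen))
            continue
        m = _REQ_LINE.match(line)
        if m:
            deps.append((m.group("name").lower(), (m.group("spec") or "").replace(" ", "")))
    return deps


def demo() -> dict:
    """Constructed sample repo: a custom requirements file that pulls in a nested one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "requirements").mkdir()
        (root / "requirements" / "base.txt").write_text("requests~=2.0.0  # constructed pin\n")
        (root / "requirements" / "production.txt").write_text("-r base.txt\ngunicorn>=20\n")
        (root / "requirements.txt").write_text("flask\n")
        default = parse_requirements(select_requirements_file({}, root))
        custom_env = {"PIP_REQUIREMENTS_FILE": "requirements/production.txt"}
        custom = parse_requirements(select_requirements_file(custom_env, root))
        try:
            select_requirements_file({"PIP_REQUIREMENTS_FILE": "../outside.txt"}, root)
            rejected = False
        except ValueError:
            rejected = True
    return {"default": default, "custom": custom, "escape_rejected": rejected}
```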

Documentation

Testing

This can be tested against our python-pip test projects (there might be others too).

What does success look like, and how can we measure that?

A repo that installs requests=~2.0.0 as specified in any.txt should have a security issue reported by GitLab.

Links / references

Product

Edited by Igor Frenkel