Skip to content

Fix scan failure when poetry project depends on setuptools or pip

Olivier Gonzalezrequested to merge
fix_missing_builtin_python_dependencies_in_poetry_lock into main

What does this MR do and why?

When a poetry.lock file is parsed, we loop through all declared dependencies and look for the [[package]] section that matches the referenced package.

Though, it appears that in some cases there is no such [[package]] entry for a declared dependency. This happens for instance for some built-in packages like setuptools and pip. See details in this discussion: gitlab-org/gitlab#570326 (comment 2752754181)

To address this and prevent the scan to fail, we now skip the error and continue when encountering this situation for setuptools and pip packages.

Related issues

DS analyzer fails for poetry.lock when referenc... (gitlab-org/gitlab#570326 - closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before After

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

Edited by Olivier Gonzalez

Merge request reports