Add Pipfile.lock support
What does this MR do?
Enable file parser for Pipfile.lock
Backward compatibility is maintained, and gemnasium-python is still able to scan a Pipenv project that has no lock file.
Warning! This change has two significant side-effects:
- The `location` of the vulnerabilities changes. See the diff in the failing QA job. Vulnerability feedback will be lost.
- The report contains the normalized names of the dependencies (those stored in `Pipfile.lock`), and not the canonical names. This affects the Dependency List but not dependency scanning itself.
Users can delete `Pipfile.lock` prior to running the scan (in the `before_script`) to restore the previous behavior. In the future, they might be able to achieve the same using `DS_EXCLUDED_PATHS`, after implementing gitlab-org/gitlab#292457 (closed).
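An added example, not code from this MR or from gemnasium-python itself: a minimal Go parser that reads a constructed Pipfile.lock, returns each pinned dependency with its group, and shows why the names in the lock file differ from the canonical project names. It assumes Pipfile.lock stores PEP 503-normalized names (lowercase, with runs of `-`, `_` and `.` collapsed to a single `-`), which is how Pipenv writes it; the sample lock content, the `Dependency` type and the function names are the example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Dependency is one locked package as recorded in Pipfile.lock.
type Dependency struct {
	Name    string // name exactly as stored in the lock file (already normalized by Pipenv)
	Version string // pinned version with the leading "==" removed, e.g. "5.4"
	Group   string // "default" or "develop"
}

// lockEntry mirrors the per-package object in Pipfile.lock. Only "version"
// is declared; hashes, markers and index are ignored. VCS or editable
// entries have no "version", so Version stays empty for them.
type lockEntry struct {
	Version string `json:"version"`
}

// pipfileLock mirrors the top-level structure of Pipfile.lock.
type pipfileLock struct {
	Default map[string]lockEntry `json:"default"`
	Develop map[string]lockEntry `json:"develop"`
}

var normalizeRe = regexp.MustCompile(`[-_.]+`)

// NormalizeName applies PEP 503 name normalization (assumption: this is the
// form Pipenv writes into Pipfile.lock): lowercase, and collapse runs of
// '-', '_' and '.' into one '-'. A name read from the lock file should be a
// fixed point of this function; the canonical name (e.g. "PyYAML") is not.
func NormalizeName(name string) string {
	return strings.ToLower(normalizeRe.ReplaceAllString(name, "-"))
}

// ParsePipfileLock decodes Pipfile.lock bytes into a list of dependencies
// sorted by group and then by name, so the output is deterministic.
func ParsePipfileLock(data []byte) ([]Dependency, error) {
	var lock pipfileLock
	if err := json.Unmarshal(data, &lock); err != nil {
		return nil, fmt.Errorf("Pipfile.lock: %w", err)
	}
	var deps []Dependency
	collect := func(group string, entries map[string]lockEntry) {
		for name, e := range entries {
			deps = append(deps, Dependency{
				Name:    name,
				Version: strings.TrimPrefix(e.Version, "=="),
				Group:   group,
			})
		}
	}
	collect("default", lock.Default)
	collect("develop", lock.Develop)
	sort.Slice(deps, func(i, j int) bool {
		if deps[i].Group != deps[j].Group {
			return deps[i].Group < deps[j].Group
		}
		return deps[i].Name < deps[j].Name
	})
	return deps, nil
}

// SampleLock is a constructed, abridged Pipfile.lock for the demo; the hash
// values are placeholders, not real digests.
const SampleLock = `{
  "_meta": {"hash": {"sha256": "placeholder"}, "pipfile-spec": 6},
  "default": {
    "markupsafe": {"hashes": ["sha256:placeholder"], "version": "==1.1.1"},
    "pyyaml": {"hashes": ["sha256:placeholder"], "version": "==5.4"}
  },
  "develop": {
    "pytest": {"hashes": ["sha256:placeholder"], "version": "==6.2.2"}
  }
}`

func main() {
	deps, err := ParsePipfileLock([]byte(SampleLock))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, d := range deps {
		fmt.Printf("%-8s %-12s %s\n", d.Group, d.Name, d.Version)
	}
	// The canonical project name "PyYAML" normalizes to the key found in the lock file.
	fmt.Println(NormalizeName("PyYAML") == "pyyaml")
}
```

The point of `NormalizeName` is the second side-effect listed above: a consumer that matches report entries against canonical project names (such as a Dependency List) must normalize both sides before comparing, because the lock file only ever carries the normalized form.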
What are the relevant issue numbers?
gitlab-org/gitlab#11756 (closed)
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary - covered by issue gitlab-org/gitlab#11756 (closed)
- [-] Documentation created/updated for this project, if necessary
- [-] Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary - covered by issue gitlab-org/gitlab#11756 (closed)
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
Edited by Fabien Catteau