
Add virtual environment and cyclonedx sbom for setuptools

What does this MR do?

With this change, packages are not excluded from the scanning even though they are already part of the main environment (gemnasium-python/requirements.txt). As a side-effect, both pip and setuptools will be present in the report.

Replaces the current /usr/local/bin/python3 setup.py install --user with the following:

# Create virtual environment
/usr/local/bin/python3 -m venv .venv
# Install packages into the virtual environment (interpreter taken from .venv, not the main environment)
.venv/bin/python3 -m pip install .
# Run pipdeptree against the virtual environment, excluding pip from the tree
/usr/local/bin/pipdeptree --python .venv/bin/python3 -e pip --json

After the creation of the SBOM artefact, parsing from SBOM into deptree format was required in order to keep alignment with the existing logic.

before: before_gl-sbom-pypi-setuptools.cdx.json
after: after_gl-sbom-pypi-setuptools.cdx.json

What are the relevant issue numbers?

Related issue: gitlab-org/gitlab#355756 (closed)

Does this MR meet the acceptance criteria?

Edited by Zamir Martins
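The MR describes parsing the CycloneDX SBOM back into pipdeptree's format so the existing report logic keeps working. The converter below is an added illustration of that step, not code from gemnasium-python or from this MR: it walks the SBOM's `components` and `dependencies` arrays and emits the list-of-nodes structure that `pipdeptree --json` produces, dropping excluded packages the way `-e pip` does. The sample SBOM and its package versions are constructed; the `required_version: "Any"` fallback is an assumption, since CycloneDX does not carry requirement specifiers.

```python
import json
import re

# Constructed CycloneDX 1.4 document standing in for a gl-sbom-pypi-setuptools.cdx.json
# artefact; package names and versions are sample values, not taken from the MR.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/pip@22.0.4", "name": "pip", "version": "22.0.4"},
        {"type": "library", "bom-ref": "pkg:pypi/setuptools@62.1.0", "name": "setuptools", "version": "62.1.0"},
        {"type": "library", "bom-ref": "pkg:pypi/requests@2.27.1", "name": "requests", "version": "2.27.1"},
        {"type": "library", "bom-ref": "pkg:pypi/urllib3@1.26.9", "name": "urllib3", "version": "1.26.9"},
    ],
    "dependencies": [
        {"ref": "pkg:pypi/requests@2.27.1", "dependsOn": ["pkg:pypi/urllib3@1.26.9"]},
    ],
}


def canonical_key(name):
    """Normalise a distribution name the way pipdeptree keys its packages
    (lower case, runs of '-', '_' and '.' collapsed to a single '-')."""
    return re.sub(r"[-_.]+", "-", name).lower()


def sbom_to_deptree(sbom, exclude=()):
    """Convert CycloneDX `components` + `dependencies` into the list structure
    emitted by `pipdeptree --json`. Names in `exclude` are removed from the tree,
    both as root nodes and as edges, mirroring `pipdeptree -e pip`."""
    excluded = {canonical_key(n) for n in exclude}
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    tree = []
    for ref, comp in components.items():
        if canonical_key(comp["name"]) in excluded:
            continue
        node = {
            "package": {
                "key": canonical_key(comp["name"]),
                "package_name": comp["name"],
                "installed_version": comp.get("version", ""),
            },
            "dependencies": [],
        }
        for dep_ref in edges.get(ref, []):
            dep = components.get(dep_ref)
            # A dependsOn ref with no matching component is a dangling edge; skip it
            # rather than emit a dependency with no name or version.
            if dep is None or canonical_key(dep["name"]) in excluded:
                continue
            node["dependencies"].append({
                "key": canonical_key(dep["name"]),
                "package_name": dep["name"],
                "installed_version": dep.get("version", ""),
                # CycloneDX carries no requirement specifier, so fall back to the
                # wording pipdeptree uses for an unconstrained requirement (assumption).
                "required_version": "Any",
            })
        tree.append(node)
    return tree


if __name__ == "__main__":
    # Same shape the existing deptree-based logic consumes; pip is excluded as in the MR's command.
    print(json.dumps(sbom_to_deptree(SAMPLE_SBOM, exclude=("pip",)), indent=2))
```

Run without `exclude` to see the side-effect the description mentions: pip and setuptools stay in the tree because nothing filters packages that also live in the main environment.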
