
WIP: Run pipdeptree in build job

Fabien Catteau requested to merge run-pipdeptree-in-build-job into no_dind-FREEZE

Make the build job install and execute pipdeptree after installing the project dependencies using pip. The JSON output of pipdeptree is exposed as a job artifact, later on processed by Gemnasium, in the gemnasium-dependency_scanning job.

It's no longer needed to build Python Wheels, and the dependencies are simply installed by running pip install -r requirements.txt.

DS_DEFAULT_ANALYZERS is forced to gemnasium to make sure gemnasium-python is not triggered.

The only parameter of the gemnasium-dependency_scanning job is updated so that the job is triggered even though it only contains Python code. The condition on $CI_PROJECT_REPOSITORY_LANGUAGES has been removed.

QA fails because it's as if the vulnerabilities had been found in pipdeptree.json, where in fact they come from requirements.txt. See QA job output.

Do not merge this! This MR is no more than an experiment. See gitlab-org/gitlab#13477 (comment 290831965).
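The following .gitlab-ci.yml fragment is an added illustration of the setup the description above refers to; it is not the MR's own diff. It assumes a Python project whose dependencies live in requirements.txt, an arbitrary python:3 image, and that the gemnasium-dependency_scanning job comes from the included Dependency Scanning template and picks up the artifact from an earlier stage.

```yaml
# Added example (not from the MR). Shows the build job installing the
# project's dependencies, running pipdeptree, and publishing its JSON
# output as an artifact for a later dependency-scanning job.
variables:
  # From the description: force the gemnasium analyzer only, so that
  # gemnasium-python does not also run and try to build the project itself.
  DS_DEFAULT_ANALYZERS: "gemnasium"

stages:
  - build
  - test

build:
  stage: build
  image: python:3        # assumed image; any image with pip works
  script:
    # Install the project's dependencies exactly as pip resolves them.
    - pip install -r requirements.txt
    # pipdeptree reads the installed distributions, so it reports the
    # resolved (transitive) versions, not just the requirements.txt pins.
    - pip install pipdeptree
    - pipdeptree --json > pipdeptree.json
  artifacts:
    paths:
      - pipdeptree.json  # consumed by gemnasium-dependency_scanning
```

Because pipdeptree reports what was actually installed, the artifact gives the scanner a resolved view of transitive dependencies; the flip side, noted in the description, is that findings are then attributed to pipdeptree.json rather than to requirements.txt, which is why the QA check fails.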

Edited by 🤖 GitLab Bot 🤖
