WIP: Run pipdeptree in build job
Make the `build` job install and execute pipdeptree after installing the project dependencies using pip. The JSON output of pipdeptree is exposed as a job artifact, later on processed by Gemnasium, in the `gemnasium-dependency_scanning` job.
It's no longer needed to build Python Wheels, and the dependencies are simply installed by running `pip install -r requirements.txt`.
`DS_DEFAULT_ANALYZERS` is forced to `gemnasium` to make sure `gemnasium-python` is not triggered.
The `only` parameter of the `gemnasium-dependency_scanning` job is updated so that the job is triggered even though it only contains Python code. The condition on `$CI_PROJECT_REPOSITORY_LANGUAGES` has been removed.
QA fails because it's as if the vulnerabilities had been found in `pipdeptree.json`, where in fact they come from `requirements.txt`. See QA job output.
Do not merge this! This MR is no more than an experiment. See gitlab-org/gitlab#13477 (comment 290831965).
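
One way to map the entries of a `pipdeptree --json` report back to `requirements.txt`, so that findings are reported against the file that pulled each package in. This is an added example, not code from this MR or from Gemnasium; the sample data, the function names and the output row shape are constructed assumptions.

```python
import json
import re

# Constructed sample in the shape printed by `pipdeptree --json`.
SAMPLE_TREE = json.dumps([
    {"package": {"key": "flask", "package_name": "Flask", "installed_version": "1.0.2"},
     "dependencies": [{"key": "jinja2", "package_name": "Jinja2",
                       "installed_version": "2.10", "required_version": ">=2.10"}]},
    {"package": {"key": "jinja2", "package_name": "Jinja2", "installed_version": "2.10"},
     "dependencies": [{"key": "markupsafe", "package_name": "MarkupSafe",
                       "installed_version": "1.1.0", "required_version": ">=0.23"}]},
    {"package": {"key": "markupsafe", "package_name": "MarkupSafe", "installed_version": "1.1.0"},
     "dependencies": []},
    {"package": {"key": "pipdeptree", "package_name": "pipdeptree", "installed_version": "0.13.2"},
     "dependencies": []},
])
SAMPLE_REQUIREMENTS = "# constructed requirements.txt\nFlask==1.0.2\n"

def normalize(name):
    """PEP 503 normalization so 'Flask' and 'flask' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def direct_requirements(text):
    """Names listed in requirements.txt; comments and pip options are skipped."""
    names = set()
    for line in text.splitlines():
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line.split("#", 1)[0].strip())
        if match:
            names.add(normalize(match.group(0)))
    return names

def attribute(tree_json, requirements_text, source="requirements.txt"):
    """Report each installed package against the file that pulled it in."""
    tree = json.loads(tree_json)
    direct = direct_requirements(requirements_text)
    versions = {normalize(e["package"]["key"]): e["package"]["installed_version"] for e in tree}
    children = {normalize(e["package"]["key"]): [normalize(d["key"]) for d in e["dependencies"]]
                for e in tree}
    origin = {}  # package name -> direct requirement that reaches it
    for root in sorted(direct):
        stack = [root]
        while stack:
            name = stack.pop()
            if name in children and name not in origin:
                origin[name] = root
                stack.extend(children[name])
    # Packages unreachable from requirements.txt (the pipdeptree tool itself) are left out.
    return [{"name": n, "version": versions[n], "file": source,
             "direct": n in direct, "via": origin[n]} for n in sorted(origin)]
```

Because pipdeptree is installed into the same environment it inspects, it appears in its own report; walking only from the names in `requirements.txt` keeps the scanning tool out of the project's dependency list.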