From f025c6df22d48bd735458fc478b18d2235a715a2 Mon Sep 17 00:00:00 2001
From: Pytgaen <32298455+pytgaen@users.noreply.github.com>
Date: Fri, 5 Jul 2024 19:01:38 +0200
Subject: [PATCH] feat: remove unnecesary install when use poetry or pipenv

- trivy and sbom jobs no longer install the project's packages when poetry or pipenv is used; they take advantage of the lockfile instead
---
 templates/gitlab-ci-python.yml | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/templates/gitlab-ci-python.yml b/templates/gitlab-ci-python.yml
index 87127f0..13a2548 100644
--- a/templates/gitlab-ci-python.yml
+++ b/templates/gitlab-ci-python.yml
@@ -1169,7 +1169,6 @@ py-trivy:
   dependencies: []
   script:
     - mkdir -p -m 777 reports
-    - install_requirements
     - |
       if [[ -z "$PYTHON_TRIVY_DIST_URL" ]]
       then
@@ -1190,15 +1189,17 @@ py-trivy:
         mv ./trivy $python_trivy
       fi  
     - |
-      if [[ "$PYTHON_BUILD_SYSTEM" == poetry* ]]
-      then
-        # When using Poetry, `pip freeze` outputs a requirements.txt with @file URLs for each wheel
-        # These @file URLs in requirements.txt are not supported by Trivy
-        # So instead of simply using pip freeze, we use `poetry export`
-        poetry export -f requirements.txt --without-hashes --output reports/requirements.txt
-      else
-        _pip freeze | tee ./reports/requirements.txt
-      fi
+      case "$PYTHON_BUILD_SYSTEM" in
+        poetry*|pipenv*)
+          log_info "$PYTHON_BUILD_SYSTEM build system (\\e[32muse lock file\\e[0m)"
+          cp poetry.lock Pipfile.lock ./reports 2>/dev/null || true
+          ;;
+        *)
+          log_info "$PYTHON_BUILD_SYSTEM build system used (\\e[32mmust generate pinned requirements.txt\\e[0m)"
+          install_requirements
+          _pip freeze | tee ./reports/requirements.txt
+          ;;
+      esac
       if [[ -f "./requirements.txt" ]]
       then
         sort -u ./requirements.txt | grep -v "^[  ]*$" > ./requirements.txt.sorted
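Review bot: `cp poetry.lock Pipfile.lock ./reports 2>/dev/null || true` in the new poetry*|pipenv* arm hides the case where neither lock file is committed, so a project whose PYTHON_BUILD_SYSTEM says poetry or pipenv but has no lock file reaches the Trivy step with nothing in reports and the job passes without any dependency having been scanned; the poetry*|pipenv* arm of the py-sbom hunk below has the same silent pass, since it logs "use lock file" without checking that one exists. Because cp exits non-zero whenever either of its two sources is missing, its status alone cannot be checked, so copy each file individually and fail the step when none was found (only log_info is visible here, so I reuse it before exit 1; substitute the template's error helper if there is one). As a smaller point, the two log_info messages are phrased differently ("build system (use lock file)" vs "build system used (must generate …)") and would read better aligned. The script block continues past the end of the hunk.
```yaml
        poetry*|pipenv*)
          log_info "$PYTHON_BUILD_SYSTEM build system (\\e[32muse lock file\\e[0m)"
          lock_found=0
          for lock in poetry.lock Pipfile.lock
          do
            if [[ -f "$lock" ]]
            then
              cp "$lock" ./reports
              lock_found=1
            fi
          done
          if [[ "$lock_found" == 0 ]]
          then
            log_info "no poetry.lock or Pipfile.lock found: nothing for Trivy to scan"
            exit 1
          fi
          ;;
        # … unchanged: default arm (install_requirements, _pip freeze) and esac …
```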
@@ -1238,10 +1239,14 @@ py-sbom:
   needs: []
   script:
     - mkdir -p -m 777 reports
-    - install_requirements
     - |
       case "$PYTHON_BUILD_SYSTEM" in
-        setuptools*|reqfile)
+        poetry*|pipenv*)
+          log_info "$PYTHON_BUILD_SYSTEM build system (\\e[32muse lock file\\e[0m)"
+          ;;
+        *)
+          log_info "$PYTHON_BUILD_SYSTEM build system used (\\e[32mmust generate pinned requirements.txt\\e[0m)"
+          install_requirements
           _pip freeze > "${PYTHON_REQS_FILE}"
           ;;
       esac
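Review bot: Replacing the `setuptools*|reqfile)` arm with `*)` widens the default: any PYTHON_BUILD_SYSTEM value the old pattern did not match, including an empty or misspelled one, now runs install_requirements and writes "${PYTHON_REQS_FILE}", where before it fell through the case and wrote nothing. If that broadening is intended it deserves a comment, e.g. `# any non-lockfile build system: install and freeze to get pinned requirements`; if not, keep an explicit `setuptools*|reqfile)` arm and let `*)` only log the unrecognised value. In the poetry*|pipenv* arm "${PYTHON_REQS_FILE}" is never written, so whatever consumes it later in the job (outside this hunk) presumably has to handle its absence — worth confirming. The script block continues past the end of the hunk.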
-- 
GitLab