SourceCode-AI / aura

Python source code auditing and static analysis on a large scale
GNU General Public License v3.0

Question related to scanning specific package version #16

Closed jspeed-meyers closed 2 years ago

jspeed-meyers commented 2 years ago

Hey @RootLUG, hope you're well. Long time, no talk.

Question for you: Is it possible to scan a specific version of a package from PyPI without downloading it locally?

For instance, something like:

docker run -ti --rm sourcecodeai/aura:dev scan pypi://requests:1.2.3 -f html > output.html

RootLUG commented 2 years ago

Hi @jspeed-meyers, this is actually already possible via a not-so-well documented feature. The uri format supports putting restrictions via url parameters to filter what files should be downloaded/looked up by aura. You can filter for a specific version like this: aura scan "pypi://requests?release=2.18.1"

The quotes may or may not be needed around the uri depending on your shell. I just found out that the filter for version/release was not working correctly so I just pushed a bugfix, you would need to use the latest dev (/docker) version which has the fix.

On a related note, there is also already limited support for filtering based on md5, sha1 or filename, but this is not working for pypi uris and/or when entered via command line. Would that be something of interest, to get better filtering via uri parameters?
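As an added illustration (not aura's own code) of how the uri filters described in this reply can be parsed and applied: the release listing below is constructed sample data that loosely follows the shape of a package index's JSON release listing, and the hypothetical `sha1` digests are included only because the reply mentions that filter. Filters combine with AND semantics, so `release` plus `md5` pins one exact artifact, which is what you want when scanning a file you have already verified.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: version -> list of distribution files with digests.
# Digest values are placeholders, not real hashes.
SAMPLE_RELEASES = {
    "2.18.0": [
        {"filename": "requests-2.18.0.tar.gz",
         "digests": {"md5": "aaaa1111", "sha1": "bbbb1111"}},
    ],
    "2.18.1": [
        {"filename": "requests-2.18.1-py2.py3-none-any.whl",
         "digests": {"md5": "cccc2222", "sha1": "dddd2222"}},
        {"filename": "requests-2.18.1.tar.gz",
         "digests": {"md5": "eeee3333", "sha1": "ffff3333"}},
    ],
}

# Filter names taken from the reply above; anything else is rejected.
SUPPORTED_FILTERS = ("release", "md5", "sha1", "filename")

def parse_package_uri(uri):
    """Split 'pypi://name?release=..&md5=..' into (scheme, name, filters)."""
    parsed = urlparse(uri)
    if parsed.scheme != "pypi" or not parsed.netloc:
        raise ValueError(f"unsupported uri: {uri!r}")
    query = parse_qs(parsed.query)
    unknown = set(query) - set(SUPPORTED_FILTERS)
    if unknown:
        raise ValueError(f"unknown filter(s): {sorted(unknown)}")
    # A repeated parameter keeps only its last value.
    return parsed.scheme, parsed.netloc, {k: v[-1] for k, v in query.items()}

def select_files(releases, filters):
    """Return (version, filename) pairs matching every filter (AND semantics)."""
    selected = []
    for version, files in releases.items():
        if "release" in filters and version != filters["release"]:
            continue
        for entry in files:
            if "filename" in filters and entry["filename"] != filters["filename"]:
                continue
            digests = entry.get("digests", {})
            if any(alg in filters and digests.get(alg) != filters[alg]
                   for alg in ("md5", "sha1")):
                continue
            selected.append((version, entry["filename"]))
    return selected

def resolve(uri, releases=SAMPLE_RELEASES):
    """Parse a uri and return (package name, matching files)."""
    _, name, filters = parse_package_uri(uri)
    return name, select_files(releases, filters)
```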

RootLUG commented 2 years ago

Closing this issue as this is implemented and extended in the latest dev version.