pypa / pip-audit

Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them
https://pypi.org/project/pip-audit/
Apache License 2.0

explicitly ignore (e.g. internal) libraries? #209

Open davidszotten opened 2 years ago

davidszotten commented 2 years ago

Thanks for a great tool!

Problem When using it at $work, the output is cluttered by a long list of all our internal libraries which are (correctly) skipped.

Describe the solution you'd like It would be nice if I could provide a list of packages to silently ignore

If this would be a useful feature and we can agree on a design I'd be interested in contributing a patch

woodruffw commented 2 years ago

Thanks for requesting this! I agree that it would be a useful feature to have.

cc @di for implementation thoughts. My first thought is that it probably makes sense to have some kind of per-project/same-directory configuration file that pip-audit could look for, but that might cause problems in terms of our plans to further integrate with pip itself. Another thought is a CLI option that can be passed to ignore a list of dependencies.

Another hiccup is that we'll probably need to be careful about how this functionality interacts with pip-audit -r -- ignoring dependencies will probably cause broken/impossible dependency resolution states, so it might be best to limit this feature to dependency sources that have already been fully resolved like the local (virtual) environment.

tetsuo-cpp commented 2 years ago

@woodruffw We could try looking for a pyproject.toml? But yeah, I imagine this will have to be left out of the pip integration.

davidszotten commented 2 years ago

As a first stab maybe we could have the flag only exclude libs from the *reports* (which would solve my clutter issue)

woodruffw commented 2 years ago

Yeah, I think a pyproject.toml would be an "ideal" solution, but that we'll be treading down a painful path with splitting out our dependencies if we go that route (AFAIK, pip doesn't vendor a TOML parser yet).

> As a first stab maybe we could have the flag only exclude libs from the *reports* (which would solve my clutter issue)

Just to make sure I understand: what's the current clutter problem you're having? Is it that one of the output formats is too verbose when packages can't be publicly resolved, or is it a deluge of logging messages from pip-audit?

davidszotten commented 2 years ago

> Just to make sure I understand: what's the current clutter problem you're having? Is it that one of the output formats is too verbose when packages can't be publicly resolved, or is it a deluge of logging messages from pip-audit?

It's the default console output. e.g. today I had a few vulnerabilities followed by 28 lines of [...] Dependency not found on PyPI and could not be audited [...]
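The "first stab" proposed above (drop internal packages from the report only, not from resolution) can be prototyped outside pip-audit today as a post-filter over its JSON output. The script below is an added example and is not part of pip-audit or of this thread; it assumes the report shape produced by `pip-audit -f json` (a `dependencies` list whose entries carry either `vulns` or a `skip_reason` string when the package could not be audited), and the embedded report is a constructed sample, with a placeholder advisory id rather than a real one. Because it runs after pip-audit has already resolved and audited everything, it sidesteps the `-r` resolution problem noted earlier, and it deliberately refuses to hide any entry that carries vulnerabilities, so a typo in the ignore list can never silence a real finding.

```python
"""Post-filter for pip-audit JSON reports: hide *skipped* internal packages.

Added example, not pip-audit's own code. Assumed report shape (constructed
sample below): {"dependencies": [...], "fixes": [...]}, where each dependency
has "name", "version" and either "vulns" (a list) or "skip_reason" (a string)
when pip-audit could not audit it.
"""
import json
import re
import sys


def canonical(name: str) -> str:
    """Normalize a project name as PyPI does (PEP 503) so that
    'My_Internal.Lib' and 'my-internal-lib' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def filter_skipped(report: dict, ignore: set[str]) -> tuple[dict, list[str]]:
    """Return (filtered report, names that were hidden).

    Only entries pip-audit *skipped* and whose name is on the ignore list are
    dropped. Anything with vulnerabilities is kept even if it is listed, so the
    filter can hide noise but never a finding. The input dict is not mutated.
    """
    wanted = {canonical(n) for n in ignore}
    kept, dropped = [], []
    for dep in report.get("dependencies", []):
        skipped = "skip_reason" in dep and not dep.get("vulns")
        if skipped and canonical(dep["name"]) in wanted:
            dropped.append(dep["name"])
        else:
            kept.append(dep)
    out = dict(report)
    out["dependencies"] = kept
    return out, dropped


# Constructed sample report (not real pip-audit output); the advisory id is a
# placeholder, not a real vulnerability identifier.
SAMPLE_REPORT = {
    "dependencies": [
        {"name": "requests", "version": "2.25.0",
         "vulns": [{"id": "EXAMPLE-0001", "fix_versions": ["2.25.1"]}]},
        {"name": "acme_internal_core", "version": "1.4.0",
         "skip_reason": "Dependency not found on PyPI and could not be audited: acme_internal_core (1.4.0)"},
        {"name": "acme-internal-auth", "version": "0.9.2",
         "skip_reason": "Dependency not found on PyPI and could not be audited: acme-internal-auth (0.9.2)"},
        {"name": "leftpad-fork", "version": "0.1",
         "skip_reason": "Dependency not found on PyPI and could not be audited: leftpad-fork (0.1)"},
    ],
    "fixes": [],
}


def main(argv: list[str]) -> int:
    """Usage: pip-audit -f json | python filter_skipped.py acme_internal_core acme-internal-auth

    Writes the filtered report to stdout and a one-line summary to stderr.
    Exits 1 if any vulnerable dependency remains, mirroring pip-audit's own
    non-zero exit on findings so CI gating keeps working behind the filter.
    """
    report = json.load(sys.stdin)
    out, dropped = filter_skipped(report, set(argv))
    json.dump(out, sys.stdout, indent=2)
    print(f"\nhid {len(dropped)} skipped internal package(s): {', '.join(dropped)}",
          file=sys.stderr)
    return 1 if any(d.get("vulns") for d in out["dependencies"]) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Running `filter_skipped(SAMPLE_REPORT, {"Acme.Internal_Core", "acme-internal-auth", "requests"})` hides the two skipped internal packages, keeps `leftpad-fork` (skipped but not listed, so it still surfaces as something to look at) and keeps `requests` despite being listed, because it has a finding. Note that this only trims the JSON report; the console format's "Dependency not found on PyPI" lines are still emitted by pip-audit itself, which is exactly the gap this issue asks to close in the tool.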