Open davidszotten opened 2 years ago
Thanks for requesting this! I agree that it would be a useful feature to have.
cc @di for implementation thoughts. My first thought is that it probably makes sense to have some kind of per-project/same-directory configuration file that `pip-audit` could look for, but that might cause problems in terms of our plans to further integrate with `pip` itself. Another thought is a CLI option that can be passed to ignore a list of dependencies.
Another hiccup is that we'll probably need to be careful about how this functionality interacts with `pip-audit -r` -- ignoring dependencies will probably cause broken/impossible dependency resolution states, so it might be best to limit this feature to dependency sources that have already been fully resolved, like the local (virtual) environment.
@woodruffw We could try looking for a `pyproject.toml`? But yeah, I imagine this will have to be left out of the `pip` integration.
As a first stab, maybe we could have the flag only exclude libs from the reports (which would solve my clutter issue).
Yeah, I think a `pyproject.toml` would be an "ideal" solution, but we'll be treading down a painful path with splitting out our dependencies if we go that route (AFAIK, `pip` doesn't vendor a TOML parser yet).
> As a first stab, maybe we could have the flag only exclude libs from the reports (which would solve my clutter issue).

Just to make sure I understand: what's the current clutter problem you're having? Is it that one of the output formats is too verbose when packages can't be publicly resolved, or is it a deluge of logging messages from `pip-audit`?
> Just to make sure I understand: what's the current clutter problem you're having? Is it that one of the output formats is too verbose when packages can't be publicly resolved, or is it a deluge of logging messages from `pip-audit`?

It's the default console output. E.g. today I had a few vulnerabilities followed by 28 lines of

`[...] Dependency not found on PyPI and could not be audited [...]`
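One way to implement the "exclude from the reports only" variant discussed in this thread, as an added example that is not pip-audit's own code: it post-filters console lines, dropping only the "could not be audited" message for packages listed in an assumed `[tool.pip-audit] ignore` table of `pyproject.toml`, while vulnerability findings and skips for unlisted packages pass through untouched. The message wording, the regex, the table name and the sample lines are all assumptions constructed for this example.

```python
from __future__ import annotations

import re
from typing import Iterable

# ASSUMED message shape (constructed for this example); the real pip-audit
# wording may differ, so adjust the regex to the installed version's output.
SKIP_RE = re.compile(
    r"Dependency not found on PyPI and could not be audited: (?P<name>[A-Za-z0-9_.-]+)"
)


def normalize(name: str) -> str:
    """PEP 503 name normalization, so 'Acme_Internal.Auth' == 'acme-internal-auth'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def load_ignore_list(pyproject_text: str) -> list[str]:
    """Read a HYPOTHETICAL [tool.pip-audit] ignore = [...] table (tomllib needs Python 3.11+)."""
    import tomllib  # stdlib on 3.11+; on older interpreters install 'tomli' and import that instead

    data = tomllib.loads(pyproject_text)
    return list(data.get("tool", {}).get("pip-audit", {}).get("ignore", []))


def filter_report(lines: Iterable[str], ignore: Iterable[str]) -> tuple[list[str], list[str]]:
    """Return (kept_lines, suppressed_names).

    Only 'could not be audited' lines whose package is on the ignore list are
    dropped. Findings and skips for packages NOT on the list are kept, so the
    filter reduces clutter without being able to hide an unexpected skip.
    """
    ignored = {normalize(n) for n in ignore}
    kept: list[str] = []
    suppressed: list[str] = []
    for line in lines:
        m = SKIP_RE.search(line)
        if m and normalize(m.group("name")) in ignored:
            suppressed.append(m.group("name"))
        else:
            kept.append(line)
    return kept, suppressed


# Constructed sample output and ignore list (not real pip-audit output).
SAMPLE_OUTPUT = [
    "Found 1 known vulnerability in 1 package",
    "Name     Version ID         Fix Versions",
    "somepkg  1.0.0   EXAMPLE-ID 1.0.1",
    "WARNING: Dependency not found on PyPI and could not be audited: acme_internal_auth (1.4.0)",
    "WARNING: Dependency not found on PyPI and could not be audited: acme-billing (0.9.2)",
    "WARNING: Dependency not found on PyPI and could not be audited: forgotten-lib (2.0.0)",
]
IGNORE = ["acme-internal-auth", "Acme.Billing"]
```

Running `filter_report(SAMPLE_OUTPUT, IGNORE)` keeps the finding and the `forgotten-lib` skip (a package nobody listed) and suppresses the two internal libraries.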
Thanks for a great tool!

**Problem**

When using it at $work, the output is cluttered by a long list of all our internal libraries which are (correctly) skipped.

**Describe the solution you'd like**

It would be nice if I could provide a list of packages to silently ignore.

If this would be a useful feature and we can agree on a design, I'd be interested in contributing a patch.