`pip` integration: figure out feature gating in `pip-audit` - Githubissues

pypa / pip-audit

Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them

https://pypi.org/project/pip-audit/

Apache License 2.0

960 stars 63 forks source link

`pip` integration: figure out feature gating in `pip-audit` #336

Open woodruffw opened 2 years ago

woodruffw commented 2 years ago

Breakout from https://github.com/trailofbits/pip-audit/issues/335: we need to design an ergonomic "feature gate" scheme for pip-audit, to handle the following deployments:

python -m pip install pip-audit (and all third-party packages): support for SBOM generation, the OSV vulnerability service, etc.
pip audit: no support for -s osv, --format=spdx-..., etc.

Some ideas:

If "default" extras were possible, we could define osv and spdx extras that pip install would activate by default. Unfortunately, default extras are currently not possible.
We could probably get away with a single feature flag, something like pip_audit.VENDORED_INTO_PIP, which we then just use to remove a handful of CLI options and prevent importing pip_audit._format.cyclonedx.

di commented 2 years ago

In https://github.com/di/pip-api/pull/138/ I made a pip_api.VENDORED flag, I would imagine we would do something similar here and could gate functionality on that. I'm not sure it needs to be specific to who has vendored us.