pypa / pip-audit

Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them
https://pypi.org/project/pip-audit/
Apache License 2.0

Support pip-audit configuration from pyproject.toml #694

Open dnovvak opened 7 months ago

dnovvak commented 7 months ago

Is your feature request related to a problem? Please describe.

Yes, having a single CI workflow for multiple repositories we cannot easily ignore vulnerabilities affecting single repository only. Also specifying extra indexes per repository is severely hampered here.

Describe the solution you'd like

With pip-audit configuration in pyproject.toml we could specify custom settings just on single repository level having the CI untouched (CI is executing always poetry run pip-audit).

For example:

```toml
# pyproject.toml

[tool.pip-audit]
ignore-vuln = [
    "CVE-TO-IGNORE",
]
extra-index-url = [
    "https://my-pypi.com/simple",
]
```

Describe alternatives you've considered

Using another tool.

Additional context

The most used code quality tools for python support configuration from pyproject.toml. For example:

So I wonder that the official tool from PyPA does not follow community standards.

di commented 7 months ago

> So I wonder that the official tool from PyPA does not follow community standards.

This is mostly a volunteer-run project, it just hasn't been implemented yet. I think we're all likely in favor of this.

woodruffw commented 7 months ago

To add on to what @di said: it's not that we don't follow community standards, but that pip-audit simply does not have any configuration file at the moment.

There are a number of complexities involved in adding one, such as determining how best to interoperate with pip's own configuration; see https://github.com/pypa/pip-audit/issues/193 for some details on that.

dnovvak commented 7 months ago

Thank you for adding some context to that @di @woodruffw!

I just saw that a few issues mention pyproject.toml as a possible resolution but it wasn't clear whether it's on your roadmap and couldn't find any ticket discussing this feature as a whole.

By the way, are you able to say something about the priority of this feature?

woodruffw commented 7 months ago

> By the way, are you able to say something about the priority of this feature?

It's not an immediate priority I believe, but I think we'd be happy to review a PR that makes these changes.

But before that, there should be some discussion on this issue about what the scope of the configuration will be:

  1. Will there be settings that mirror each of pip-audit's flags, or only some?
  2. Will there be settings that conflict with/take precedence over things in pip.conf?
  3. How should we handle discovery, i.e. should we only load from $CWD or keep walking up directories until we hit a pyproject.toml?
  4. How should we allow configuration for projects that don't use pyproject.toml, if we want to support this?

albertodiazdorado commented 2 months ago

I'd love if this was part of pip-audit :)

woodruffw commented 2 months ago

I believe https://github.com/pypa/pip-audit/issues/694#issuecomment-1802672585 covers the preconditions for this feature. We're interested in hearing from users about each of the bullets in that comment.