Open bittner opened 3 months ago
Thanks for the request @bittner! Something like this seems reasonable to me, and I've wanted a similar thing for gh-action-pip-audit as well.

As a design item: we want to minimize flag proliferation in pip-audit, since we want its CLI to (roughly) mirror pip's (and consequently be potentially easy to integrate into pip in the future). Having N flags for each permutation of (SBOM-format, serialization) isn't ideal for that 🙂

(I know this doesn't propose every permutation, but offering some permutations makes it harder to justify not adding others in the future.)

Given that, I think we maybe want to do something a little more magic like `--cyclonedx=<filepath>.{xml,json}`, where the suffix of `filepath` implies the generated format. OTOH, maybe that's too magical (and maybe unidiomatic for CycloneDX -- I don't know what their preferred file extensions actually are).

CCing @di for thoughts as well.
> we maybe want to do something a little more magic like `--cyclonedx=<filepath>.{xml,json}`

I like that proposal. Doesn't seem too magical to me, just needs to be explained explicitly in the usage.
Agreed. I'll give @di some time to chime in, but assuming that sounds reasonable to him I'd be happy to review a PR that adds that behavior 🙂
Seems fine to me!
Pre-submission checks

What's the problem this feature will solve?

When I run `pip-audit` in a CI job I love to have tabular output of the scanning results in the log output, but I also want to submit the results (e.g. SBOM reports in JSON or XML) to the CI service for integration in the PR/MR widget. Currently, I have to run `pip-audit` twice: one run for the tabular output, another one to write the JSON or XML report.

Describe the solution you'd like

There are the `--format` and the `--output` options, which can only be used once (the last occurrence counts). It would cause a lot of trouble to redefine their behavior, hence new options are likely needed. Two additional options, `--cyclonedx-xml=<filepath>` and `--cyclonedx-json=<filepath>`, could allow using any format you like on the console, yet still save the CycloneDX SBOM report in XML and/or JSON.

Additional context

The proposed solution is inspired by Pytest's `--junit-xml` option.
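As an added illustration of the two ideas in this thread (the per-format `--cyclonedx-xml`/`--cyclonedx-json` options from the issue body, and the single suffix-inferred `--cyclonedx=<filepath>.{xml,json}` flag from the discussion), here is a small argparse sketch that is not pip-audit's own code. The format names, the `.xml`/`.json` suffix mapping and the `plan_outputs` helper are assumptions; the point is that a repeatable flag with suffix-based dispatch covers both serialisations without a new switch per format, while an unrecognised suffix fails at parse time instead of silently writing the wrong format.

```python
from __future__ import annotations

import argparse
from pathlib import Path

# Assumed suffix -> format mapping; the thread itself notes that CycloneDX's
# preferred file extensions were not checked.
CYCLONEDX_FORMATS = {".json": "cyclonedx-json", ".xml": "cyclonedx-xml"}


def cyclonedx_target(value: str) -> tuple[Path, str]:
    """argparse 'type' for --cyclonedx: the path suffix selects the format."""
    path = Path(value)
    fmt = CYCLONEDX_FORMATS.get(path.suffix.lower())
    if fmt is None:
        # Reject 'sbom.jsn' or 'sbom' up front rather than guessing a format.
        expected = ", ".join(sorted(CYCLONEDX_FORMATS))
        raise argparse.ArgumentTypeError(
            f"{value!r}: expected a path ending in one of {expected}"
        )
    return path, fmt


def build_parser() -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(prog="pip-audit")
    # Console output keeps the existing --format switch untouched.
    parser.add_argument(
        "--format",
        choices=["columns", "json", "cyclonedx-json", "cyclonedx-xml"],
        default="columns",
    )
    # One flag for both serialisations; repeat it to emit both files.
    parser.add_argument(
        "--cyclonedx",
        type=cyclonedx_target,
        action="append",
        default=[],
        metavar="FILE.{xml,json}",
        help="also write a CycloneDX SBOM; the suffix picks XML or JSON",
    )
    return parser


def plan_outputs(argv: list[str]) -> dict[str, str]:
    """Return {destination: format}; '-' stands for the console."""
    args = build_parser().parse_args(argv)
    outputs = {"-": args.format}
    for path, fmt in args.cyclonedx:
        outputs[str(path)] = fmt
    return outputs
```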