pypa / pip-audit

Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them
https://pypi.org/project/pip-audit/
Apache License 2.0

Allow different output formats in parallel (e.g. for SBOM reports) #753

Open bittner opened 3 months ago

bittner commented 3 months ago


What's the problem this feature will solve?

When I run pip-audit in a CI job I love to have tabular output of the scanning results in the log output, but I also want to submit the results (e.g. SBOM reports in JSON or XML) to the CI service for integration in the PR/MR widget.

Currently, I have to run pip-audit twice. One run for the tabular output, another one to write the JSON or XML report.

Describe the solution you'd like

There are the --format and the --output options, which can only be used once (the last occurrence counts). It would cause a lot of trouble to redefine their behavior, hence new options are likely needed.

Two additional options --cyclonedx-xml=<filepath> and --cyclonedx-json=<filepath> could allow using any format you like on the console, yet still save the CycloneDX SBOM report in XML and/or JSON.

Additional context

The proposed solution is inspired by Pytest's --junit-xml option.

woodruffw commented 3 months ago

Thanks for the request @bittner! Something like this seems reasonable to me, and I've wanted a similar thing for gh-action-pip-audit as well.

As a design item: we want to minimize flag proliferation in pip-audit, since we want its CLI to (roughly) mirror pip's (and consequently be potentially easy to integrate into pip in the future). Having N flags for each permutation of (SBOM-format, serialization) isn't ideal for that 🙂

(I know this doesn't propose every permutation, but offering some permutations makes it harder to justify not adding others in the future.)

Given that, I think we maybe want to do something a little more magic like --cyclonedx=<filepath>.{xml,json}, where the suffix of filepath implies the generated format. OTOH, maybe that's too magical (and maybe unidiomatic for CycloneDX -- I don't know what their preferred file extensions actually are)

CCing @di for thoughts as well.
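The suffix-inferred `--cyclonedx=<filepath>.{xml,json}` behaviour proposed above, as an added illustration that is not pip-audit's own code: a toy audit CLI that prints the console report for the CI log and, in the same run, writes a CycloneDX-style file whose serialization is chosen from the file suffix. The `Finding` record, the sample findings, the simplified report layout and every helper name are assumptions made for this example; only the two-outputs-in-one-run shape and the suffix rule come from the thread.

```python
"""Toy audit CLI illustrating the `--cyclonedx=<path>.{json,xml}` proposal.

Added example, not pip-audit's code: findings, report layout and helper
names are assumed for illustration.
"""
import argparse
import json
import sys
import xml.etree.ElementTree as ET
from dataclasses import asdict, dataclass
from pathlib import Path

# Suffix -> CycloneDX serialization. Anything else is rejected while parsing
# arguments, so a CI job does not audit for minutes and then fail on output.
SUFFIX_TO_FORMAT = {".json": "json", ".xml": "xml"}


@dataclass(frozen=True)
class Finding:
    """One vulnerable dependency (assumed shape, not pip-audit's own type)."""
    name: str
    version: str
    vuln_id: str
    fix_versions: tuple


# Constructed sample findings standing in for a real audit result.
SAMPLE_FINDINGS = (
    Finding("examplepkg", "1.0.0", "EXAMPLE-0001", ("1.0.1",)),
    Finding("otherpkg", "2.3.0", "EXAMPLE-0002", ()),
)


def infer_cyclonedx_format(path: str) -> str:
    """Map the file suffix (case-insensitively) to 'json' or 'xml'."""
    fmt = SUFFIX_TO_FORMAT.get(Path(path).suffix.lower())
    if fmt is None:
        raise ValueError(
            f"--cyclonedx expects a path ending in .json or .xml, got {path!r}")
    return fmt


def cyclonedx_target(path: str):
    """argparse `type=` hook: validate the suffix before any auditing happens."""
    try:
        return path, infer_cyclonedx_format(path)
    except ValueError as e:
        raise argparse.ArgumentTypeError(str(e))


def render_table(findings) -> str:
    """Tabular console output, the part a human reads in the CI log."""
    lines = [f"{'Name':<12} {'Version':<8} {'ID':<13} Fix Versions"]
    for f in findings:
        fixes = ",".join(f.fix_versions) or "-"
        lines.append(f"{f.name:<12} {f.version:<8} {f.vuln_id:<13} {fixes}")
    return "\n".join(lines)


def render_cyclonedx(findings, fmt: str) -> str:
    """Serialize a simplified CycloneDX-shaped document (not spec-complete)."""
    refs = [(f, f"{f.name}@{f.version}") for f in findings]
    if fmt == "json":
        doc = {
            "bomFormat": "CycloneDX",
            "specVersion": "1.4",
            "components": [{"type": "library", "name": f.name, "version": f.version}
                           for f, _ in refs],
            "vulnerabilities": [{"id": f.vuln_id, "affects": [{"ref": ref}]}
                                for f, ref in refs],
        }
        return json.dumps(doc, indent=2)
    bom = ET.Element("bom", {"xmlns": "http://cyclonedx.org/schema/bom/1.4"})
    comps = ET.SubElement(bom, "components")
    vulns = ET.SubElement(bom, "vulnerabilities")
    for f, ref in refs:
        c = ET.SubElement(comps, "component", {"type": "library"})
        ET.SubElement(c, "name").text = f.name
        ET.SubElement(c, "version").text = f.version
        v = ET.SubElement(vulns, "vulnerability")
        ET.SubElement(v, "id").text = f.vuln_id
        ET.SubElement(ET.SubElement(v, "affects"), "target").text = ref
    return ET.tostring(bom, encoding="unicode")


def build_parser() -> argparse.ArgumentParser:
    p = argparse.ArgumentParser(prog="toy-audit")
    p.add_argument("--format", choices=("columns", "json"), default="columns",
                   help="console output format (independent of --cyclonedx)")
    p.add_argument("--cyclonedx", metavar="PATH.{json,xml}", type=cyclonedx_target,
                   help="also write a CycloneDX report; the suffix selects JSON or XML")
    return p


def run(argv, findings=SAMPLE_FINDINGS, write_file=None):
    """Print the console report and, if requested, write the SBOM in one run.

    Returns the SBOM serialization used ('json' / 'xml') or None. `write_file`
    is an injectable (path, text) writer; the default writes to disk.
    """
    args = build_parser().parse_args(argv)  # bad suffix -> usage error, exit 2
    if args.format == "columns":
        print(render_table(findings))
    else:
        print(json.dumps([asdict(f) for f in findings], indent=2))
    if args.cyclonedx is None:
        return None
    path, fmt = args.cyclonedx
    writer = write_file or (lambda p, t: Path(p).write_text(t))
    writer(path, render_cyclonedx(findings, fmt))
    return fmt


if __name__ == "__main__":
    run(sys.argv[1:])
```

Validating the suffix in the argparse `type=` hook is the practical point: an unsupported extension such as `report.jsn` is reported as a usage error before the audit runs, rather than after a long dependency resolution, and the console `--format` stays independent of the SBOM file.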

bittner commented 3 months ago

we maybe want to do something a little more magic like --cyclonedx=<filepath>.{xml,json}

I like that proposal. Doesn't seem too magical to me, just needs to be explained explicitly in the usage.

woodruffw commented 3 months ago

I like that proposal. Doesn't seem too magical to me, just needs to be explained explicitly in the usage.

Agreed. I'll give @di some time to chime in, but assuming that sounds reasonable to him I'd be happy to review a PR that adds that behavior 🙂

di commented 3 months ago

Seems fine to me!