sonatype-nexus-community / jake

Check your Python environments for vulnerable Open Source packages with OSS Index or Sonatype Nexus Lifecycle.
https://jake.readthedocs.io/
Apache License 2.0

[BUG] Jake ddt does not honor Python virtual environments #124

Closed rofrano closed 1 year ago

rofrano commented 1 year ago

Describe the bug

I'm trying to scan for vulnerabilities in the dependencies of my Python application, which runs in a Python virtual environment. Unfortunately, Jake is scanning the 210 Python packages installed on the server my application is running on, which is not the environment that my application is running in. So it is reporting on packages my application can't even see.

Can you make it so that Jake will only scan the packages returned by pip freeze? Or allow us to specify the folder of our virtual environment so that it only scans the packages in there?

To Reproduce

Steps to reproduce the behavior:

  1. Install a global Python package:

    sudo pip install Flask==2.2.2
  2. Create a virtual environment and install Flask 1.1.4

    python3 -m venv venv
    source venv/bin/activate
    pip install Flask==1.1.4
  3. Run flask --version to check that you are running Flask 1.1.4

    $ flask --version
    Python 3.6.9
    Flask 1.1.4
    Werkzeug 1.0.1
  4. Run jake ddt and notice it reports on Flask 2.2.2 and not 1.1.4

    jake ddt

Report details:

[74/210] - Flask@2.2.2 [VULNERABLE]
Vulnerability Details for Flask@2.2.2                                                                                  
└── ⚠  ID: sonatype-2020-0201                                                                                          
    └── ╭─ sonatype-2020-0201 ────────────────────────────────────────────────────────────────────────────────────────╮
        │                                                                                                             │
        │ 1 vulnerability found                                                                                       │
        │ 1 non-CVE vulnerability found. To see more details, please create a free account at                         │
        │ https://ossindex.sonatype.org/ and request for this information using your registered account               │
        │                                                                                                             │
        │ Ratings:                                                                                                    │
        │    -  4.8 MEDIUM - Vector: AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N, CWEs: 699                                   │
        │                                                                                                             │
        │ References:                                                                                                 │
        │   - OSS Index [Ref: sonatype-2020-0201]                                                                     │
        │     URL: https://ossindex.sonatype.org/vulnerability/sonatype-2020-0201                                     │
        │                                                                                                             │
        ╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

Expected behavior

I expect Jake to show the vulnerabilities in my active virtual environment, which is Flask 1.1.4, but instead it shows the vulnerabilities in Flask 2.2.2, which isn't installed in my virtual environment and can't be used by my application running in that virtual environment.


rofrano commented 1 year ago

Sorry to have opened this so quickly. It dawned on me that I installed jake globally and expected it to work in a virtual environment. When I installed it in the virtual environment instead, it correctly only saw the virtual environment and reported on Flask 1.1.4.

It might be good to mention this in the documentation. I'm closing this as solved.
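The root cause identified above (a console script runs under the interpreter that installed it, so a globally installed jake scans the system interpreter's site-packages, not the active venv) can be checked before running a scan. The following is an added example, not code from the issue or from the jake project: it reads the shebang pip wrote into a console script, tests whether that interpreter lives inside the venv, and lists the packages a scanner running under the wrong interpreter would report even though the application cannot import them. `demo()` rebuilds the issue's Flask 2.2.2 / 1.1.4 layout in a temporary directory using constructed dist-info stubs and constructed script files; all paths and names there are assumptions.

```python
import os
import tempfile
from importlib import metadata

def script_interpreter(script_path):
    """Interpreter path from a console script's shebang (what pip wrote), or None."""
    with open(script_path, "rb") as fh:
        first = fh.readline().decode("utf-8", "replace").strip()
    parts = first[2:].split() if first.startswith("#!") else []
    return parts[0] if parts else None

def interpreter_in_prefix(interpreter, prefix):
    """True when the interpreter lives under prefix, i.e. it will load the venv's site-packages."""
    if not interpreter:
        return False
    inter, pref = os.path.realpath(interpreter), os.path.realpath(prefix)
    return os.path.commonpath([inter, pref]) == pref

def installed(site_packages):
    """{name: version} for each *.dist-info / *.egg-info found in one directory."""
    return {d.metadata["Name"]: d.version
            for d in metadata.distributions(path=[site_packages])}

def phantom_findings(scanner_site, venv_site):
    """{name: (reported, actual)} for packages the scanner sees but the app's venv lacks or has at another version."""
    seen, real = installed(scanner_site), installed(venv_site)
    return {n: (v, real.get(n)) for n, v in seen.items() if real.get(n) != v}

def demo():
    """Rebuild the issue's layout in a temp dir: Flask 2.2.2 system-wide, 1.1.4 in a venv (constructed)."""
    root = tempfile.mkdtemp()
    sys_site, venv = os.path.join(root, "sys-site"), os.path.join(root, "venv")
    venv_site = os.path.join(venv, "lib", "site-packages")
    for site, ver in ((sys_site, "2.2.2"), (venv_site, "1.1.4")):
        d = os.path.join(site, f"Flask-{ver}.dist-info")  # constructed minimal dist-info stub
        os.makedirs(d)
        with open(os.path.join(d, "METADATA"), "w") as fh:
            fh.write(f"Metadata-Version: 2.1\nName: Flask\nVersion: {ver}\n")
    # Two constructed "jake" console scripts: one installed globally, one inside the venv.
    scripts = {"global_jake": (os.path.join(root, "jake"), "/usr/bin/python3"),
               "venv_jake": (os.path.join(venv, "jake"), os.path.join(venv, "bin", "python3"))}
    result = {"phantom": phantom_findings(sys_site, venv_site)}
    for label, (path, interp) in scripts.items():
        with open(path, "w") as fh:
            fh.write(f"#!{interp}\n")  # pip writes the installing interpreter's path here
        result[label] = interpreter_in_prefix(script_interpreter(path), venv)
    return result
```

Running `demo()` reports the global script as outside the venv, the venv script as inside it, and Flask as a phantom finding (reported at 2.2.2, actually 1.1.4), which is exactly the mismatch in the report above.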