pip-audit
Allow different output formats in parallel (e.g. for SBOM reports)
Pre-submission checks
- [X] I am not reporting a new vulnerability or requesting a new vulnerability identifier. These must be reported or managed via upstream dependency sources or services, not this repository.
- [X] I agree to follow the PSF Code of Conduct.
- [X] I have looked through the open issues for a duplicate request.
What's the problem this feature will solve?
When I run pip-audit in a CI job I love to have tabular output of the scanning results in the log output, but I also want to submit the results (e.g. SBOM reports in JSON or XML) to the CI service for integration in the PR/MR widget.
Currently, I have to run pip-audit twice. One run for the tabular output, another one to write the JSON or XML report.
Describe the solution you'd like
There are the --format and the --output options, which can only be used once (the last occurrence counts). It would cause a lot of trouble to redefine their behavior, hence new options are likely needed.
Two additional options --cyclonedx-xml=<filepath> and --cyclonedx-json=<filepath> would allow you to use any format you like on the console, yet still save the CycloneDX SBOM report as XML and/or JSON.
Additional context
The proposed solution is inspired by Pytest's --junit-xml option.
Thanks for the request @bittner! Something like this seems reasonable to me, and I've wanted a similar thing for gh-action-pip-audit as well.
As a design item: we want to minimize flag proliferation in pip-audit, since we want its CLI to (roughly) mirror pip's (and consequently be potentially easy to integrate into pip in the future). Having N flags for each permutation of (SBOM-format, serialization) isn't ideal for that 🙂
(I know this doesn't propose every permutation, but offering some permutations makes it harder to justify not adding others in the future.)
Given that, I think we maybe want to do something a little more magic like --cyclonedx=<filepath>.{xml,json}, where the suffix of filepath implies the generated format. OTOH, maybe that's too magical (and maybe unidiomatic for CycloneDX -- I don't know what their preferred file extensions actually are)
CCing @di for thoughts as well.
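A sketch of how the suffix-driven --cyclonedx=<filepath>.{xml,json} option discussed above could be wired up, as an added example that is not pip-audit's own code. It assumes a suffix-to-serialization mapping of .json and .xml, a constructed single-package audit result, and minimal stand-in serializers that are not schema-conformant CycloneDX; the -f/--format and -o/--output names mirror the existing options mentioned in the issue, and everything else is illustrative. The point worth seeing is that one audit pass feeds both the console rendering and the SBOM file, and that an unrecognized suffix is rejected as a usage error rather than silently defaulting to one format.

```python
"""Sketch of a --cyclonedx=<path>.{xml,json} option (example code, not pip-audit's).

Assumptions for illustration: the suffix mapping below, the constructed
SAMPLE_RESULTS, and the minimal (non-schema-conformant) CycloneDX stand-ins.
"""
import argparse
import json
import pathlib
import xml.etree.ElementTree as ET

# Suffix -> serialization: the "magic" proposed in the thread (assumed mapping).
CYCLONEDX_SUFFIXES = {".json": "json", ".xml": "xml"}


def cyclonedx_target(path: str):
    """argparse type: validate the suffix up front and return (path, serialization).

    Raising ArgumentTypeError makes argparse print a usage error and exit,
    so a typo such as report.jsn cannot quietly produce the wrong format.
    """
    suffix = pathlib.Path(path).suffix.lower()
    if suffix not in CYCLONEDX_SUFFIXES:
        raise argparse.ArgumentTypeError(
            f"--cyclonedx path must end in .json or .xml, got {path!r}"
        )
    return path, CYCLONEDX_SUFFIXES[suffix]


def build_parser() -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(prog="pip-audit-sketch")
    # Console output options, in the style of the existing -f/-o (last occurrence wins).
    parser.add_argument("-f", "--format", choices=["columns", "json"], default="columns")
    parser.add_argument("-o", "--output", default=None)
    # Proposed option: one flag, serialization implied by the file suffix.
    parser.add_argument("--cyclonedx", type=cyclonedx_target, metavar="PATH.{xml,json}")
    return parser


# Constructed sample result standing in for one audited dependency.
SAMPLE_RESULTS = [
    {"name": "example-pkg", "version": "1.0.0", "vulns": ["EXAMPLE-0001"]},
]


def render_console(results, fmt: str) -> str:
    """Tabular or JSON rendering for the CI log."""
    if fmt == "json":
        return json.dumps(results)
    width = max(len(r["name"]) for r in results)
    return "\n".join(
        f"{r['name']:<{width}} {r['version']} {','.join(r['vulns'])}" for r in results
    )


def render_cyclonedx(results, serialization: str) -> str:
    """Minimal stand-in for a CycloneDX BOM (illustrative, not schema-conformant)."""
    if serialization == "json":
        components = [{"name": r["name"], "version": r["version"]} for r in results]
        return json.dumps({"bomFormat": "CycloneDX", "components": components})
    bom = ET.Element("bom")
    comps = ET.SubElement(bom, "components")
    for r in results:
        comp = ET.SubElement(comps, "component")
        ET.SubElement(comp, "name").text = r["name"]
        ET.SubElement(comp, "version").text = r["version"]
    return ET.tostring(bom, encoding="unicode")


def run(argv, results=SAMPLE_RESULTS):
    """Parse argv and return (console_text, sbom) from a single audit pass.

    sbom is None when --cyclonedx is absent, else (path, serialized_bom).
    Writing is left to main() so the function stays side-effect free.
    """
    args = build_parser().parse_args(argv)
    console = render_console(results, args.format)
    sbom = None
    if args.cyclonedx:
        path, serialization = args.cyclonedx
        sbom = (path, render_cyclonedx(results, serialization))
    return console, sbom


def main(argv=None):
    console, sbom = run(argv)
    print(console)
    if sbom:
        pathlib.Path(sbom[0]).write_text(sbom[1])


if __name__ == "__main__":
    main()
```

Run as `python sketch.py -f columns --cyclonedx bom.json` to get the table on stdout and the JSON BOM on disk from one invocation; `--cyclonedx bom.txt` is refused at argument parsing time with a usage error.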
> we maybe want to do something a little more magic like --cyclonedx=<filepath>.{xml,json}
I like that proposal. Doesn't seem too magical to me, just needs to be explained explicitly in the usage.
> I like that proposal. Doesn't seem too magical to me, just needs to be explained explicitly in the usage.
Agreed. I'll give @di some time to chime in, but assuming that sounds reasonable to him I'd be happy to review a PR that adds that behavior 🙂
Seems fine to me!