
Feature: Log ignored vulnerabilities to markdown output

Open PhorstenkampFuzzy opened this issue 7 months ago • 6 comments

Pre-submission checks

  • [x] I am not reporting a new vulnerability or requesting a new vulnerability identifier. These must be reported or managed via upstream dependency sources or services, not this repository.
  • [x] I agree to follow the PSF Code of Conduct.
  • [x] I have looked through the open issues for a duplicate request.

What's the problem this feature will solve?

We are currently using the markdown report in our build chain and include such reports into our documentation. Those reports currently do not include the ignored vulnerabilities.

Describe the solution you'd like

Please add a section on ignored vulnerabilities in the markdown report.

Additional context

No response

PhorstenkampFuzzy avatar Apr 17 '25 09:04 PhorstenkampFuzzy

Hi @PhorstenkampFuzzy, thanks for opening an issue.

Making sure I understand: are you asking for the markdown to contain ignored vulnerabilities, or skipped dependencies? The latter isn't currently included, unlike some of the other formats, while the former isn't included in any output formats (because it would be just a direct pass-through of the --ignore-vuln CLI option).

woodruffw avatar Apr 17 '25 14:04 woodruffw

I would ask for ignore-vuln maybe with an association of the affected packages. So kind of a risk acknowledgement in the md file.

PhorstenkampFuzzy avatar Apr 17 '25 14:04 PhorstenkampFuzzy

I am willing and probably able to implement this if it is something that is deemed of value by the maintainer / developer community of this project.

PhorstenkampFuzzy avatar Apr 17 '25 16:04 PhorstenkampFuzzy

I'm not opposed to this per se, but I think it'll have to go with a larger re-thinking of the output layer within pip-audit: right now output formats are driven by the VulnerabilityFormat interface, which doesn't include ignore information. More generally, I don't think we currently plumb ignores anywhere through the output layers -- ignoring is currently done as a post-processing step after the audit service.

TL;DR: I appreciate the offer to contribute, but I want to think about this some more before I say we want it -- it makes sense to expose this data, but I think we should do it in a way that works for all of the output formats, which in turn has larger refactoring implications.

woodruffw avatar Apr 17 '25 18:04 woodruffw
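Because ignoring is a post-processing step after the audit, the risk-acknowledgement section this issue asks for can be produced outside pip-audit today: run the audit with JSON output and without `--ignore-vuln`, then let a small script apply the ignore list and render the markdown. The script below is an added example for that workflow, not pip-audit's own code and not a proposal for its output layer. It assumes the JSON report has the shape shown in the constructed `SAMPLE_REPORT` (a `dependencies` list whose entries carry `name`, `version` and `vulns` with `id`, `aliases`, `fix_versions`, `description`); all advisory IDs in it are placeholders. Beyond the request in the thread it also lists ignore entries that matched nothing, since a stale ignore is worth pruning.

```python
"""Render a pip-audit style JSON report as markdown with an
'Ignored vulnerabilities' section that ties each ignored ID to the
package(s) it affects.  Added example; report shape is an assumption."""
import json
import sys

# Constructed sample in the assumed shape of `pip-audit --format json`.
# Every ID below is a placeholder, not a real advisory.
SAMPLE_REPORT = {
    "dependencies": [
        {"name": "examplelib", "version": "1.0.0", "vulns": [
            {"id": "PYSEC-0000-0001", "aliases": ["CVE-0000-0001"],
             "fix_versions": ["1.0.1"], "description": "placeholder | issue A"},
            {"id": "PYSEC-0000-0002", "aliases": [],
             "fix_versions": [], "description": "placeholder issue B"},
        ]},
        {"name": "otherlib", "version": "2.3.0", "vulns": [
            {"id": "PYSEC-0000-0003", "aliases": ["CVE-0000-0003"],
             "fix_versions": ["2.4.0"], "description": "placeholder issue C"},
        ]},
        {"name": "cleanlib", "version": "0.1.0", "vulns": []},
    ]
}


def _md_cell(text):
    """Escape pipes and newlines so free text cannot break a markdown table."""
    return str(text).replace("|", "\\|").replace("\n", " ")


def partition_vulns(report, ignored):
    """Split every (package, vuln) pair into active and ignored rows.

    A vuln counts as ignored when its primary ID or any alias is in
    `ignored`; the matching IDs are kept so the report shows which
    ignore entry suppressed the finding."""
    ignored = set(ignored)
    active, acknowledged = [], []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            ids = {vuln["id"], *vuln.get("aliases", [])}
            matched = sorted(ids & ignored)
            row = {
                "package": dep["name"],
                "version": dep["version"],
                "id": vuln["id"],
                "fix_versions": list(vuln.get("fix_versions", [])),
                "description": vuln.get("description", ""),
                "matched": matched,
            }
            (acknowledged if matched else active).append(row)
    return active, acknowledged


def unused_ignores(report, ignored):
    """Ignore entries that matched nothing in this audit (stale acknowledgements)."""
    _, acknowledged = partition_vulns(report, ignored)
    used = {i for r in acknowledged for i in r["matched"]}
    return sorted(set(ignored) - used)


def render_markdown(report, ignored, reasons=None):
    """Markdown with an active-findings table and a risk-acknowledgement table.

    `reasons` maps an ignored ID to the justification recorded for it."""
    reasons = reasons or {}
    active, acknowledged = partition_vulns(report, ignored)
    out = ["## Vulnerabilities", ""]
    if active:
        out += ["| Package | Version | ID | Fix versions | Description |",
                "| --- | --- | --- | --- | --- |"]
        for r in active:
            fixes = ", ".join(r["fix_versions"]) or "none"
            out.append(f"| {r['package']} | {r['version']} | {r['id']} | "
                       f"{fixes} | {_md_cell(r['description'])} |")
    else:
        out.append("No known vulnerabilities found.")
    out += ["", "## Ignored vulnerabilities (risk acknowledgement)", ""]
    if acknowledged:
        out += ["| Package | Version | ID | Ignored via | Reason |",
                "| --- | --- | --- | --- | --- |"]
        for r in acknowledged:
            reason = next((reasons[i] for i in r["matched"] if i in reasons),
                          "no reason recorded")
            out.append(f"| {r['package']} | {r['version']} | {r['id']} | "
                       f"{', '.join(r['matched'])} | {_md_cell(reason)} |")
    else:
        out.append("None.")
    stale = unused_ignores(report, ignored)
    if stale:
        out += ["", "Ignore entries that matched nothing: " + ", ".join(stale)]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python render_ignored.py report.json  (falls back to the sample)
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    print(render_markdown(report, {"CVE-0000-0001"},
                          {"CVE-0000-0001": "affected feature disabled"}))
```

Matching on aliases as well as the primary ID matters because the ID handed to `--ignore-vuln` is often a CVE while the report keys findings by PYSEC ID; the table's "Ignored via" column records which form actually suppressed the finding.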

Hence me talking before doing.

PhorstenkampFuzzy avatar Apr 18 '25 10:04 PhorstenkampFuzzy

Maybe discuss it with the other maintainers. As stated, I am willing to help.

philipp-horstenkamp avatar Apr 21 '25 13:04 philipp-horstenkamp