pip-audit
Not display unpatched version
Hello,
Is there a way to not display in the pip-audit output the python packages which are not fixed? Just like trivy, where if you use the parameter --ignore-unfixed you can ignore them until a fix appears.
https://aquasecurity.github.io/trivy/v0.22.0/vulnerability/examples/filter/
Is there a way to not display in the pip-audit output the python packages which are not fixed?
Just to make sure I understand: you want a flag that removes vulnerabilities from the output if there aren't any known fixes for them? Am I understanding that correctly?
If so, that shouldn't be very difficult to do (although we'd likely only support it for the "column" output format, since all other formats are manifest formats that dump everything).
cc @di for thoughts on whether this is worth supporting.
(FWIW, you should be able to do something similar to this without any changes to pip-audit
by using --format=json
and filtering the results on your own).
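The --format=json workaround described above, as an added example that is not code from the pip-audit project: it filters a pip-audit JSON report down to findings that have a known fix, while counting the hidden ones so nothing disappears silently. The JSON shape (a list of dependencies, or an object with a "dependencies" list, each with "name", "version" and "vulns" carrying "id" and "fix_versions") is assumed from pip-audit's JSON output and should be checked against the version in use; the sample report is constructed.

```python
"""Hide pip-audit findings without a known fix, but report how many were hidden."""
import json
import sys

# Constructed sample in the assumed pip-audit --format=json shape (ids are placeholders).
SAMPLE_REPORT = [
    {"name": "flask", "version": "0.12", "vulns": [
        {"id": "PYSEC-0000-AAA", "fix_versions": ["1.0"], "aliases": [], "description": "constructed"}]},
    {"name": "legacy-lib", "version": "2.3", "vulns": [
        {"id": "PYSEC-0000-BBB", "fix_versions": [], "aliases": [], "description": "constructed"}]},
    {"name": "requests", "version": "2.28.0", "vulns": []},
]


def split_by_fix_status(report):
    """Return (fixable, unfixed): lists of (package, version, vuln) tuples.

    Accepts either the bare list form or the {"dependencies": [...]} form (assumption).
    """
    deps = report["dependencies"] if isinstance(report, dict) else report
    fixable, unfixed = [], []
    for dep in deps:
        for vuln in dep.get("vulns", []):
            entry = (dep["name"], dep["version"], vuln)
            # An empty or missing fix_versions list means no fixed release is known.
            (fixable if vuln.get("fix_versions") else unfixed).append(entry)
    return fixable, unfixed


def render(fixable, unfixed):
    """Column-style lines for fixable findings plus a summary of what was hidden."""
    lines = [f"{name} {ver} {v['id']} -> fix: {', '.join(v['fix_versions'])}"
             for name, ver, v in fixable]
    # Never drop unfixed findings silently: always say how many were suppressed.
    lines.append(f"({len(unfixed)} finding(s) without a known fix hidden)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: pip-audit --format=json | python filter_unfixed.py   (falls back to the sample)
    report = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_REPORT
    fixable, unfixed = split_by_fix_status(report)
    print(render(fixable, unfixed))
    sys.exit(1 if fixable else 0)  # fail the build only on fixable findings
```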
Hey! First of all, thank you for your reply. :) Secondly, indeed, if there aren't any known fixes for the python libraries, don't display them when using pip-audit. The same feature exists also in the trivy tool.
I think #209 is probably the right way to go about this. We don't want to provide a flag that will implicitly/silently ignore any potential vulnerability. Instead, the user should explicitly acknowledge/declare which audit failures are acceptable.
Well, basically you are not ignoring the fix if it appears. If there is actually no fix for the problem, just don't display it (offer this parameter), and when this is eventually fixed, even if we have this parameter, it will display and tell in which version this is changed.
Right, the use case we're trying to avoid is if you have a dependency on a library that never implements a fix (for example, perhaps it is unmaintained), and you never find out about it. If you have a --ignore-unfixed flag, this could happen entirely without your knowledge.
Instead, if pip-audit starts failing on this library, and you have to explicitly acknowledge that you're OK with the vulnerability to get it passing again, you're now aware that the vulnerability exists. Similarly, pip-audit can start failing if you're ignoring a result, but a fix is available, prompting you to move to the fixed version.