pip-audit icon indicating copy to clipboard operation
pip-audit copied to clipboard
verified publisher icon pypa

Roadmap: integration into `pip` as `pip audit` subcommand

Open di opened this issue 3 years ago • 1 comments

This issue describes a potential roadmap for the integration of pip-audit into pip as a pip audit subcommand, as well as potential blockers.

This top-level comment will be edited as the roadmap is updated and progresses. Comments to this issue will describe progress on the roadmap for subscribers.

  • [x] Transfer this project to the PyPA
  • [ ] pip supports a vulnerability API that isn't the legacy JSON API
    • [x] initial support in pip for PEP 691: https://github.com/pypa/pip/pull/11158
    • [ ] new PEP to describe additional vulnerability fields for PEP 691
  • [ ] pip-audit supports PEP 691 + future PEP instead of legacy JSON API for PyPI
  • [ ] pip-api needs to support being vendored by pip and using internal pip API instead of CLI
    • [ ] https://github.com/di/pip-api/pull/138/
  • [ ] pip-audit needs to support being vendored by pip and 'mounted' as a subcommand
    • [ ] audit all our sub-dependencies and determine if we will introduce any new pip sub-dependencies, or if that can be avoided
    • [ ] a method to minimally restrict what parts of our command API are available via pip audit, which would allow us to slowly introduce existing pip-audit features into pip audit rather than all at once.
    • [ ] similar to the above: features that should not be part of the pip integration need to be marked and gated during vendoring, e.g. our current CycloneDX SBOM support
  • [ ] pip-audit and necessary dependencies are vendored into pip
  • [ ] new release of pip with support for pip audit

I think the core functionality we'll want to support is:

  • Auditing the local environment: pip audit
  • Auditing a requirements file: pip audit -r <filename>
  • Auditing a source tree for a Python project: pip audit .
  • Output in formats that pip currently supports (e.g. JSON, text/columns)

Things that pip-audit supports that pip audit may want to support eventually but don't need to be included in the initial release:

  • Automated fixing/remediation (--fix)
  • Output in formats that pip doesn't currently support (e.g. SBOM format)

Things that pip-audit supports that pip will likely never support:

  • Support for non-PEP 691 compliant APIs (e.g. legacy JSON, OSV)

di avatar Jul 25 '22 19:07 di

Added another sub-item to the "needs to support being vendored by pip" task to reflect that we need to completely "fuse off" some functionality, but otherwise this roadmap LGTM!

woodruffw avatar Jul 25 '22 20:07 woodruffw