
Support auditing sub-dependencies of individual projects

Open di opened this issue 4 years ago • 4 comments

As a project maintainer, I'd like to be able to use pip-audit to audit the sub-dependencies of my project (likely by somehow evaluating my local source tree prior to building a distribution artifact).

E.g., I maintain https://github.com/pypa/sampleproject, which depends on peppercorn. A CVE is released for some version of peppercorn, and I need to adjust my sub-dependency specification to avoid installing affected versions.

di avatar Oct 26 '21 17:10 di

We may choose to do this only via https://github.com/trailofbits/pip-audit/issues/83, or we may want to extend this to setup.cfg or non-static formats like setup.py.

di avatar Oct 26 '21 22:10 di

Let's evaluate supporting this in the context of pyproject.toml (#83).

woodruffw avatar Jan 11 '22 22:01 woodruffw

Command invocation for this would be something like

$ pip audit .
$ pip audit /path/to/source/tree

di avatar Feb 08 '22 19:02 di

That makes sense!

Making sure that I understand the behavior here: how would we go about disambiguating the top-level project(s) from their sub-dependencies? Are you thinking that pip-audit . would behave similarly to pip install ., where we'd scan the target directory for Python packaging files (specifically, setup.py) and use those to distinguish the top-level package(s) from their dependencies?

woodruffw avatar Feb 08 '22 19:02 woodruffw