Alex Cameron
This requires #70
> Wait, so `pip-audit` runs `pip install` on each package provided by `-r`? ([I think the code that does so is here](https://github.com/trailofbits/pip-audit/blob/9b0afe496b56c01326888f914f4575b9393d144a/pip_audit/_virtual_env.py#L15)) Obviously `pip install` would have been run by...
> As a thought on improving this: @tetsuo-cpp what do you think about trying to share virtual environments between packages, whenever we need to fall back to source distributions? I...
@woodruffw But if you keep packages installed on the virtual environment, isn't your `pip list` output going to get cluttered by other packages? That data ends up being fed into...
My bad, I misread this issue. Looks like we want to keep this open until a follow up PR to catch the `VirtualEnvError` and add some user friendly error message.
I think `syft` could be really useful for us. It has quite a bit of functionality for both container images and filesystems and supports a bunch of different language ecosystems....
Thinking about how this compares to the alternatives:

### Other options

I'll keep an eye out but I wasn't able to find anything that fits the bill. [Tern](https://github.com/tern-tools/tern) is interesting...
Thanks for the report @Lewiscowles1986. The `-l` flag is meant to be modelled after `pip list -l` which filters out system packages when being run within a virtual environment. I...
My bad, I parsed this wrong. You're right, I wouldn't expect `pip-audit` to pick up globally installed packages with the `-l` flag. Let me try to reproduce this myself.
@woodruffw I can't seem to reproduce this, could you give it a try? In order for my virtualenv to "inherit" the system packages, I need to create it with `--system-site-packages`....