Build a simple standalone audit tool #1

Closed
oliverchang opened this issue Jun 4, 2021 · 3 comments
Comments

@oliverchang
Contributor

Build a simple standalone audit tool which just queries https://osv.dev with the list of installed packages.

Once pypi/warehouse#9407 is merged and vulnerabilities are returned in the simple JSON API, we can switch to that instead.
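The minimal tool described above, as an added example (not code from this project, skjold, or pip-audit): it reads pinned `name==version` lines from a requirements file, sends one query per package to the public OSV.dev API, and reports any returned advisories. It assumes the documented OSV query endpoint `https://api.osv.dev/v1/query` with a request body of `{"package": {"name", "ecosystem"}, "version"}` and a response of `{"vulns": [...]}`; the `_constructed_osv_opener` stub and its `EXAMPLE-0001` advisory are constructed stand-ins so the code can be exercised offline, and `audit()` takes an injectable opener only for that reason.

```python
"""Minimal stand-alone PyPI audit against the OSV.dev query API.

Added example, not the project's own code. Assumes the public OSV API
(https://api.osv.dev/v1/query) and its documented request/response shape.
"""
import io
import json
import re
import sys
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"

# Only exact pins are auditable: a range like "requests>=2" names no version.
_PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)")


def parse_requirements(text):
    """Return [(name, version)] for pinned 'name==version' lines; skip the rest."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _PIN_RE.match(line)
        if m:
            pins.append((m.group(1), m.group(2)))
    return pins


def build_query(name, version):
    """Request body for one package, per the OSV /v1/query API."""
    return {"package": {"name": name, "ecosystem": "PyPI"}, "version": version}


def summarize_vulns(response):
    """Reduce an OSV query response to [(advisory id, summary)]."""
    return [(v.get("id", "?"), v.get("summary", "")) for v in response.get("vulns", [])]


def query_osv(name, version, opener=None):
    """POST one query to OSV. `opener` defaults to urlopen; injectable for offline use."""
    data = json.dumps(build_query(name, version)).encode()
    req = urllib.request.Request(
        OSV_QUERY_URL, data=data, headers={"Content-Type": "application/json"}
    )
    opener = opener or urllib.request.urlopen
    with opener(req) as resp:
        return json.load(resp)


def audit(requirements_text, opener=None):
    """Map 'name==version' -> [(id, summary)] for every pin with known advisories."""
    findings = {}
    for name, version in parse_requirements(requirements_text):
        vulns = summarize_vulns(query_osv(name, version, opener))
        if vulns:
            findings[f"{name}=={version}"] = vulns
    return findings


def _constructed_osv_opener(req):
    """Offline stand-in for urlopen returning a constructed, OSV-shaped response.

    The advisory id EXAMPLE-0001 is a placeholder, not a real OSV record.
    """
    body = json.loads(req.data)
    if body["package"]["name"].lower() == "urllib3":
        vulns = [{"id": "EXAMPLE-0001", "summary": "constructed placeholder advisory"}]
    else:
        vulns = []
    return io.BytesIO(json.dumps({"vulns": vulns}).encode())


if __name__ == "__main__":
    # Usage: python osv_audit.py requirements.txt   (or "-" to read stdin)
    path = sys.argv[1] if len(sys.argv) > 1 else "-"
    text = sys.stdin.read() if path == "-" else open(path, encoding="utf-8").read()
    findings = audit(text)  # real network call to OSV.dev
    for pin, vulns in findings.items():
        for vid, summary in vulns:
            print(f"{pin}: {vid} {summary}")
    sys.exit(1 if findings else 0)
```

The non-zero exit status when anything is found is what lets the script gate a CI job; note that unpinned lines are silently skipped, so a requirements file full of ranges audits nothing and a real tool should warn about that.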

@twu
Contributor

twu commented Jul 5, 2021

👋 First of all, I'm super excited about the work/features discussed in pypi/warehouse#9407. I really hope with all those major players involved this gets the attention that it deserves. Thank you! :)

Regarding this issue. I wrote a little tool a while ago called skjold that I use to check my dependencies. I recently added support for both this database (-s pypa) and calling the OSV.dev API directly (-s osv). It hopefully fully supports ECOSYSTEM and SEMVER according to the API specification.

pip install skjold

echo "urllib3==1.23" | skjold audit -s osv -

skjold audit -s osv requirements.txt
skjold audit -s osv Pipenv.lock
skjold audit -s osv poetry.lock

The only difference between the osv and pypa source is that the latter supports local caching. Let me know what you think 🙇

@oliverchang
Contributor Author

Hey, that looks awesome. Thanks for reaching out and letting us know about this one!

I wonder if we might be able to reuse part or all of what you have to build a more officially supported pip-audit tool? @di for thoughts as well.

@di
Member

di commented Oct 19, 2021

This is effectively done with the current release of https://pypi.org/project/pip-audit/, which is still under development. I'll close this issue in favor of more detailed issues at https://github.com/trailofbits/pip-audit/issues.

@di di closed this as completed Oct 19, 2021