
explicitly ignore (e.g. internal) libraries? #209

Open
davidszotten opened this issue Jan 6, 2022 · 5 comments
Labels
enhancement New feature or request

Comments

@davidszotten

Thanks for a great tool!

**Problem**
When using it at $work, the output is cluttered by a long list of all our internal libraries which are (correctly) skipped.

**Describe the solution you'd like**
It would be nice if I could provide a list of packages to silently ignore.

If this would be a useful feature and we can agree on a design, I'd be interested in contributing a patch.

@davidszotten davidszotten added the enhancement New feature or request label Jan 6, 2022
@woodruffw
Member

Thanks for requesting this! I agree that it would be a useful feature to have.

cc @di for implementation thoughts. My first thought is that it probably makes sense to have some kind of per-project/same-directory configuration file that pip-audit could look for, but that might cause problems in terms of our plans to further integrate with pip itself. Another thought is a CLI option that can be passed to ignore a list of dependencies.

Another hiccup is that we'll probably need to be careful about how this functionality interacts with pip-audit -r -- ignoring dependencies will probably cause broken/impossible dependency resolution states, so it might be best to limit this feature to dependency sources that have already been fully resolved like the local (virtual) environment.

@tetsuo-cpp
Contributor

@woodruffw We could try looking for a pyproject.toml? But yeah, I imagine this will have to be left out of the pip integration.

@davidszotten
Author

As a first stab, maybe we could have the flag only exclude libs from the _reports_ (which would solve my clutter issue).

@woodruffw
Member

Yeah, I think a pyproject.toml would be an "ideal" solution, but that we'll be treading down a painful path with splitting out our dependencies if we go that route (AFAIK, pip doesn't vendor a TOML parser yet).

> As a first stab, maybe we could have the flag only exclude libs from the _reports_ (which would solve my clutter issue).

Just to make sure I understand: what's the current clutter problem you're having? Is it that one of the output formats is too verbose when packages can't be publicly resolved, or is it a deluge of logging messages from pip-audit?

@davidszotten
Author

> Just to make sure I understand: what's the current clutter problem you're having? Is it that one of the output formats is too verbose when packages can't be publicly resolved, or is it a deluge of logging messages from pip-audit?

It's the default console output. E.g. today I had a few vulnerabilities followed by 28 lines of
[...] Dependency not found on PyPI and could not be audited [...]
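The following is an added illustration of the design discussed in this thread, not code from pip-audit itself: an explicit ignore list applied only to an already-resolved dependency set (such as the local virtual environment, never unresolved `-r` input), with PEP 503 name normalization so spelling variants match, and with a check that reports ignore entries matching nothing, so a stale or mistyped entry cannot quietly hide a real package. The package names and the exact shape of the "not found" line are constructed for the example.

```python
# Added example, not pip-audit's own code. Applies an ignore list to resolved
# (name, version) pairs and suppresses the per-package "not found" clutter
# only for packages the user explicitly chose to ignore.
from __future__ import annotations
import re
from typing import Iterable

def canonicalize(name: str) -> str:
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' collapse
    to '-', so 'Acme_Internal' and 'acme-internal' refer to the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()

def apply_ignore_list(resolved: Iterable[tuple[str, str]], ignore: Iterable[str]):
    """Split resolved dependencies into (to_audit, skipped, unused_ignore_entries).
    Unused entries are returned rather than dropped, so the caller can warn about
    an ignore entry that matched no installed package."""
    ignore_set = {canonicalize(n) for n in ignore}
    to_audit, skipped, matched = [], [], set()
    for name, version in resolved:
        key = canonicalize(name)
        if key in ignore_set:
            skipped.append((name, version))
            matched.add(key)
        else:
            to_audit.append((name, version))
    return to_audit, skipped, sorted(ignore_set - matched)

def console_lines(to_audit: Iterable[tuple[str, str]], not_on_pypi: Iterable[str]) -> list[str]:
    """Emit the 'not found' warning only for packages that survived the ignore
    list. The line format is an approximation of the message quoted above."""
    missing = {canonicalize(n) for n in not_on_pypi}
    return [f"{name} ({version}): Dependency not found on PyPI and could not be audited"
            for name, version in to_audit if canonicalize(name) in missing]

# Constructed sample environment: two public packages and three internal ones;
# the last IGNORE entry is a deliberately stale name that matches nothing.
RESOLVED = [("requests", "2.27.1"), ("Acme_Internal", "1.0"),
            ("acme.billing", "3.2"), ("acme-auth", "0.9"), ("urllib3", "1.26.8")]
IGNORE = ["acme-internal", "acme-billing", "acme-payments"]
NOT_ON_PYPI = ["acme-internal", "acme-billing", "acme-auth"]

if __name__ == "__main__":
    audit, skipped, unused = apply_ignore_list(RESOLVED, IGNORE)
    for line in console_lines(audit, NOT_ON_PYPI):
        print(line)
    if unused:
        print("ignore entries that matched nothing:", ", ".join(unused))
```

Running it prints a single "not found" line for acme-auth (which was not ignored) plus a warning about the unused acme-payments entry, instead of one line per internal package.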
