Roadmap: integration into pip as pip audit subcommand #335

Open
2 of 13 tasks
di opened this issue Jul 25, 2022 · 1 comment
di commented Jul 25, 2022

This issue describes a potential roadmap for the integration of pip-audit into pip as a pip audit subcommand, as well as potential blockers.

This top-level comment will be edited as the roadmap is updated and progresses. Comments to this issue will describe progress on the roadmap for subscribers.

  • Transfer this project to the PyPA
  • pip supports a vulnerability API that isn't the legacy JSON API
  • pip-audit supports PEP 691 + future PEP instead of legacy JSON API for PyPI
  • pip-api needs to support being vendored by pip and using internal pip API instead of CLI
  • pip-audit needs to support being vendored by pip and 'mounted' as a subcommand
    • audit all our sub-dependencies and determine if we will introduce any new pip sub-dependencies, or if that can be avoided
    • a method to minimally restrict what parts of our command API are available via pip audit, which would allow us to slowly introduce existing pip-audit features into pip audit rather than all at once.
    • similar to the above: features that should not be part of the pip integration need to be marked and gated during vendoring, e.g. our current CycloneDX SBOM support
  • pip-audit and necessary dependencies are vendored into pip
  • new release of pip with support for pip audit

I think the core functionality we'll want to support is:

  • Auditing the local environment: pip audit
  • Auditing a requirements file: pip audit -r <filename>
  • Auditing a source tree for a Python project: pip audit .
  • Output in formats that pip currently supports (e.g. JSON, text/columns)

Things that pip-audit supports that pip audit may want to support eventually but don't need to be included in the initial release:

  • Automated fixing/remediation (--fix)
  • Output in formats that pip doesn't currently support (e.g. SBOM format)

Things that pip-audit supports that pip will likely never support:

  • Support for non-PEP 691 compliant APIs (e.g. legacy JSON, OSV)
@di di added the roadmap label Jul 25, 2022
woodruffw (Member) commented
Added another sub-item to the "needs to support being vendored by pip" task to reflect that we need to completely "fuse off" some functionality, but otherwise this roadmap LGTM!
