Not display unpatched version

[octavd]

Hello,

Is there a way to not display in the pip-audit output the python packages which are not fixed?
Just like trivy, where if you use the parameter --ignore-unfixed it you can ignore until a fix will appear.

https://aquasecurity.github.io/trivy/v0.22.0/vulnerability/examples/filter/

[woodruffw]

Is there a way to not display in the pip-audit output the python packages which are not fixed?

Just to make sure I understand: you want a flag that removes vulnerabilities from the output if there aren't any known fixes for them? Am I understanding that correctly?

If so, that shouldn't be very difficult to do (although we'd likely only support it for the "column" output format, since all other formats are manifest formats that dump everything).

cc @di for thoughts on whether this is worth supporting.

[woodruffw]

(FWIW, you should be able to do something similar to this without any changes to pip-audit by using --format=json and filtering the results on your own).

[octavd]

Is there a way to not display in the pip-audit output the python packages which are not fixed?

Just to make sure I understand: you want a flag that removes vulnerabilities from the output if there aren't any known fixes for them? Am I understanding that correctly?

If so, that shouldn't be very difficult to do (although we'd likely only support it for the "column" output format, since all other formats are manifest formats that dump everything).

cc @di for thoughts on whether this is worth supporting.

Hey! first of all, thank you for your reply. :)
Secondly, indeed, if there aren't any known fixes for the python libraries, don't display them when using pip-audit.
The same feature exists also in trivy tool.

[di]

I think #209 is probably the right way to go about this. We don't want to provide a flag that will implicitly/silently ignore any potential vulnerability. Instead, the user should explicitly acknowledge/declare which audit failures are acceptable.

[octavd]

Well, basically you are not ignoring the fix if it will appear. If there is actually no fix for the problem, just don't display (offer this parameter) and when this is eventually fix, even we will have this parameter, it will display and tell in which version this is changed.

[di]

Right, the use case we're trying to avoid is if you have a dependency on a library that never implements a fix (for example, perhaps it is unmaintained), and you never find out about it. If you have a --ignore-unfixed flag, this could happen entirely without your knowledge.

Instead, if pip-audit starts failing on this library, and you have explicitly acknowledge that you're OK with the vulnerability to get it passing again, you're now aware that the vulnerability exists. Similarly, pip-audit can start failing if you're ignoring a result, but a fix is available, prompting you to move to the fixed version.