Not display unpatched version #243
Hello,
Is there a way to not display in the pip-audit output the Python packages which are not fixed?
Just like Trivy, where if you use the parameter --ignore-unfixed you can ignore them until a fix appears.
https://aquasecurity.github.io/trivy/v0.22.0/vulnerability/examples/filter/

Comments

Just to make sure I understand: you want a flag that removes vulnerabilities from the output if there aren't any known fixes for them? Am I understanding that correctly? If so, that shouldn't be very difficult to do (although we'd likely only support it for the "column" output format, since all other formats are manifest formats that dump everything). cc @di for thoughts on whether this is worth supporting.

(FWIW, you should be able to do something similar to this without any changes to

Hey! First of all, thank you for your reply. :)

I think #209 is probably the right way to go about this. We don't want to provide a flag that will implicitly/silently ignore any potential vulnerability. Instead, the user should explicitly acknowledge/declare which audit failures are acceptable.

Well, basically you are not ignoring the fix if it appears. If there is actually no fix for the problem, just don't display it (offer this parameter), and when this is eventually fixed, even if we have this parameter, it will display and tell in which version this was changed.

Right, the use case we're trying to avoid is if you have a dependency on a library that never implements a fix (for example, perhaps it is unmaintained), and you never find out about it. If you have a Instead, if
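One of the maintainers' replies above points out that this filtering can be done without changing pip-audit at all, by post-processing its machine-readable output. The script below is an added example written for this page; it is not part of pip-audit and not code from the thread. It assumes the shape of `pip-audit --format json` output (a top-level object with a "dependencies" list, or in older releases the bare list; each dependency carrying "name", "version" and "vulns", each vuln carrying "id", "fix_versions" and "description"); check that assumption against the pip-audit version you run. To address the objection that an `--ignore-unfixed` flag silently hides risk, the unfixed findings are not dropped: they are reported separately on stderr so an unmaintained dependency is still visible while the main report only lists what can be acted on now. The sample report embedded in the file is constructed and uses made-up advisory IDs.

```python
"""Post-process a pip-audit JSON report, separating findings with a fix from those without.

Added example, not pip-audit's own code. Assumed input shape (verify against your
pip-audit version): {"dependencies": [{"name", "version", "vulns": [{"id",
"fix_versions", "description", ...}]}]} or, for older releases, the bare list.

Usage:  pip-audit --format json | python filter_unfixed.py
Run without piped input to exercise the constructed sample report below.
"""
import json
import sys

# Constructed sample report: not real pip-audit output, not real advisories.
SAMPLE_REPORT = {
    "dependencies": [
        {
            "name": "examplelib",
            "version": "1.0.0",
            "vulns": [
                {"id": "EXAMPLE-2022-0001", "fix_versions": ["1.0.1"],
                 "aliases": [], "description": "fixed upstream"},
                {"id": "EXAMPLE-2022-0002", "fix_versions": [],
                 "aliases": [], "description": "no fix released yet"},
            ],
        },
        {
            "name": "otherlib",
            "version": "2.3.0",
            "vulns": [
                {"id": "EXAMPLE-2022-0003", "fix_versions": [],
                 "aliases": [], "description": "project unmaintained, no fix"},
            ],
        },
        {"name": "cleanlib", "version": "0.9.0", "vulns": []},
    ]
}


def split_unfixed(report):
    """Return (fixable_report, unfixed).

    fixable_report keeps every dependency (so the output still mirrors the
    input layout) but only the vulns that list at least one fix version.
    unfixed is a list of (name, version, vuln_id) for everything hidden from
    fixable_report, so nothing is silently discarded.
    """
    deps = report["dependencies"] if isinstance(report, dict) else report
    fixable_report = []
    unfixed = []
    for dep in deps:
        kept = []
        for vuln in dep.get("vulns", []):
            if vuln.get("fix_versions"):
                kept.append(vuln)
            else:
                unfixed.append((dep["name"], dep["version"], vuln["id"]))
        fixable_report.append({**dep, "vulns": kept})
    return fixable_report, unfixed


def count_findings(report):
    """Number of vulns left in a (possibly filtered) report."""
    return sum(len(dep.get("vulns", [])) for dep in report)


def main():
    if sys.stdin.isatty():
        report = SAMPLE_REPORT  # no piped pip-audit output: demo mode
    else:
        report = json.load(sys.stdin)

    fixable_report, unfixed = split_unfixed(report)

    # Main report: only findings the user can act on by upgrading.
    json.dump({"dependencies": fixable_report}, sys.stdout, indent=2)
    sys.stdout.write("\n")

    # Suppressed findings are still surfaced, just out of the main listing,
    # so an unmaintained dependency does not disappear from view.
    if unfixed:
        sys.stderr.write(f"{len(unfixed)} finding(s) without a known fix hidden from the report:\n")
        for name, version, vuln_id in unfixed:
            sys.stderr.write(f"  {name} {version}: {vuln_id}\n")

    # Non-zero exit only for actionable findings; adjust to taste for CI.
    return 1 if count_findings(fixable_report) else 0


if __name__ == "__main__":
    sys.exit(main())
```

The split deliberately keeps the dependency entries whose vulns were all unfixed (with an empty `vulns` list) so downstream tooling that expects every audited package to appear still works; the stderr summary is what preserves the signal the maintainers were worried about losing.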