Allow different output formats in parallel (e.g. for SBOM reports)

[bittner]

Pre-submission checks

• I am not reporting a new vulnerability or requesting a new vulnerability identifier. These must be reported or managed via upstream dependency sources or services, not this repository.
• I agree to follow the PSF Code of Conduct.
• I have looked through the open issues for a duplicate request.

What's the problem this feature will solve?

When I run pip-audit in a CI job I love to have tabular output of the scanning results in the log output, but I also want to submit the results (e.g. SBOM reports in JSON or XML) to the CI service for integration in the PR/MR widget.

Currently, I have to run pip-audit twice. One run for the tabular output, another one to write the JSON or XML report.

Describe the solution you'd like

There are the --format and the --output options, which can only be used once (the last occurrence counts). It would cause a lot of trouble to redefine their behavior, hence new options are likely needed.

Two additional options --cyclonedx-xml=<filepath> and --cyclonedx-json=<filepath> could allow to use any format you like on the console, yet still save the CycloneDX SBOM report in XML and/or JSON.

Additional context

The proposed solution is inspired by Pytest's --junit-xml option.

[woodruffw]

Thanks for the request @bittner! Something like this seems reasonable to me, and I've wanted a similar thing for gh-action-pip-audit as well.

As a design item: we want to minimize flag proliferation in pip-audit, since we want its CLI to (roughly) mirror pip's (and consequently be potentially easy to integrate into pip in the future). Having N flags for each permutation of (SBOM-format, serialization) isn't ideal for that 🙂

(I know this doesn't propose every permutation, but offering some permutations makes it harder to justify not adding others in the future.)

Given that, I think we maybe want to do something a little more magic like --cyclonedx=<filepath>.{xml,json}, where the suffix of filepath implies the generated format. OTOH, maybe that's too magical (and maybe unidiomatic for CycloneDX -- I don't know what their preferred file extensions actually are)

CCing @di for thoughts as well.

[bittner]

we maybe want to do something a little more magic like --cyclonedx=<filepath>.{xml,json}

I like that proposal. Doesn't seem too magical to me, just needs to be explained explicitly in the usage.

[woodruffw]

I like that proposal. Doesn't seem too magical to me, just needs to be explained explicitly in the usage.

Agreed. I'll give @di some time to chime in, but assuming that sounds reasonable to him I'd be happy to review a PR that adds that behavior 🙂

[di]

Seems fine to me!