Feature: consider Python version when reporting a vulnerability

[jenstroeger]

Pre-submission checks

• I am not reporting a new vulnerability or requesting a new vulnerability identifier. These must be reported or managed via upstream dependency sources or services, not this repository.
• I agree to follow the PSF Code of Conduct.
• I have looked through the open issues for a duplicate request.

What's the problem this feature will solve?

Following up one issue pypa/pip#13607

It seems to me that pip-audit doesn’t consider the Python version it runs on when reporting a vulnerability.

For example, we run pip-audit in a CI workflow on Python 3.13 which also matches our deployment environment. However, GHSA-4xh5-x5gv-qwph (CVE CVE-2025-8869) does not affect Python 3.13 (apparently) and yet it’s being reported.

Describe the solution you'd like

Would be nice that vulnerabilities that don’t apply to the actively running Python version could be ignored. Assuming the Python version itself is reported by the metadata.

Additional context

No response

[woodruffw]

Hi @jenstroeger, thanks for filing this. I agree this would be good to have, but it's unfortunately a data quality issue: I don't believe OSV provides ecosystem version information like this in a machine-readable fashion by default, so pip-audit doesn't have a straightforward way to perform these kinds of filters.

(There's the ecosystem_specific field, but that field requires OSV report creators to agree on a representation + actually use it.)

TL;DR: This is something pip-audit could do, but we need vulnerability authors (or enrichment services like OSV/PYSEC) to provide the appropriate machine-readable metadata here. To do that, they probably need to agree on an ecosystem_specific encoding for Python versions 🙂

CC @di for thoughts + I figure you might know some of the OSV folks who would have thoughts on this!