Feature: Log ignored vulnerabilities to markdown output

[PhorstenkampFuzzy]

Pre-submission checks

• I am not reporting a new vulnerability or requesting a new vulnerability identifier. These must be reported or managed via upstream dependency sources or services, not this repository.
• I agree to follow the PSF Code of Conduct.
• I have looked through the open issues for a duplicate request.

What's the problem this feature will solve?

We are currently using the markdown report in our build chain and include such reports into our documentaiton.
Those reports currently do not include the ignored vulnerabilities.

Describe the solution you'd like

Please add a section on ignored vulnerabilities in the markdown report.

Additional context

No response

[woodruffw]

Hi @PhorstenkampFuzzy, thanks for opening an issue.

Making sure I understand: are you asking for the markdown to contain ignored vulnerabilities, or skipped dependencies? The latter isn't currently included, unlike some of the other formats, while the former isn't included in any output formats (because it would be just a direct pass-through of the --ignore-vuln CLI option).

[PhorstenkampFuzzy]

I would ask for ignore-vuln maybe with an assosiation of the effected packages.
So kind of an risk agnolagement in the md file.

[PhorstenkampFuzzy]

I am willing and probably abel to impelment this if it is something that is deemed of value by the maintainer / developer comunity of this project.

[woodruffw]

I'm not opposed to this per se, but I think it'll have to go with a larger re-thinking of the output layer within pip-audit: right now output formats are driven by the VulnerabilityFormat interface, which doesn't include ignore information. More generally, I don't think we currently plumb ignores anywhere through the output layers -- ignoring is currently done as a post-processing step after the audit service.

TL;DR: I appreciate the offer to contribute, but I want to think about this some more before I say we want it -- it makes sense to expose this data, but I think we should do it in a way that works for all of the output formats, which in turn has larger refactoring implications.

[PhorstenkampFuzzy]

Hence me talking before doing.

[philipp-horstenkamp]

Maybe discuess it with the other maintainers.
As stated, I am willing to help.