pypa · tetsuo-cpp · Jun 15, 2022 · Jun 14, 2022 · Jun 14, 2022 · Jun 14, 2022
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -43,8 +43,7 @@ jobs:
         with:
           python-version: "3.7"
 
-      - name: setup
-        run: make
+      - run: python -m pip install .
 
       - name: check-readme
         run: |
@@ -54,5 +53,5 @@ jobs:
                 < README.md | sed '1d;$d' \
             ) \
             <( \
-              make run ARGS="--help" \
+              python -m pip_audit --help \
             )
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,13 @@ All versions prior to 0.0.9 are untracked.
   can fully verify hashes
   ([#298](https://github.com/trailofbits/pip-audit/pull/298))
 
+### Fixed
+
+* CLI/Dependency sources: `--cache-dir=...` and other flags that affect
+  dependency resolver behavior now work correctly when auditing a
+  `pyproject.toml` dependency source
+  ([#300](https://github.com/trailofbits/pip-audit/pull/300))
+
 ## [2.3.2] - 2022-05-14
 
 ### Changed

diff --git a/Makefile b/Makefile
@@ -21,23 +21,18 @@ else
 	COV_ARGS := --fail-under 100
 endif
 
-env/pyvenv.cfg: pyproject.toml
-	# Create our Python 3 virtual environment
-	[[ -d env ]] || python3 -m venv env
-	./env/bin/python -m pip install --upgrade pip
-	./env/bin/python -m pip install -e .[dev]
-
-
-.PHONY: dev
-dev: env/pyvenv.cfg
-
 .PHONY: all
 all:
 	@echo "Run my targets individually!"
 
-.PHONY: run
-run: env/pyvenv.cfg
-	@. env/bin/activate && pip-audit $(ARGS)
+.PHONY: dev
+dev: env/pyvenv.cfg
+
+env/pyvenv.cfg: pyproject.toml
+	# Create our Python 3 virtual environment
+	python3 -m venv env
+	./env/bin/python -m pip install --upgrade pip
+	./env/bin/python -m pip install -e .[dev]
 
 .PHONY: lint
 lint: env/pyvenv.cfg

diff --git a/pip_audit/_cli.py b/pip_audit/_cli.py
@@ -303,11 +303,13 @@ def _parse_args(parser: argparse.ArgumentParser) -> argparse.Namespace:
     return parser.parse_args()
 
 
-def _dep_source_from_project_path(project_path: Path, state: AuditState) -> DependencySource:
+def _dep_source_from_project_path(
+    project_path: Path, resolver: ResolveLibResolver, state: AuditState
+) -> DependencySource:
     # Check for a `pyproject.toml`
     pyproject_path = project_path / "pyproject.toml"
     if pyproject_path.is_file():
-        return PyProjectSource(pyproject_path, ResolveLibResolver(), state)
+        return PyProjectSource(pyproject_path, resolver, state)
 
     # TODO: Checks for setup.py and other project files will go here.
 
@@ -390,7 +392,13 @@ def audit() -> None:
             # once PEP 660 is more widely supported: https://www.python.org/dev/peps/pep-0660/
 
             # Determine which kind of project file exists in the project path
-            source = _dep_source_from_project_path(args.project_path, state)
+            source = _dep_source_from_project_path(
+                args.project_path,
+                ResolveLibResolver(
+                    index_urls, args.timeout, args.cache_dir, args.skip_editable, state
+                ),
+                state,
+            )
         else:
             source = PipSource(
                 local=args.local, paths=args.paths, skip_editable=args.skip_editable, state=state