Automatically audit packages using both osv and pypi, or document that they may report different results
Is your feature request related to a problem? Please describe.
I’m always frustrated when I think there are no security vulnerabilities in my project, but there actually are. My team runs pip-audit as a daily CI job to warn us about CVEs in our Python dependencies.
By default pip-audit uses PyPI, and currently reports no issues for any of our dependencies. But while investigating a Dependabot warning today, we reran pip-audit using “--vulnerability-service osv”, and saw that there was a django-celery-results GHSA reported in OSV.
Describe the solution you’d like
Obviously pip-audit doesn’t control the contents of either the OSV or PyPI databases, and I’m about to go request that those projects synchronize their data. But it would also be nice if pip-audit automatically checked both OSV and PyPI by default:
-s SERVICE, --vulnerability-service SERVICE
the vulnerability service to audit dependencies
against (choices: osv, pypi) (default: osv, pypi)
Describe alternatives you’ve considered
Add some documentation stating that OSV and PyPI vulnerabilities may differ, and that auditing against both services is recommended. This could be a small snippet in “pip-audit --help”, like below:
-s SERVICE, --vulnerability-service SERVICE
the vulnerability service to audit dependencies
against. Each service may report different
results, so checking both is recommended.
(choices: osv, pypi) (default: pypi)
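Until pip-audit itself queries both services, a CI job can do the two runs and diff them. The script below is an added example written for this page, not code from the pip-audit project or from the issue author. It assumes the `{"dependencies": [{"name", "version", "vulns": [{"id", "fix_versions", "aliases", ...}]}]}` shape of pip-audit's `--format json` output (the `aliases` key is assumed to be present and is tolerated when missing), that pip-audit is runnable as `python -m pip_audit`, and that extra arguments such as `-r requirements.txt` can be passed straight through. The two sample reports are constructed, with a placeholder package and placeholder IDs. The point a naive diff misses: PyPI tends to report a PYSEC id while OSV reports the GHSA id for the same vulnerability, so findings must be matched through their alias sets, otherwise every vulnerability looks like a disagreement.

```python
"""Audit with pip-audit against both OSV and PyPI and report disagreements.

Added example for this issue page; assumes the JSON report layout described
in the lead-in (pip-audit --format json with "dependencies"/"vulns"/"aliases").
"""
import json
import subprocess
import sys

SERVICES = ("osv", "pypi")


def run_audit(service, extra_args=()):
    """Run pip-audit against one vulnerability service and return the parsed JSON.

    Assumption: pip-audit exits 0 with no findings and 1 with findings, and in
    both cases writes the JSON report to stdout. Anything that is not valid JSON
    on stdout is treated as a failed run and surfaced with stderr attached.
    """
    cmd = [sys.executable, "-m", "pip_audit", "-s", service, "-f", "json", *extra_args]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    try:
        return json.loads(proc.stdout)
    except json.JSONDecodeError:
        raise RuntimeError(
            f"pip-audit -s {service} failed (exit {proc.returncode}): {proc.stderr.strip()}"
        ) from None


def normalize(report):
    """Flatten one report into {(package, version): [set_of_ids, ...]}.

    Each vulnerability becomes the set of its primary id plus all aliases, so a
    PYSEC-... entry from PyPI and its GHSA-... alias from OSV compare as equal.
    """
    flat = {}
    for dep in report.get("dependencies", []):
        key = (dep["name"].lower(), dep["version"])
        for vuln in dep.get("vulns", []):
            ids = {vuln["id"], *vuln.get("aliases", [])}
            flat.setdefault(key, []).append(ids)
    return flat


def compare(reports):
    """Merge per-service reports ({service: parsed_json}) into one finding list.

    Two findings for the same (package, version) are the same vulnerability when
    their id/alias sets overlap; the merged finding records every service that
    reported it.
    """
    merged = []  # entries: [key, id_set, service_set]
    for service, report in reports.items():
        for key, vulns in normalize(report).items():
            for ids in vulns:
                for entry in merged:
                    if entry[0] == key and entry[1] & ids:
                        entry[1] |= ids
                        entry[2].add(service)
                        break
                else:
                    merged.append([key, set(ids), {service}])
    return [
        {"package": k[0], "version": k[1], "ids": sorted(ids), "services": sorted(svcs)}
        for k, ids, svcs in merged
    ]


def disagreements(results, services=SERVICES):
    """Findings that at least one of the configured services did not report."""
    return [r for r in results if len(r["services"]) < len(services)]


# Constructed sample reports (placeholder package and IDs) in the assumed layout.
SAMPLE_OSV = {"dependencies": [
    {"name": "example-pkg", "version": "1.0.0", "vulns": [
        {"id": "GHSA-xxxx-xxxx-xxx1", "fix_versions": ["1.0.1"],
         "aliases": ["PYSEC-0000-001"], "description": "placeholder"},
        {"id": "GHSA-xxxx-xxxx-xxx2", "fix_versions": [],
         "aliases": [], "description": "placeholder, only known to OSV"},
    ]},
    {"name": "other-pkg", "version": "2.0", "vulns": []},
], "fixes": []}

SAMPLE_PYPI = {"dependencies": [
    {"name": "example-pkg", "version": "1.0.0", "vulns": [
        {"id": "PYSEC-0000-001", "fix_versions": ["1.0.1"],
         "aliases": ["GHSA-xxxx-xxxx-xxx1"], "description": "placeholder"},
    ]},
    {"name": "other-pkg", "version": "2.0", "vulns": []},
], "fixes": []}


def main(argv=None):
    """Run both services on the real environment and fail CI on any finding."""
    argv = sys.argv[1:] if argv is None else argv
    results = compare({svc: run_audit(svc, argv) for svc in SERVICES})
    for r in results:
        flag = "" if len(r["services"]) == len(SERVICES) else "  <-- only in " + ",".join(r["services"])
        print(f"{r['package']}=={r['version']}: {', '.join(r['ids'])}{flag}")
    return 1 if results else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it in place of the single `pip-audit` call in CI (for example `python audit_both.py -r requirements.txt`); the exit status is 1 whenever either service reports anything, and lines marked "only in" are exactly the synchronisation gaps this issue describes.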
Issue Analytics
- Created a year ago
- Comments: 10 (5 by maintainers)
Top GitHub Comments
warehouse now knows about GHSA-fvx8-v524-8579:
Glad to hear it! Thanks again for reporting.