Ignore pip and setuptools vulnerabilities on 'jf audit' #388

Open
@EytanRhl

Description

Is your feature request related to a problem? Please describe.

When running the 'jf audit' command on an empty Python project, vulnerabilities are still reported on pip and setuptools, even though the project is empty and does not contain any reference to pip or setuptools.

Describe the solution you'd like to see

'audit' should report vulnerabilities based on what is present in the venv after pulling the dependencies, and should ignore pip and setuptools as long as they are not part of the project requirements file.

Describe alternatives you've considered

Another way is to add an option to ignore specific CVEs in the scan.

Additional context

TBD
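One way to implement the requested behaviour, as an added example that is neither code from jfrog-cli nor from the issue author: a small Python post-filter that keeps only audit findings whose package is declared in the project's requirements file, and drops the rest (so pip and setuptools disappear from an empty project but are kept as soon as the requirements file names them). The findings list, its field names and the requirements text are constructed for the example; they are assumptions, not the real output format of `jf audit`, and the vulnerability ids are placeholders, not real identifiers.

```python
"""
Added example, not part of the issue or of jfrog-cli: keep only audit
findings for packages declared in requirements.txt.

Assumptions (not jf audit's real schema): each finding is a dict with
"package", "version" and "id" keys; requirements.txt has one requirement
per line. Sample data below is constructed.
"""
import re


def normalize_name(name: str) -> str:
    """PEP 503 normalization: case-insensitive, runs of - _ . become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def declared_packages(requirements_text: str) -> set:
    """Return the normalized names of packages listed in a requirements file.

    Skips blank lines, comments and pip options (-r, -e, --index-url ...),
    and strips version specifiers, extras and environment markers.
    """
    declared = set()
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line or line.startswith("-"):
            continue  # blank, comment-only, or a pip option line
        match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if match:
            declared.add(normalize_name(match.group(1)))
    return declared


def filter_findings(findings, requirements_text: str):
    """Split findings into (kept, dropped) by whether the package is declared."""
    declared = declared_packages(requirements_text)
    kept, dropped = [], []
    for finding in findings:
        target = kept if normalize_name(finding["package"]) in declared else dropped
        target.append(finding)
    return kept, dropped


# Constructed sample: an almost-empty project that declares one direct dependency.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
Demo_Lib>=1.0  # direct dependency of the project
-r other-requirements.txt
"""

# Constructed sample findings; ids are placeholders, not real vulnerability ids.
SAMPLE_FINDINGS = [
    {"package": "pip", "version": "23.0", "id": "placeholder-1"},
    {"package": "setuptools", "version": "65.5.0", "id": "placeholder-2"},
    {"package": "demo-lib", "version": "1.2.0", "id": "placeholder-3"},
]


if __name__ == "__main__":
    kept, dropped = filter_findings(SAMPLE_FINDINGS, SAMPLE_REQUIREMENTS)
    for finding in kept:
        print("REPORT ", finding["package"], finding["version"], finding["id"])
    for finding in dropped:
        print("IGNORE ", finding["package"], finding["version"], finding["id"],
              "(not declared in requirements file)")
```

Note that this only changes what is reported: pip and setuptools are still installed in the venv, so a team that filters them out of the audit report should still track the tooling versions it ships with its build images separately.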
