
Adding auditing to pip

Posted Aug 16, 2022 13:52 UTC (Tue) by amarao (guest, #87073)
In reply to: Adding auditing to pip by kleptog
Parent article: Adding auditing to pip

It's not about specific warnings, it's about culture. Basically, you have a 'security guy' (with a background from, e.g., the police or some other non-IT field) who was tasked with 'IT security'. He follows the guidelines and trainings which say 'no vulnerabilities above 6.7 should be in production systems', and there is a '7.4' for a vulnerability which is not a vulnerability at all. There is no procedure to make it not-a-vulnerability. You explain the reason for ignoring it and the guy just ignores you (like a police officer ignoring an explanation for speeding at ticket time). The rules say 'NO VULNERABILITIES ABOVE 6.4 AND YOU HAVE 7.4 ON MY VULN-READER, DOCUMENTS PLEASE'. And there is a way to make this guy quiet. Install the package in a way which is not visible to the scanner, and you are fine to go (even if you have POODLE with Heartbleed).

If there is a CVE out there, how do you make it 'not a CVE'? I know of no such process.



Adding auditing to pip

Posted Aug 17, 2022 0:31 UTC (Wed) by pabs (subscriber, #43278) [Link]

CVEs can be disputed; you see this all the time if you follow CVE feeds. This is mentioned in the CVE docs on at least these two pages:

https://nvd.nist.gov/general/cve-process
https://nvd.nist.gov/vuln/vulnerability-status
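The two comments above describe a severity-threshold policy with no documented way to accept a disputed or non-applicable finding. The following Python is an added example, not code from pip-audit, LWN, or either commenter: it shows a gate that honours the threshold but also keeps a waiver list with a justification, an owner and an expiry date, so a disputed CVE is accepted on the record instead of being hidden from the scanner. The report shape, package names, placeholder CVE identifiers, owner and dates are all constructed for the example and are not pip-audit's real output format.

```python
"""Added example: a severity-threshold gate with a documented waiver list.

The report shape below is a constructed, simplified form (assumption: not
pip-audit's real output), and every identifier (package names, CVE
placeholders, owner, dates) is made up for the example.  The waiver list is
the missing "procedure to make it not-a-vulnerability": a finding above the
threshold passes only with a recorded justification, owner and expiry date,
so the decision is auditable instead of invisible to the scanner.
"""
from dataclasses import dataclass
from datetime import date

# Policy threshold quoted in the thread; findings strictly above it block.
MAX_ALLOWED_SCORE = 6.7


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    vuln_id: str
    score: float                # CVSS base score as reported by the scanner
    status: str = "published"   # scanner-reported status, e.g. "disputed"


@dataclass(frozen=True)
class Waiver:
    vuln_id: str
    package: str
    justification: str
    owner: str
    expires: date


# Constructed sample report (placeholder IDs, not real CVE data).
SAMPLE_REPORT = [
    {"package": "examplelib", "version": "1.2.0",
     "vuln_id": "CVE-PLACEHOLDER-0001", "score": 7.4, "status": "disputed"},
    {"package": "otherlib", "version": "3.0.1",
     "vuln_id": "CVE-PLACEHOLDER-0002", "score": 9.8, "status": "published"},
    {"package": "thirdlib", "version": "0.9.0",
     "vuln_id": "CVE-PLACEHOLDER-0003", "score": 5.3, "status": "published"},
]

# Constructed waiver list: the disputed finding is accepted, with an expiry
# that forces a re-review instead of a permanent exception.
SAMPLE_WAIVERS = [
    Waiver(
        vuln_id="CVE-PLACEHOLDER-0001",
        package="examplelib",
        justification="Disputed upstream; affected code path is not used here",
        owner="app-security",
        expires=date(2023, 2, 28),
    ),
]


def parse_report(raw):
    """Turn raw report entries into Finding records."""
    return [
        Finding(r["package"], r["version"], r["vuln_id"],
                float(r["score"]), r.get("status", "published"))
        for r in raw
    ]


def evaluate(findings, waivers, today, threshold=MAX_ALLOWED_SCORE):
    """Split findings into (blocking, waived, below_threshold).

    A 'disputed' status from the scanner is informational only; it never
    waives a finding by itself.  Only an unexpired waiver for the exact
    (vuln_id, package) pair does.  `today` may be a date or an ISO string,
    which is convenient when a CI job passes it on the command line.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    active = {(w.vuln_id, w.package): w for w in waivers if w.expires >= today}
    blocking, waived, below = [], [], []
    for f in findings:
        if f.score <= threshold:
            below.append(f)
        elif (f.vuln_id, f.package) in active:
            waived.append(f)
        else:
            blocking.append(f)
    return blocking, waived, below


def gate_passes(findings, waivers, today, threshold=MAX_ALLOWED_SCORE):
    """True when nothing above the threshold is left unwaived."""
    blocking, _, _ = evaluate(findings, waivers, today, threshold)
    return not blocking


if __name__ == "__main__":
    today = "2022-08-17"
    findings = parse_report(SAMPLE_REPORT)
    blocking, waived, below = evaluate(findings, SAMPLE_WAIVERS, today)
    for label, group in (("BLOCK", blocking), ("WAIVED", waived), ("OK", below)):
        for f in group:
            print(f"{label:6} {f.package} {f.version} {f.vuln_id} "
                  f"score={f.score} status={f.status}")
    print("gate:", "pass" if gate_passes(findings, SAMPLE_WAIVERS, today) else "fail")
```

Run as-is, the gate still fails because `otherlib` has an unwaived 9.8; the disputed `examplelib` finding is reported as WAIVED rather than silently dropped, and once the waiver's expiry passes it blocks again until someone re-justifies it.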


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds