pip dependencies are not supported in new Conda integration

[kutkopy]

Description

The new Conda integration in v.0.51.1 is currently not supporting pip-Dependencies within environment.yml-files, even though this is a full feature from Conda. In particular pip-dependencies in an environment.yml-file (as shown below) are not supported:

name: test-environment
dependencies:
  - python==3.10.*
  - pip==23.2.*
  - scikit-learn==1.3.*
  - pip:
    - pandas==2.1.*

Even with pinned versions:

name: test-environment
channels:
  - https://conda.anaconda.org/conda-forge
  - conda-forge
  - fastchan
  - pytorch
dependencies:
  - bzip2=1.0.8=h93a5062_5
  - ca-certificates=2024.2.2=hf0a4a13_0
  - joblib=1.4.2=pyhd8ed1ab_0
  - libblas=3.9.0=22_osxarm64_openblas
  - libcblas=3.9.0=22_osxarm64_openblas
  - libcxx=17.0.6=h5f092b4_0
  - libffi=3.4.2=h3422bc3_5
  - libgfortran=5.0.0=13_2_0_hd922786_3
  - libgfortran5=13.2.0=hf226fd6_3
  - liblapack=3.9.0=22_osxarm64_openblas
  - libopenblas=0.3.27=openmp_h6c19121_0
  - libsqlite=3.45.3=h091b4b1_0
  - libzlib=1.2.13=h53f4e23_5
  - llvm-openmp=18.1.5=hde57baf_0
  - ncurses=6.4.20240210=h078ce10_0
  - numpy=1.26.4=py310hd45542a_0
  - openssl=3.3.0=h0d3ecfb_0
  - pip=23.2.1=pyhd8ed1ab_0
  - python=3.10.14=h2469fbe_0_cpython
  - python_abi=3.10=4_cp310
  - readline=8.2=h92ec313_1
  - scikit-learn=1.3.2=py310h417b086_2
  - scipy=1.13.0=py310h7057308_1
  - setuptools=69.5.1=pyhd8ed1ab_0
  - threadpoolctl=3.5.0=pyhc1e730c_0
  - tk=8.6.13=h5083fa2_1
  - wheel=0.43.0=pyhd8ed1ab_1
  - xz=5.2.6=h57fd34a_0
  - pip:
      - pandas==2.1.4
      - python-dateutil==2.9.0.post0
      - pytz==2024.1
      - six==1.16.0
      - tzdata==2024.1
prefix: /Users/michael/opt/miniconda3/envs/test-environment

And lead to the following error:

[conda] Unable to detect the dependency versions from `environment.yml` as those versions are not pinned. Use `conda env export` to pin versions.

Desired Behavior

All types of dependencies (conda and pip) should be detected in an environment.yml-file and be scanned correctly by trivy.

Actual Behavior

pip-dependencies are currently not detected correctly and can therefore be not scanned by the current approach.

Reproduction Steps

1. Create an environment.yml file with a pip-dependency (see example above)
2. Create conda environment
conda env update -f environment.yml
3. Export conda environment to get pinned versions
conda env export -n test-environment -f environment.yml 
4. Create SBOM of directory residing the pinned environment.yml file:
trivy filesystem . --scanners vuln --timeout 10m --format cyclonedx >./reports/sbom-scan-vuln.cdx.json
(If I remove the pip-dependencies from the pinned environment.yml file, the above command works fine).

Target

SBOM

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Debug Output

2024-05-08T08:53:22+02:00	DEBUG	["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2024-05-08T08:53:22+02:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-08T08:53:22+02:00	DEBUG	Ignore statuses	statuses=[]
2024-05-08T08:53:22+02:00	DEBUG	Cache dir	dir="/Users/michael/Library/Caches/trivy"
2024-05-08T08:53:22+02:00	DEBUG	DB update was skipped because the local DB is the latest
2024-05-08T08:53:22+02:00	DEBUG	DB info	schema=2 updated_at=2024-05-08T06:12:21.400321152Z next_update=2024-05-08T12:12:21.400320861Z downloaded_at=2024-05-08T06:45:13.353111Z
2024-05-08T08:53:22+02:00	INFO	Vulnerability scanning is enabled
2024-05-08T08:53:22+02:00	DEBUG	Vulnerability type	type=[os library]
2024-05-08T08:53:22+02:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-08T08:53:22+02:00	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
panic: runtime error: index out of range [0] with length 0

goroutine 39 [running]:
github.com/aquasecurity/trivy/pkg/dependency/parser/conda/environment.(*Parser).parseDependency(0x14d0?, {0x0, 0x0})
	/home/runner/work/trivy/trivy/pkg/dependency/parser/conda/environment/parse.go:89 +0x1d0
github.com/aquasecurity/trivy/pkg/dependency/parser/conda/environment.(*Parser).toLibrary(0x140027d2000, {{0x0?, 0x14003f27b01?}, 0x10213812c?})
	/home/runner/work/trivy/trivy/pkg/dependency/parser/conda/environment/parse.go:59 +0x40
github.com/aquasecurity/trivy/pkg/dependency/parser/conda/environment.(*Parser).Parse(0x140027d2000, {0x10ac9b3d0, 0x14001e8cf30})
	/home/runner/work/trivy/trivy/pkg/dependency/parser/conda/environment/parse.go:46 +0x268
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language.Parse({0x1081c3fc2, 0x11}, {0x14002fa5e40, 0xf}, {0x10abfaf80?, 0x14001e8cf30?}, {0x10ac0fc40, 0x140027d2000})
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/analyze.go:52 +0xac
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language.Analyze({0x1081c3fc2?, 0x11?}, {0x14002fa5e40, 0xf}, {0x10ac9b3d0?, 0x14001e8cf30?}, {0x10ac0fc40?, 0x140027d2000?})
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/analyze.go:20 +0x5c
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/conda/environment.environmentAnalyzer.Analyze({}, {0x0?, 0x0?}, {{0x16dcd75d1, 0x1}, {0x14002fa5e40, 0xf}, {0x10acb88a8, 0x140029bcd00}, {0x10ac9b3d0, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/conda/environment/environment.go:25 +0xb0
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.AnalyzeFile.func1({0x10acacdc8?, 0x10e5b3a80?}, {0x10acaadd0?, 0x14001e8cf30?})
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:432 +0x184
created by github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.AnalyzeFile in goroutine 1
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:427 +0x3bc

Operating System

macOS 14.4.1 (but also on Ubuntu)

Version

Version: 0.51.1

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @kutkopy
Thanks for your report!

Created #6659

Regards, Dmitriy