feat(conda): add licenses support for environment.yml files (aquasecurity#6953)

Co-authored-by: Teppei Fukuda <[email protected]>
2 people authored and skahn007gl committed Jul 23, 2024
1 parent c00068d commit 6683cf7
Showing 11 changed files with 378 additions and 184 deletions.
35 changes: 21 additions & 14 deletions docs/docs/coverage/os/conda.md
@@ -6,31 +6,38 @@ Trivy supports the following scanners for Conda packages.
|:-------------:|:---------:|
| SBOM ||
| Vulnerability | - |
| License | [^1] |
| License | |


## SBOM
Trivy detects packages that have been installed with `Conda`.

## `<package>.json`
### SBOM
Trivy parses `<conda-root>/envs/<env>/conda-meta/<package>.json` files to find the dependencies installed in your env.

### `<package>.json`
Trivy parses `<conda-root>/envs/<env>/conda-meta/<package>.json` files to find the version and license for the dependencies installed in your env.
### License
The `<package>.json` files contain package license information.
Trivy includes licenses for the packages it finds without having to parse additional files.

### `environment.yml`[^2]
Trivy supports parsing [environment.yml][environment.yml][^2] files to find dependency list.
## `environment.yml`[^1]
### SBOM
Trivy supports parsing [environment.yml][environment.yml][^1] files to find dependency list.

!!! note
License detection is currently not supported.

`environment.yml`[^2] files supports [version range][env-version-range]. We can't be sure about versions for these dependencies.
Therefore, you need to use `conda env export` command to get dependency list in `Conda` default format before scanning `environment.yml`[^2] file.
`environment.yml`[^1] files supports [version range][env-version-range]. We can't be sure about versions for these dependencies.
Therefore, you need to use `conda env export` command to get dependency list in `Conda` default format before scanning `environment.yml`[^1] file.

!!! note
For dependencies in a non-Conda format, Trivy doesn't include a version of them.

### License
Trivy parses `conda-meta/<package>.json` files at the [prefix] path.

To correctly define licenses, make sure your `environment.yml`[^1] contains `prefix` field and `prefix` directory contains `package.json` files.

!!! note
To get correct `environment.yml`[^1] file and fill `prefix` directory - use `conda env export` command.

[^1]: License detection is only supported for `<package>.json` files
[^2]: Trivy supports both `yaml` and `yml` extensions.
[^1]: Trivy supports both `yaml` and `yml` extensions.

[environment.yml]: https://conda.io/projects/conda/en/latest/user-guide/tasks/manage-environments.html#sharing-an-environment
[env-version-range]: https://docs.conda.io/projects/conda-build/en/latest/resources/package-spec.html#examples-of-package-specs
[prefix]: https://conda.io/projects/conda/en/latest/user-guide/tasks/manage-environments.html#specifying-a-location-for-an-environment
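Review bot: in the new License subsection, "`prefix` directory contains `package.json` files" should read `<package>.json`, matching the `conda-meta/<package>.json` files named in the sentence just above it; as written it reads like a single npm-style manifest. The same subsection needs one more sentence on how `prefix` is resolved: it is an absolute path read from the scanned `environment.yml`, so a reader must be told whether Trivy looks it up under the scan target root or on the host filesystem, and what happens when the path is missing or points outside the target. Minor wording: "To correctly define licenses" is clearer as "For license detection to work".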
15 changes: 12 additions & 3 deletions pkg/dependency/parser/conda/environment/parse.go
Expand Up @@ -16,6 +16,7 @@ import (

type environment struct {
Entries []Entry `yaml:"dependencies"`
Prefix string `yaml:"prefix"`
}

type Entry struct {
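Review bot: the new `Prefix` field holds a filesystem path taken verbatim from the file under analysis, and nothing here says so; add a doc comment such as `// Prefix is the environment path from the 'prefix' key. It comes from the scanned file and is not validated here.` so that the code which later opens `conda-meta/*.json` beneath it knows to anchor it under the scan root instead of trusting it as-is.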
@@ -27,6 +28,11 @@ type Dependency struct {
Line int
}

type Packages struct {
Packages ftypes.Packages
Prefix string
}

type Parser struct {
logger *log.Logger
once sync.Once
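Review bot: `Packages` is a new exported type with no doc comment, and `Packages.Packages` stutters at every call site. Either document it (`// Packages is the result of parsing environment.yml: the dependency list plus the environment prefix.`) or name it after what it represents, e.g. `Environment` with fields `Packages` and `Prefix`.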
@@ -39,10 +45,10 @@ func NewParser() *Parser {
}
}

func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependency, error) {
func (p *Parser) Parse(r xio.ReadSeekerAt) (Packages, error) {
var env environment
if err := yaml.NewDecoder(r).Decode(&env); err != nil {
return nil, nil, xerrors.Errorf("unable to decode conda environment.yml file: %w", err)
return Packages{}, xerrors.Errorf("unable to decode conda environment.yml file: %w", err)
}

var pkgs ftypes.Packages
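Review bot: the signature change from `([]ftypes.Package, []ftypes.Dependency, error)` to `(Packages, error)` means this parser no longer has the shape shared by the other dependency parsers, so any code that held it behind a common parser interface must now call it directly; that deserves a line in the commit body, and every caller among the 11 changed files should be checked. Dropping the `[]ftypes.Dependency` return itself is fine, since the old code always returned `nil` for it.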
@@ -58,7 +64,10 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
}

sort.Sort(pkgs)
return pkgs, nil, nil
return Packages{
Packages: pkgs,
Prefix: env.Prefix,
}, nil
}

func (p *Parser) toPackage(dep Dependency) ftypes.Package {
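Review bot: `env.Prefix` is passed through untouched. Run it through `filepath.Clean` before storing it, and handle the empty case explicitly rather than leaving it to the caller, where a later `filepath.Join("", "conda-meta")` would silently resolve relative to the working directory. The doc change in this same commit tells users to set `prefix`, so files with a missing or malformed value will turn up in practice.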
