Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug(conda): pip dependencies are not supported in new Conda integration #6659

Closed
1 of 2 tasks
DmitriyLewen opened this issue May 8, 2024 Discussed in #6658 · 1 comment · Fixed by #6675
Closed
1 of 2 tasks

bug(conda): pip dependencies are not supported in new Conda integration #6659

DmitriyLewen opened this issue May 8, 2024 Discussed in #6658 · 1 comment · Fixed by #6675
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@DmitriyLewen
Copy link
Contributor

Discussed in #6658

Originally posted by kutkopy May 8, 2024

Description

The new Conda integration in v.0.51.1 is currently not supporting pip-Dependencies within environment.yml-files, even though this is a full feature from Conda. In particular pip-dependencies in an environment.yml-file (as shown below) are not supported:

name: test-environment
dependencies:
  - python==3.10.*
  - pip==23.2.*
  - scikit-learn==1.3.*
  - pip:
    - pandas==2.1.*

Even with pinned versions:

name: test-environment
channels:
  - https://conda.anaconda.org/conda-forge
  - conda-forge
  - fastchan
  - pytorch
dependencies:
  - bzip2=1.0.8=h93a5062_5
  - ca-certificates=2024.2.2=hf0a4a13_0
  - joblib=1.4.2=pyhd8ed1ab_0
  - libblas=3.9.0=22_osxarm64_openblas
  - libcblas=3.9.0=22_osxarm64_openblas
  - libcxx=17.0.6=h5f092b4_0
  - libffi=3.4.2=h3422bc3_5
  - libgfortran=5.0.0=13_2_0_hd922786_3
  - libgfortran5=13.2.0=hf226fd6_3
  - liblapack=3.9.0=22_osxarm64_openblas
  - libopenblas=0.3.27=openmp_h6c19121_0
  - libsqlite=3.45.3=h091b4b1_0
  - libzlib=1.2.13=h53f4e23_5
  - llvm-openmp=18.1.5=hde57baf_0
  - ncurses=6.4.20240210=h078ce10_0
  - numpy=1.26.4=py310hd45542a_0
  - openssl=3.3.0=h0d3ecfb_0
  - pip=23.2.1=pyhd8ed1ab_0
  - python=3.10.14=h2469fbe_0_cpython
  - python_abi=3.10=4_cp310
  - readline=8.2=h92ec313_1
  - scikit-learn=1.3.2=py310h417b086_2
  - scipy=1.13.0=py310h7057308_1
  - setuptools=69.5.1=pyhd8ed1ab_0
  - threadpoolctl=3.5.0=pyhc1e730c_0
  - tk=8.6.13=h5083fa2_1
  - wheel=0.43.0=pyhd8ed1ab_1
  - xz=5.2.6=h57fd34a_0
  - pip:
      - pandas==2.1.4
      - python-dateutil==2.9.0.post0
      - pytz==2024.1
      - six==1.16.0
      - tzdata==2024.1
prefix: /Users/michael/opt/miniconda3/envs/test-environment

And lead to the following error:

[conda] Unable to detect the dependency versions from `environment.yml` as those versions are not pinned. Use `conda env export` to pin versions.

Desired Behavior

All types of dependencies (conda and pip) should be detected in an environment.yml-file and be scanned correctly by trivy.

Actual Behavior

pip-dependencies are currently not detected correctly and can therefore be not scanned by the current approach.

Reproduction Steps

1. Create an environment.yml file with a pip-dependency (see example above)
2. Create conda environment
conda env update -f environment.yml
3. Export conda environment to get pinned versions
conda env export -n test-environment -f environment.yml 
4. Create SBOM of directory residing the pinned environment.yml file:
trivy filesystem . --scanners vuln --timeout 10m --format cyclonedx >./reports/sbom-scan-vuln.cdx.json
(If I remove the pip-dependencies from the pinned environment.yml file, the above command works fine).

Target

SBOM

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Debug Output

2024-05-08T08:53:22+02:00	DEBUG	["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2024-05-08T08:53:22+02:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-08T08:53:22+02:00	DEBUG	Ignore statuses	statuses=[]
2024-05-08T08:53:22+02:00	DEBUG	Cache dir	dir="/Users/michael/Library/Caches/trivy"
2024-05-08T08:53:22+02:00	DEBUG	DB update was skipped because the local DB is the latest
2024-05-08T08:53:22+02:00	DEBUG	DB info	schema=2 updated_at=2024-05-08T06:12:21.400321152Z next_update=2024-05-08T12:12:21.400320861Z downloaded_at=2024-05-08T06:45:13.353111Z
2024-05-08T08:53:22+02:00	INFO	Vulnerability scanning is enabled
2024-05-08T08:53:22+02:00	DEBUG	Vulnerability type	type=[os library]
2024-05-08T08:53:22+02:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-08T08:53:22+02:00	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
panic: runtime error: index out of range [0] with length 0

goroutine 39 [running]:
github.com/aquasecurity/trivy/pkg/dependency/parser/conda/environment.(*Parser).parseDependency(0x14d0?, {0x0, 0x0})
	/home/runner/work/trivy/trivy/pkg/dependency/parser/conda/environment/parse.go:89 +0x1d0
github.com/aquasecurity/trivy/pkg/dependency/parser/conda/environment.(*Parser).toLibrary(0x140027d2000, {{0x0?, 0x14003f27b01?}, 0x10213812c?})
	/home/runner/work/trivy/trivy/pkg/dependency/parser/conda/environment/parse.go:59 +0x40
github.com/aquasecurity/trivy/pkg/dependency/parser/conda/environment.(*Parser).Parse(0x140027d2000, {0x10ac9b3d0, 0x14001e8cf30})
	/home/runner/work/trivy/trivy/pkg/dependency/parser/conda/environment/parse.go:46 +0x268
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language.Parse({0x1081c3fc2, 0x11}, {0x14002fa5e40, 0xf}, {0x10abfaf80?, 0x14001e8cf30?}, {0x10ac0fc40, 0x140027d2000})
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/analyze.go:52 +0xac
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language.Analyze({0x1081c3fc2?, 0x11?}, {0x14002fa5e40, 0xf}, {0x10ac9b3d0?, 0x14001e8cf30?}, {0x10ac0fc40?, 0x140027d2000?})
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/analyze.go:20 +0x5c
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/conda/environment.environmentAnalyzer.Analyze({}, {0x0?, 0x0?}, {{0x16dcd75d1, 0x1}, {0x14002fa5e40, 0xf}, {0x10acb88a8, 0x140029bcd00}, {0x10ac9b3d0, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/conda/environment/environment.go:25 +0xb0
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.AnalyzeFile.func1({0x10acacdc8?, 0x10e5b3a80?}, {0x10acaadd0?, 0x14001e8cf30?})
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:432 +0x184
created by github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.AnalyzeFile in goroutine 1
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:427 +0x3bc

Operating System

macOS 14.4.1 (but also on Ubuntu)

Version

Version: 0.51.1

Checklist
@DmitriyLewen DmitriyLewen added the kind/bug Categorizes issue or PR as related to a bug. label May 8, 2024
@afdesk afdesk mentioned this issue May 8, 2024
Open
@DmitriyLewen DmitriyLewen mentioned this issue May 13, 2024
Merged
7 tasks
@kutkopy
Copy link

kutkopy commented May 13, 2024

@DmitriyLewen thanks for fixing this so quickly 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(conda): add support pip deps for environment.yml files DmitriyLewen/trivy
2 participants
@kutkopy @DmitriyLewen