feat: add support environment.yaml files #6569
Conversation
integration/repo_test.go (Outdated)

```go
{
	name: "conda environment.yaml generating SPDX SBOM",
	args: args{
		command: "fs",
		format:  "spdx-json",
		input:   "testdata/fixtures/repo/conda-environment",
	},
	golden: "testdata/conda-environment-spdx.json.golden",
},
```
Since we already have an intermediate SBOM representation, I think either CycloneDX or SPDX is enough.
Removed SPDX in d5b0a56
```go
// Default format for files created using the `conda Export` command: `<Name>=<Version>=<Build>`
// e.g. `bzip2=1.0.8=h998d150_5`
// But it is also possible to set only the dependency name
ss := strings.Split(dep.Value, "=")
```
It seems like we have to care about a variety of cases.
https://docs.conda.io/projects/conda-build/en/latest/resources/package-spec.html#package-match-specifications
```
numpy
numpy 1.8*
numpy 1.8.1
numpy >=1.8
numpy ==1.8.1
numpy 1.8|1.8*
numpy >=1.8,<2
numpy >=1.8,<2|1.9
numpy 1.8.1 py27_0
numpy=1.8.1=py27_0
```
```go
	})

	if tt.wantErr != "" {
		require.Error(t, err)
```
nit: this line is not needed when using ErrorContains.
Removed - 6fc4535
```go
	return res, nil
}

func (a environmentAnalyzer) Required(filePath string, _ os.FileInfo) bool {
	return filepath.Base(filePath) == "environment.yaml" || filepath.Base(filePath) == "environment.yml"
```
We should define a const.
trivy/pkg/fanal/types/const.go, lines 107 to 143 in 18da7b1:

```go
// Language-specific file names
const (
	NuGetPkgsLock   = "packages.lock.json"
	NuGetPkgsConfig = "packages.config"
	GoMod           = "go.mod"
	GoSum           = "go.sum"
	MavenPom        = "pom.xml"
	NpmPkg          = "package.json"
	NpmPkgLock      = "package-lock.json"
	YarnLock        = "yarn.lock"
	PnpmLock        = "pnpm-lock.yaml"
	ComposerLock    = "composer.lock"
	ComposerJson    = "composer.json"
	PyProject       = "pyproject.toml"
	PipRequirements = "requirements.txt"
	PipfileLock     = "Pipfile.lock"
	PoetryLock      = "poetry.lock"
	GemfileLock     = "Gemfile.lock"
	CargoLock       = "Cargo.lock"
	CargoToml       = "Cargo.toml"
	ConanLock       = "conan.lock"
	CocoaPodsLock   = "Podfile.lock"
	SwiftResolved   = "Package.resolved"
	PubSpecLock     = "pubspec.lock"
	MixLock         = "mix.lock"
)
```
done - a3254f9
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@DmitriyLewen I refactored it a bit so it can parse more cases. Please let me know if it looks wrong.
Good solution!

Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
Hi @knqyf263 and @DmitriyLewen, I have noticed an issue with the current implementation. In particular, pip dependencies in an environment.yml file (as shown below) are not supported:

And lead to the following error:
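The match-spec forms listed in the review above, and the nested `- pip:` list that this comment reports as unsupported, are the two things a parser for this file has to cope with. The block below is an added example in Go and is not trivy's code: `Dependency`, `ParseMatchSpec`, `ParseEnvironment` and the sample environment.yaml are constructed for this illustration, it uses only the standard library, and the line-based reader in place of a YAML library is an assumption of the example. The point worth keeping from the review is that a version is reported only when the spec pins one exactly; a range such as `>=1.8,<2` or a wildcard such as `1.8*` cannot be matched against a vulnerability database and must not be emitted as if it were a concrete version.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Dependency is one conda entry from the `dependencies:` list.
type Dependency struct {
	Name    string
	Version string // set only when the spec pins one exact version
	Build   string
}

// exactVersion accepts "1.8.1" or "==1.8.1"; wildcards ("1.8*"), ranges
// (">=1.8,<2") and alternatives ("1.8|1.8*") deliberately do not match.
var exactVersion = regexp.MustCompile(`^(?:==)?([0-9][0-9A-Za-z._+]*)$`)

// ParseMatchSpec handles the forms from the conda match-spec docs quoted in the
// review ("numpy 1.8*", "numpy >=1.8,<2|1.9", "numpy=1.8.1=py27_0", ...).
func ParseMatchSpec(spec string) Dependency {
	spec = strings.TrimSpace(spec)
	if i := strings.LastIndex(spec, "::"); i >= 0 {
		spec = spec[i+2:] // drop a channel prefix such as "conda-forge::"
	}
	end := strings.IndexAny(spec, " \t=<>!~,|") // name ends at first separator
	if end < 0 {
		return Dependency{Name: spec}
	}
	dep := Dependency{Name: spec[:end]}
	rest := strings.TrimSpace(spec[end:])
	var constraint string
	if strings.HasPrefix(rest, "=") && !strings.HasPrefix(rest, "==") {
		// `conda env export` form "=<version>[=<build>]" (conda reads a lone "=1.8" as fuzzy; reported as the pin here).
		parts := strings.SplitN(strings.TrimPrefix(rest, "="), "=", 2)
		constraint = parts[0]
		if len(parts) == 2 {
			dep.Build = parts[1]
		}
	} else if fields := strings.Fields(rest); len(fields) > 0 {
		constraint = fields[0] // space-separated "<constraint> [<build>]"
		if len(fields) > 1 {
			dep.Build = fields[1]
		}
	}
	if m := exactVersion.FindStringSubmatch(constraint); m != nil {
		dep.Version = m[1]
	}
	return dep
}

// ParseEnvironment walks the `dependencies:` list and keeps the nested `- pip:`
// requirements apart from conda specs. Small line-based reader (an assumption
// of this example), not a full YAML parser.
func ParseEnvironment(doc string) (conda []Dependency, pip []string) {
	inDeps, inPip, pipIndent := false, false, 0
	for _, raw := range strings.Split(doc, "\n") {
		line := strings.TrimRight(raw, " \r")
		trimmed := strings.TrimSpace(line)
		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
			continue
		}
		indent := len(line) - len(strings.TrimLeft(line, " "))
		if indent == 0 { // top-level key: only "dependencies:" matters here
			inDeps, inPip = strings.HasPrefix(trimmed, "dependencies:"), false
			continue
		}
		if !inDeps || !strings.HasPrefix(trimmed, "- ") {
			continue
		}
		item := strings.TrimPrefix(trimmed, "- ")
		switch {
		case inPip && indent > pipIndent: // nested pip requirement, not a conda spec
			pip = append(pip, item)
		case item == "pip:":
			inPip, pipIndent = true, indent
		default:
			inPip = false
			conda = append(conda, ParseMatchSpec(item))
		}
	}
	return conda, pip
}

// sampleEnvironment is a constructed environment.yaml: export-style pins, a range, a channel prefix, a pip section.
const sampleEnvironment = `name: demo
dependencies:
  - python=3.11.4=h955ad1f_0
  - numpy >=1.8,<2
  - conda-forge::bzip2=1.0.8=h998d150_5
  - pip:
    - pyyaml==6.0.1
    - rich
`

func main() {
	conda, pip := ParseEnvironment(sampleEnvironment)
	fmt.Printf("conda: %+v\npip: %v\n", conda, pip)
}
```

Running it prints three conda entries, of which only `python` and `bzip2` carry a version and build string, and the two pip requirements kept separately; the pip lines would need a pip requirement parser, not the conda match-spec one.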
Description

Add support for detecting dependencies from `environment.yaml` files. We do not have a vulnerability database for conda files, so `environment.yaml` files will only be scanned for packages (`-f json --list-all-pkgs`, SBOM formats).

Related issues

Checklist