feat(conda): add licenses support for environment.yml files #6953

Merged
35 changes: 21 additions & 14 deletions docs/docs/coverage/os/conda.md
Expand Up @@ -6,31 +6,38 @@ Trivy supports the following scanners for Conda packages.
|:-------------:|:---------:|
| SBOM | ✓ |
| Vulnerability | - |
| License | ✓[^1] |
| License | |


## SBOM
Trivy detects packages that have been installed with `Conda`.

## `<package>.json`
### SBOM
Trivy parses `<conda-root>/envs/<env>/conda-meta/<package>.json` files to find the dependencies installed in your env.

### `<package>.json`
Trivy parses `<conda-root>/envs/<env>/conda-meta/<package>.json` files to find the version and license for the dependencies installed in your env.
### License
The `<package>.json` files contain package license information.
Trivy includes licenses for the packages it finds without having to parse additional files.

### `environment.yml`[^2]
Trivy supports parsing [environment.yml][environment.yml][^2] files to find dependency list.
## `environment.yml`[^1]
### SBOM
Trivy supports parsing [environment.yml][environment.yml][^1] files to find dependency list.

!!! note
License detection is currently not supported.

`environment.yml`[^2] files supports [version range][env-version-range]. We can't be sure about versions for these dependencies.
Therefore, you need to use `conda env export` command to get dependency list in `Conda` default format before scanning `environment.yml`[^2] file.
`environment.yml`[^1] files supports [version range][env-version-range]. We can't be sure about versions for these dependencies.
Therefore, you need to use `conda env export` command to get dependency list in `Conda` default format before scanning `environment.yml`[^1] file.

!!! note
For dependencies in a non-Conda format, Trivy doesn't include a version of them.

### License
Trivy parses `conda-meta/<package>.json` files at the [prefix] path.

To correctly define licenses, make sure your `environment.yml`[^1] contains `prefix` field and `prefix` directory contains `package.json` files.

!!! note
To get correct `environment.yml`[^1] file and fill `prefix` directory - use `conda env export` command.

[^1]: License detection is only supported for `<package>.json` files
[^2]: Trivy supports both `yaml` and `yml` extensions.
[^1]: Trivy supports both `yaml` and `yml` extensions.

[environment.yml]: https://conda.io/projects/conda/en/latest/user-guide/tasks/manage-environments.html#sharing-an-environment
[env-version-range]: https://docs.conda.io/projects/conda-build/en/latest/resources/package-spec.html#examples-of-package-specs
[prefix]: https://conda.io/projects/conda/en/latest/user-guide/tasks/manage-environments.html#specifying-a-location-for-an-environment
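Review bot: the new License subsection at the end of this hunk says the `prefix` directory must contain `package.json` files, but the sentence two lines above (and the rest of the page) uses `conda-meta/<package>.json`; please change it to `<package>.json` so readers do not look for a literal package.json. "To correctly define licenses" reads better as "To detect licenses correctly". Since `prefix` is a path taken from the scanned environment.yml, "Trivy parses `conda-meta/<package>.json` files at the [prefix] path" should also state how that path is resolved (relative to the scan target or as an absolute host path), because that determines which directory must be present in the scan. The pre-existing "files supports" on the unchanged lines could be fixed to "files support" in passing.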
15 changes: 12 additions & 3 deletions pkg/dependency/parser/conda/environment/parse.go
Expand Up @@ -16,6 +16,7 @@ import (

type environment struct {
Entries []Entry `yaml:"dependencies"`
Prefix string `yaml:"prefix"`
}

type Entry struct {
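Review bot: the new `Prefix` field has no comment explaining what it holds; per the docs in this PR it is the `prefix:` entry written by `conda env export`, i.e. a path on the machine that produced the file, which the license step later uses to locate `conda-meta/<package>.json`. A one-line comment such as `// Prefix is the environment path written by conda env export; used to find conda-meta/<package>.json` would tell the next reader why a dependency-list parser records a filesystem path.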
Expand All @@ -27,6 +28,11 @@ type Dependency struct {
Line int
}

type Packages struct {
Packages ftypes.Packages
Prefix string
}

type Parser struct {
logger *log.Logger
once sync.Once
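Review bot: the new exported `Packages` type has a field also named `Packages`, so callers end up writing `pkgs.Packages` on a value of type `Packages`; a name such as `Environment` or `ParseResult` with a doc comment (exported types in this package should have one anyway) would read more clearly and make the `Prefix` field's role obvious.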
Expand All @@ -39,10 +45,10 @@ func NewParser() *Parser {
}
}

func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependency, error) {
func (p *Parser) Parse(r xio.ReadSeekerAt) (Packages, error) {
var env environment
if err := yaml.NewDecoder(r).Decode(&env); err != nil {
return nil, nil, xerrors.Errorf("unable to decode conda environment.yml file: %w", err)
return Packages{}, xerrors.Errorf("unable to decode conda environment.yml file: %w", err)
}

var pkgs ftypes.Packages
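Review bot: changing the signature from `([]ftypes.Package, []ftypes.Dependency, error)` to `(Packages, error)` means any caller or interface that consumed the previous triple return no longer compiles against this parser; those callers are not in this diff, so please confirm they are updated in the same PR, and add a doc comment on `Parse` stating that it returns the sorted dependency list together with the `prefix` field rather than a dependency graph. Returning `Packages{}` on the decode error is fine.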
Expand All @@ -58,7 +64,10 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
}

sort.Sort(pkgs)
return pkgs, nil, nil
return Packages{
Packages: pkgs,
Prefix: env.Prefix,
}, nil
}

func (p *Parser) toPackage(dep Dependency) ftypes.Package {
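Review bot: `env.Prefix` is returned exactly as decoded, so a value with surrounding whitespace, a relative path, or an empty string is handed unchanged to whatever later reads `conda-meta/<package>.json` beneath it; consider `strings.TrimSpace` plus `filepath.Clean` here, or document on `Packages.Prefix` that the caller must validate the path (including the empty case) before using it. Dropping the always-nil dependency slice from the return is fine.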