google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0
6.11k stars 343 forks

Support conda environment files as lockfiles #1129

Open maaaaz opened 1 month ago

maaaaz commented 1 month ago

Hello there,

osv-scanner currently does not support conda lockfiles.

Conda lockfiles, called "environment" files, can come in at least 2 different formats:

$ conda list -e

# This file may be used to create an environment using:
# $ conda create --name <env> --file <this file>
# platform: linux-64
_libgcc_mutex=0.1=main
_openmp_mutex=5.1=1_gnu
argparse=1.4.0=pypi_0
blinker=1.8.2=pypi_0
bloodhound=1.7.2=pypi_0
bzip2=1.0.8=h5eee18b_6
ca-certificates=2024.7.2=h06a4308_0
certifi=2024.7.4=pypi_0
cffi=1.16.0=pypi_0
charset-normalizer=3.3.2=pypi_0
click=8.1.7=pypi_0
cryptography=43.0.0=pypi_0
dnspython=2.6.1=pypi_0
dsinternals=1.2.4=pypi_0
expat=2.6.2=h6a678d5_0
flask=3.0.3=pypi_0
future=1.0.0=pypi_0
idna=3.7=pypi_0
impacket=0.11.0=pypi_0
itsdangerous=2.2.0=pypi_0
jinja2=3.1.4=pypi_0
ld_impl_linux-64=2.38=h1181459_1
ldap3=2.9.1=pypi_0
ldapdomaindump=0.9.4=pypi_0
libffi=3.4.4=h6a678d5_1
libgcc-ng=11.2.0=h1234567_1
libgomp=11.2.0=h1234567_1
libstdcxx-ng=11.2.0=h1234567_1
libuuid=1.41.5=h5eee18b_0
markupsafe=2.1.5=pypi_0
ncurses=6.4=h6a678d5_0
openssl=3.0.14=h5eee18b_0
pip=24.0=py312h06a4308_0
pyasn1=0.6.0=pypi_0
pycparser=2.22=pypi_0
pycryptodome=3.20.0=pypi_0
pycryptodomex=3.20.0=pypi_0
pyopenssl=24.2.1=pypi_0
python=3.12.4=h5148396_1
readline=8.2=h5eee18b_0
requests=2.32.3=pypi_0
setuptools=69.5.1=py312h06a4308_0
six=1.16.0=pypi_0
sqlite=3.45.3=h5eee18b_0
tk=8.6.14=h39e8969_0
tzdata=2024a=h04d1e81_0
urllib3=2.2.2=pypi_0
webscreenshot=2.94=pypi_0
werkzeug=3.0.3=pypi_0
wheel=0.43.0=py312h06a4308_0
xz=5.4.6=h5eee18b_1
zlib=1.2.13=h5eee18b_1
$ conda env export

name: condaenvtest
channels:
  - defaults
dependencies:
  - _libgcc_mutex=0.1=main
  - _openmp_mutex=5.1=1_gnu
  - bzip2=1.0.8=h5eee18b_6
  - ca-certificates=2024.7.2=h06a4308_0
  - expat=2.6.2=h6a678d5_0
  - ld_impl_linux-64=2.38=h1181459_1
  - libffi=3.4.4=h6a678d5_1
  - libgcc-ng=11.2.0=h1234567_1
  - libgomp=11.2.0=h1234567_1
  - libstdcxx-ng=11.2.0=h1234567_1
  - libuuid=1.41.5=h5eee18b_0
  - ncurses=6.4=h6a678d5_0
  - openssl=3.0.14=h5eee18b_0
  - pip=24.0=py312h06a4308_0
  - python=3.12.4=h5148396_1
  - readline=8.2=h5eee18b_0
  - setuptools=69.5.1=py312h06a4308_0
  - sqlite=3.45.3=h5eee18b_0
  - tk=8.6.14=h39e8969_0
  - tzdata=2024a=h04d1e81_0
  - wheel=0.43.0=py312h06a4308_0
  - xz=5.4.6=h5eee18b_1
  - zlib=1.2.13=h5eee18b_1
  - pip:
      - argparse==1.4.0
      - blinker==1.8.2
      - bloodhound==1.7.2
      - certifi==2024.7.4
      - cffi==1.16.0
      - charset-normalizer==3.3.2
      - click==8.1.7
      - cryptography==43.0.0
      - dnspython==2.6.1
      - dsinternals==1.2.4
      - flask==3.0.3
      - future==1.0.0
      - idna==3.7
      - impacket==0.11.0
      - itsdangerous==2.2.0
      - jinja2==3.1.4
      - ldap3==2.9.1
      - ldapdomaindump==0.9.4
      - markupsafe==2.1.5
      - pyasn1==0.6.0
      - pycparser==2.22
      - pycryptodome==3.20.0
      - pycryptodomex==3.20.0
      - pyopenssl==24.2.1
      - requests==2.32.3
      - six==1.16.0
      - urllib3==2.2.2
      - webscreenshot==2.94
      - werkzeug==3.0.3
prefix: /usr/share/miniconda/envs/condaenvtest

Cheers!

michaelkedar commented 1 month ago

Just wanted to note: conda is its own packaging ecosystem that is not currently in OSV (also, from a quick look, Anaconda seems to only provide CVE information as part of their paid tiers). I don't really think that it's possible for us to support scanning for the conda packages.

That said, we should be able to support packages in conda environments that were installed through pip, which seem to be the ones with the =pypi_0 build / the ones listed under pip:.
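To make the distinction concrete, here is a parser for the two environment formats shown in the issue that keeps only the pip-installed entries (the `=pypi_0` builds in `conda list -e` output and the `pip:` sub-list in `conda env export` output), which is the subset that could be matched against OSV's PyPI data. This is an added illustration in Go, not osv-scanner's own lockfile code; the function names and the line-based handling of the `conda env export` layout are my own assumptions, and the sample input in `main` is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Package is one pip-installed entry from a conda environment file, the kind that can be matched against OSV's PyPI data.
type Package struct{ Name, Version string }

// ParseCondaListExport reads `conda list -e` output (name=version=build lines);
// a build of "pypi_0" marks a package that was installed through pip.
func ParseCondaListExport(text string) []Package {
	var pkgs []Package
	for _, raw := range strings.Split(text, "\n") {
		parts := strings.Split(strings.TrimSpace(raw), "=")
		if len(parts) == 3 && parts[2] == "pypi_0" && !strings.HasPrefix(parts[0], "#") {
			pkgs = append(pkgs, Package{Name: parts[0], Version: parts[1]})
		}
	}
	return pkgs
}

// ParseCondaEnvExport reads the `conda env export` layout: only items nested under
// "- pip:" are PyPI packages (name==version). Line-based, not a general YAML parser.
func ParseCondaEnvExport(text string) []Package {
	var pkgs []Package
	pipIndent := -1 // indentation of the "- pip:" item while inside its list
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		indent := len(raw) - len(strings.TrimLeft(raw, " "))
		switch {
		case line == "":
		case line == "- pip:":
			pipIndent = indent
		case pipIndent >= 0 && indent > pipIndent:
			if name, ver, ok := strings.Cut(strings.TrimPrefix(line, "- "), "=="); ok {
				pkgs = append(pkgs, Package{Name: name, Version: ver})
			}
		default:
			pipIndent = -1 // a sibling conda entry or top-level key ends the pip list
		}
	}
	return pkgs
}

func main() {
	// Constructed sample, cut down from the `conda env export` shown in the issue.
	fmt.Println(ParseCondaEnvExport("dependencies:\n  - openssl=3.0.14=h5eee18b_0\n  - pip:\n      - requests==2.32.3\nprefix: /tmp/x\n"))
}
```

Conda-native entries (those with a non-`pypi_0` build, or listed directly under `dependencies:`) are deliberately dropped, since there is no OSV ecosystem to look them up in.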