sonatype-nexus-community / jake

Check your Python environments for vulnerable Open Source packages with OSS Index or Sonatype Nexus Lifecycle.
https://jake.readthedocs.io/
Apache License 2.0

[BUG] Unreliable result when using STDIN / conda list #139

Open 1-some opened 1 year ago

1-some commented 1 year ago

Describe the bug

I'm trying to test / use jake 3.0.0 in a conda environment, but seem to get an inconsistent result (or perhaps I do not understand it correctly). When having a conda environment active with only jake installed in it, the basic command will give me 52 audited dependencies and 2 vulnerabilities. If I repeat the same in combination with a conda list, I get 58 audited dependencies and 0 vulnerabilities. And no matter what, in combination with conda list I always get 0 vulnerabilities, for any environment, which seems inaccurate. If I need to supply more info, please let me know.

To Reproduce

Steps to reproduce the behavior:

  1. Run conda activate [my_env]
  2. Run jake ddt
  3. Report: 52 audited dependencies and 2 vulnerabilities

And the other approach:

  1. Run conda activate [my_env]
  2. Run conda list --explicit --md5 | jake ddt -t CONDA
  3. Report: 58 audited dependencies and 0 vulnerabilities

Expected behavior

For the first command I'd say I miss 6 audited dependencies (there are 58 dependencies in the active environment), and for the latter command I'd say I miss the reported 2 vulnerabilities.

Screenshots

First command: jake_command_with_vulnerabilities

Second command: jake_command_without_vulnerabilities


Additional context

Also conda list -n [my_other_env] --explicit --md5 | jake ddt -t CONDA gives 0 vulnerabilities for any environment I try (of which some have vulnerabilities). The number of audited dependencies does change, so that seems correct. I've installed jake 3.0.0 via conda from conda-forge.

epassaro commented 1 year ago

I have the same problem!

Piping conda list --name <environment_name> --explicit | jake ddt -t CONDA does not work as expected. Nor does dumping the result to a .txt file and running jake with the -f flag.

The best result is given when running jake ddt inside the activated environment. That's not really great, because I need to install jake in the environment I want to test.


EDIT: I've been doing some experiments after installing the following test environment:

name: example

channels:
  - conda-forge

dependencies:
  - python =3.10
  - flask =2.2.2
  - numpy =1.21.5

(note: also tried using the main channel, the same result)

and concluded:

cc @bhamail / @DarthHater

vvoutilainen commented 1 year ago

Can confirm. With the conda environment selected, running

jake ddt -t ENV

scans the packages found with pip list. However, as the OP writes, either of the commands

conda list --explicit --md5 | jake ddt -t CONDA
conda list --json | jake ddt -t CONDA_JSON

scan all packages found by conda (from conda --list, which results in more packages than pip list) but always yields zero vulnerabilities, although some of the packages are the same as in the default case above and have known vulnerabilities.

riccardoporreca commented 11 months ago

@vvoutilainen, @epassaro, the key difference is that -t CONDA and -t CONDA_JSON look at vulnerabilities for the set of conda packages in the conda environment, whereas -t ENV (and -t PIP) looks at pypi packages.

This is the reason why there are more packages on the conda side (likely due to non-python conda packages), but on the other hand there are usually fewer known vulnerabilities on the OSS Index for conda packages compared to pypi packages.

Example

If you are looking for a way of using jake to report pypi vulnerabilities of a conda environment w/o running jake from within the environment (via -t ENV), something along the lines of

conda run --name <environment_name> pip list --format=freeze | jake ddt -t PIP

would do, and does not even require ever activating the conda environment explicitly. The only assumption is that pip is available in the conda environment (there would be ways to work around this if needed).
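To make the distinction in this comment concrete, here is an added example (not part of the thread and not jake's own code) that parses constructed samples of the two inputs discussed, `conda list --explicit --md5` and `pip list --format=freeze`, and turns each into package coordinates. The `pkg:conda/...` versus `pkg:pypi/...` mapping is an assumption about how an ecosystem-specific lookup is keyed, based on the package-url convention; it shows why the same flask 2.2.2 is two different lookups and why the conda side lists packages (libffi, python) that pip never reports.

```python
"""Added example: the two package sets behind `-t CONDA` and `-t PIP`.
Not jake's code; the pkg:conda / pkg:pypi coordinate form is assumed."""
import re
from urllib.parse import urlparse

# Constructed sample of `conda list --explicit --md5` output (md5 values are fake).
CONDA_EXPLICIT = """\
# platform: linux-64
@EXPLICIT
https://conda.anaconda.org/conda-forge/linux-64/python-3.10.8-h4a9ceb5_0_cpython.conda#deadbeef
https://conda.anaconda.org/conda-forge/noarch/flask-2.2.2-pyhd8ed1ab_0.tar.bz2#cafebabe
https://conda.anaconda.org/conda-forge/linux-64/numpy-1.21.5-py310h3fd1a9f_3.tar.bz2#feedface
https://conda.anaconda.org/conda-forge/linux-64/libffi-3.4.2-h7f98852_5.tar.bz2#0123abcd
"""

# Constructed sample of `pip list --format=freeze` from the same environment.
PIP_FREEZE = """\
Flask==2.2.2
numpy==1.21.5
"""

# conda filenames are <name>-<version>-<build>.<ext>; build strings never contain '-'.
_CONDA_FILE = re.compile(r"^(?P<name>.+?)-(?P<version>[^-]+)-(?P<build>[^-]+)\.(?:conda|tar\.bz2)$")


def parse_conda_explicit(text: str) -> list[tuple[str, str]]:
    """(name, version) pairs from explicit spec lines; comments and @EXPLICIT are skipped."""
    pkgs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "@")):
            continue
        filename = urlparse(line).path.rsplit("/", 1)[-1]  # drops channel, subdir and #md5
        m = _CONDA_FILE.match(filename)
        if m is None:
            raise ValueError(f"unrecognised conda package filename: {filename}")
        pkgs.append((m["name"], m["version"]))
    return pkgs


def parse_pip_freeze(text: str) -> list[tuple[str, str]]:
    """(name, version) pairs from `pip list --format=freeze`; names are lower-cased."""
    pkgs = []
    for line in text.splitlines():
        name, sep, version = line.strip().partition("==")
        if sep:
            pkgs.append((name.lower(), version))
    return pkgs


def coordinates(pkgs: list[tuple[str, str]], ecosystem: str) -> list[str]:
    """Package-URL style coordinates; the ecosystem prefix is what makes the lookups differ."""
    return [f"pkg:{ecosystem}/{name}@{version}" for name, version in pkgs]
```

Calling `coordinates(parse_conda_explicit(CONDA_EXPLICIT), "conda")` and `coordinates(parse_pip_freeze(PIP_FREEZE), "pypi")` side by side gives four conda coordinates against two pypi ones, with flask and numpy appearing under both ecosystems.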