Open 1-some opened 1 year ago
I have the same problem!

Piping `conda list --name <environment_name> --explicit | jake ddt -t CONDA` does not work as expected. Neither does dumping the result to a .txt file and running jake with the `-f` flag.

The best result is given when running `jake ddt` inside the activated environment. That's not really great, because I need to install jake in the environment I want to test.
EDIT: I've been doing some experiments after installing the following test environment:

```yaml
name: example
channels:
  - conda-forge
dependencies:
  - python =3.10
  - flask =2.2.2
  - numpy =1.21.5
```

(note: also tried using the `main` channel, with the same result)

and concluded:

- `conda list --name example | jake ddt -t CONDA` returns the correct number of dependencies (37) but 0 vulnerabilities are detected (this is not correct, both `numpy` and `flask` have vulnerabilities in those versions).
- Installing `jake` in the same env and running `jake ddt` with the `example` environment activated returns the correct number of dependencies (44, counting `jake` and its deps) and 5 vulnerabilities (that seems correct).

cc @bhamail / @DarthHater
Can confirm. With the conda environment selected, running `jake ddt -t ENV` scans the packages found with `pip list`. However, as the OP writes, either of the commands

```
conda list --explicit --md5 | jake ddt -t CONDA
conda list --json | jake ddt -t CONDA_JSON
```

scan all packages found by conda (from `conda list`, which results in more packages than `pip list`) but always yields zero vulnerabilities, although some of the packages are the same as in the default case above and have known vulnerabilities.
@vvoutilainen, @epassaro, the key difference is that `-t CONDA` and `-t CONDA_JSON` look at vulnerabilities for the set of conda packages in the conda environment, whereas `-t ENV` (and `-t PIP`) looks at pypi packages.

This is the reason why there are more packages on the conda side (likely due to non-python conda packages), but on the other hand there are usually fewer known vulnerabilities on the OSS index for conda packages compared to pypi packages.

Example

If you are looking for a way of using `jake` to report pypi vulnerabilities of a conda environment w/o running jake from within the environment (via `-t ENV`), something along the lines of

```
conda run --name <environment_name> pip list --format=freeze | jake ddt -t PIP
```

would do, and does not even require ever activating the conda environment explicitly. The only assumption is that `pip` is available in the conda environment (there would be ways to work around this if needed).
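The comment above explains the zero-vulnerability result by ecosystem, not by a bug: `-t CONDA` sends conda coordinates to OSS Index, `-t PIP`/`-t ENV` sends pypi coordinates. The following added example (written for this thread, not jake's own code) makes that concrete by turning a constructed `conda list` listing and a constructed `pip list --format=freeze` listing from the same environment into Package URLs, the coordinate form OSS Index is queried with. The package names, versions, builds and the `/opt/conda/envs/example` path are all made up for the example; the helper names (`parse_conda_list`, `compare_listings`, and so on) are hypothetical.

```python
"""Added example (not jake's own code): turn the two listings that the thread
compares into Package URLs, the coordinate form OSS Index looks up, to show
why `-t CONDA` and `-t PIP` audit different package sets.  Both listings
below are constructed samples, not real captures."""
import re

# Constructed sample of `conda list --name example` output (abbreviated).
CONDA_LIST = """\
# packages in environment at /opt/conda/envs/example:
#
# Name                    Version                   Build  Channel
_libgcc_mutex             0.1                 conda_forge    conda-forge
flask                     2.2.2              pyhd8ed1ab_0    conda-forge
libblas                   3.9.0      16_linux64_openblas    conda-forge
numpy                     1.21.5          py310h3cdc734_2    conda-forge
openssl                   3.0.7                h0b41bf4_1    conda-forge
python                    3.10.8      h4a9ceb5_0_cpython    conda-forge
werkzeug                  2.2.2              pyhd8ed1ab_0    conda-forge
"""

# Constructed sample of `pip list --format=freeze` run inside the same env.
PIP_FREEZE = """\
Flask==2.2.2
numpy==1.21.5
Werkzeug==2.2.2
"""


def parse_conda_list(text):
    """Return (name, version, build, channel) tuples from plain `conda list` output."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank, comment and column-header lines
        parts = line.split()
        if len(parts) < 3:
            continue
        channel = parts[3] if len(parts) > 3 else ""
        rows.append((parts[0], parts[1], parts[2], channel))
    return rows


def parse_pip_freeze(text):
    """Return (name, version) pairs from `pip list --format=freeze` output."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)$", line.strip())
        if m:
            rows.append((m.group(1), m.group(2)))
    return rows


def conda_purl(name, version, build, channel):
    """pkg:conda/<name>@<version>?build=...&channel=... (purl 'conda' type)."""
    qualifiers = f"build={build}"
    if channel:
        qualifiers += f"&channel={channel}"
    return f"pkg:conda/{name}@{version}?{qualifiers}"


def pypi_purl(name, version):
    """pkg:pypi/<name>@<version>; purl lowercases pypi names and maps '_' to '-'."""
    return f"pkg:pypi/{name.lower().replace('_', '-')}@{version}"


def compare_listings(conda_text, pip_text):
    """Summarise what each jake input type would hand to OSS Index."""
    conda_rows = parse_conda_list(conda_text)
    pip_rows = parse_pip_freeze(pip_text)
    conda_purls = {conda_purl(*r) for r in conda_rows}
    pypi_purls = {pypi_purl(*r) for r in pip_rows}
    conda_names = {r[0] for r in conda_rows}
    pypi_names = {r[0].lower() for r in pip_rows}
    return {
        "conda_purls": sorted(conda_purls),
        "pypi_purls": sorted(pypi_purls),
        # non-python runtime pieces that only the conda side knows about
        "conda_only": sorted(conda_names - pypi_names),
        # the same numpy release is a different coordinate in each ecosystem, so an
        # advisory recorded only under pkg:pypi/numpy is not returned for pkg:conda/numpy
        "coordinates_in_common": sorted(conda_purls & pypi_purls),
    }


if __name__ == "__main__":
    summary = compare_listings(CONDA_LIST, PIP_FREEZE)
    print(f"-t CONDA would audit {len(summary['conda_purls'])} coordinates, "
          f"-t PIP {len(summary['pypi_purls'])}")
    print("conda-only packages:", ", ".join(summary["conda_only"]))
    print("coordinates shared across ecosystems:", summary["coordinates_in_common"])
```

Running it shows the two effects the thread reports: the conda listing is longer (the interpreter, `openssl`, BLAS and similar non-python packages appear only there), and the intersection of the two coordinate sets is empty even though `numpy` and `flask` are in both listings. That empty intersection is why a pypi advisory counted under `-t ENV` does not show up under `-t CONDA`; the `conda run ... pip list --format=freeze | jake ddt -t PIP` form from the comment above queries the pypi coordinates without activating the environment.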
**Describe the bug**
I'm trying to test / use jake 3.0.0 in a conda environment, but seem to get an inconsistent result (or perhaps I do not understand it correctly). When having a conda environment active with only jake installed in it, the basic command will give me 52 audited dependencies and 2 vulnerabilities. If I repeat the same in combination with a `conda list`, I get 58 audited dependencies and 0 vulnerabilities. And no matter what, in combination with `conda list` I always get 0 vulnerabilities, for any environment, which seems inaccurate. If I need to supply more info, please let me know.

**To Reproduce**
Steps to reproduce the behavior:

```
conda activate [my_env]
jake ddt
```

And the other approach:

```
conda activate [my_env]
conda list --explicit --md5 | jake ddt -t CONDA
```

**Expected behavior**
For the first command I'd say I miss 6 audited dependencies (there are 58 dependencies in the active environment), and for the latter command I'd say I miss the reported 2 vulnerabilities.

**Screenshots**
First command:
Second command:

**Desktop (please complete the following information):**

**Additional context**
Also

```
conda list -n [my_other_env] --explicit --md5 | jake ddt -t CONDA
```

gives 0 vulnerabilities for any environment I try (of which some have vulnerabilities). The amount of audited dependencies does change, so that seems correct. I've installed jake 3.0.0 via conda from conda-forge.