sonatype-nexus-community / jake

Check your Python environments for vulnerable Open Source packages with OSS Index or Sonatype Nexus Lifecycle.
https://jake.readthedocs.io/
Apache License 2.0

[BUG] Conda scanner not recognizing known vulnerability #150

Open vramirez333 opened 7 months ago

vramirez333 commented 7 months ago

Describe the bug

I can't get the Jake conda scanner to recognize known vulnerabilities. Based on a screenshot from this Jake-Sonatype documentation (https://blog.sonatype.com/how-to-easily-identify-conda-vulnerabilities-using-sonatype-jake), I should get a vulnerability when I scan for this Conda dependency: openssl@1.1.1d. However, when I run the scanner, there are zero vulnerabilities found.

Please help me reproduce this or any other conda dependency vulnerabilities.

To Reproduce

Steps to reproduce the behavior:

  1. Convert this environment.yml file-code to conda list explicit:

name: jake-test channels:

  2. Once the conda explicit list is available (env.txt), run the Jake conda scanner against it using the following command: 'jake -w ddt -t CONDA -f "env.txt"'

  3. The Jake conda scanner results will show 6 Audited Vulnerabilities and 0 Vulnerabilities Found.

Expected behavior

Based on the Sonatype documentation in the shared link above, I expect the Jake conda scanner to return at least 1 Vulnerability Found in the scan results.

Screenshots

Screenshot from Sonatype link, showing known vulnerability: [image: MicrosoftTeams-image (14)]

Here are my actual results showing no vulnerabilities. The results are from an Azure DevOps pipeline: [image: actual scan results]

Here is what the env.txt file looks like: [image: env txt contents]

Desktop (please complete the following information):

  - conda version 23.11.0
  - running code in Azure DevOps

Additional context

My goal is to reproduce any vulnerabilities using Jake's Conda scanner.
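As an added illustration for the reproduction steps above (this is not jake's own parser), the following reads a constructed `conda list --explicit` file and turns each package line into the Package URL coordinates that vulnerability lookups are keyed on, so you can see what identity a line such as the openssl 1.1.1d one resolves to before it is sent to OSS Index. It assumes the standard explicit-list layout (`@EXPLICIT` marker, one archive URL per line, optional `#md5` suffix) and the purl spec's conda qualifiers (build, channel, subdir, type).

```python
import re
from urllib.parse import urlsplit

# Constructed sample of `conda list --explicit` output; not the reporter's env.txt.
SAMPLE_EXPLICIT = """\
# platform: linux-64
@EXPLICIT
https://conda.anaconda.org/conda-forge/linux-64/ca-certificates-2023.11.17-hbcca054_0.conda#01ffc8d36f9eba0ce0b3c1955fa780ee
https://conda.anaconda.org/conda-forge/linux-64/openssl-1.1.1d-h516909a_0.tar.bz2
https://repo.anaconda.com/pkgs/main/noarch/six-1.16.0-pyhd3eb1b0_1.conda
"""

# Archive filename is <name>-<version>-<build>.<tar.bz2|conda>
_ARCHIVE_RE = re.compile(r"^(?P<stem>.+)\.(?P<type>tar\.bz2|conda)$")


def parse_explicit_line(line):
    """Return (name, version, build, channel, subdir, type) for one URL line, else None.

    Comments, the @EXPLICIT marker and blank lines are skipped; a trailing '#md5'
    fragment is dropped. Package names may contain hyphens, so the stem is split
    from the right to keep '<version>-<build>' as the last two fields."""
    line = line.strip()
    if not line or line.startswith(("#", "@")):
        return None
    segments = [s for s in urlsplit(line).path.split("/") if s]
    if len(segments) < 3:
        return None
    match = _ARCHIVE_RE.match(segments[-1])
    if not match or match.group("stem").count("-") < 2:
        return None
    name, version, build = match.group("stem").rsplit("-", 2)
    # channel is the path segment before the platform subdir (e.g. conda-forge, main)
    return name, version, build, segments[-3], segments[-2], match.group("type")


def to_purl(fields):
    """Format a parsed line as a pkg:conda Package URL with the spec's qualifiers."""
    name, version, build, channel, subdir, typ = fields
    return (f"pkg:conda/{name}@{version}"
            f"?build={build}&channel={channel}&subdir={subdir}&type={typ}")


def explicit_to_purls(text):
    """Parse a whole explicit list into Package URLs, skipping unparsable lines."""
    return [to_purl(f) for f in map(parse_explicit_line, text.splitlines()) if f]
```

Running `explicit_to_purls` over a real env.txt and comparing the count of returned coordinates with the scanner's "Audited" figure shows whether every line, including the openssl one, is actually being parsed into a package identity.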