trivy
bug(conda): pip dependencies are not supported in new Conda integration
Discussed in https://github.com/aquasecurity/trivy/discussions/6658
Originally posted by kutkopy May 8, 2024
Description
The new Conda integration in v0.51.1 currently does not support pip dependencies within environment.yml files, even though this is a full feature of Conda. In particular, pip dependencies in an environment.yml file (as shown below) are not supported:
name: test-environment
dependencies:
  - python==3.10.*
  - pip==23.2.*
  - scikit-learn==1.3.*
  - pip:
      - pandas==2.1.*
Even with pinned versions:
name: test-environment
channels:
  - https://conda.anaconda.org/conda-forge
  - conda-forge
  - fastchan
  - pytorch
dependencies:
  - bzip2=1.0.8=h93a5062_5
  - ca-certificates=2024.2.2=hf0a4a13_0
  - joblib=1.4.2=pyhd8ed1ab_0
  - libblas=3.9.0=22_osxarm64_openblas
  - libcblas=3.9.0=22_osxarm64_openblas
  - libcxx=17.0.6=h5f092b4_0
  - libffi=3.4.2=h3422bc3_5
  - libgfortran=5.0.0=13_2_0_hd922786_3
  - libgfortran5=13.2.0=hf226fd6_3
  - liblapack=3.9.0=22_osxarm64_openblas
  - libopenblas=0.3.27=openmp_h6c19121_0
  - libsqlite=3.45.3=h091b4b1_0
  - libzlib=1.2.13=h53f4e23_5
  - llvm-openmp=18.1.5=hde57baf_0
  - ncurses=6.4.20240210=h078ce10_0
  - numpy=1.26.4=py310hd45542a_0
  - openssl=3.3.0=h0d3ecfb_0
  - pip=23.2.1=pyhd8ed1ab_0
  - python=3.10.14=h2469fbe_0_cpython
  - python_abi=3.10=4_cp310
  - readline=8.2=h92ec313_1
  - scikit-learn=1.3.2=py310h417b086_2
  - scipy=1.13.0=py310h7057308_1
  - setuptools=69.5.1=pyhd8ed1ab_0
  - threadpoolctl=3.5.0=pyhc1e730c_0
  - tk=8.6.13=h5083fa2_1
  - wheel=0.43.0=pyhd8ed1ab_1
  - xz=5.2.6=h57fd34a_0
  - pip:
      - pandas==2.1.4
      - python-dateutil==2.9.0.post0
      - pytz==2024.1
      - six==1.16.0
      - tzdata==2024.1
prefix: /Users/michael/opt/miniconda3/envs/test-environment
Both lead to the following error:
[conda] Unable to detect the dependency versions from `environment.yml` as those versions are not pinned. Use `conda env export` to pin versions.
Desired Behavior
All types of dependencies (conda and pip) should be detected in an environment.yml file and scanned correctly by trivy.
Actual Behavior
pip dependencies are currently not detected correctly and can therefore not be scanned by the current approach.
Reproduction Steps
1. Create an environment.yml file with a pip dependency (see example above)
2. Create the conda environment:
   conda env update -f environment.yml
3. Export the conda environment to get pinned versions:
   conda env export -n test-environment -f environment.yml
4. Create an SBOM of the directory containing the pinned environment.yml file:
   trivy filesystem . --scanners vuln --timeout 10m --format cyclonedx >./reports/sbom-scan-vuln.cdx.json
(If I remove the pip dependencies from the pinned environment.yml file, the above command works fine.)
Target
SBOM
Scanner
Vulnerability
Output Format
CycloneDX
Mode
Standalone
Debug Output
2024-05-08T08:53:22+02:00 DEBUG ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2024-05-08T08:53:22+02:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-08T08:53:22+02:00 DEBUG Ignore statuses statuses=[]
2024-05-08T08:53:22+02:00 DEBUG Cache dir dir="/Users/michael/Library/Caches/trivy"
2024-05-08T08:53:22+02:00 DEBUG DB update was skipped because the local DB is the latest
2024-05-08T08:53:22+02:00 DEBUG DB info schema=2 updated_at=2024-05-08T06:12:21.400321152Z next_update=2024-05-08T12:12:21.400320861Z downloaded_at=2024-05-08T06:45:13.353111Z
2024-05-08T08:53:22+02:00 INFO Vulnerability scanning is enabled
2024-05-08T08:53:22+02:00 DEBUG Vulnerability type type=[os library]
2024-05-08T08:53:22+02:00 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-08T08:53:22+02:00 DEBUG [nuget] The nuget packages directory couldn't be found. License search disabled
panic: runtime error: index out of range [0] with length 0
goroutine 39 [running]:
github.com/aquasecurity/trivy/pkg/dependency/parser/conda/environment.(*Parser).parseDependency(0x14d0?, {0x0, 0x0})
/home/runner/work/trivy/trivy/pkg/dependency/parser/conda/environment/parse.go:89 +0x1d0
github.com/aquasecurity/trivy/pkg/dependency/parser/conda/environment.(*Parser).toLibrary(0x140027d2000, {{0x0?, 0x14003f27b01?}, 0x10213812c?})
/home/runner/work/trivy/trivy/pkg/dependency/parser/conda/environment/parse.go:59 +0x40
github.com/aquasecurity/trivy/pkg/dependency/parser/conda/environment.(*Parser).Parse(0x140027d2000, {0x10ac9b3d0, 0x14001e8cf30})
/home/runner/work/trivy/trivy/pkg/dependency/parser/conda/environment/parse.go:46 +0x268
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language.Parse({0x1081c3fc2, 0x11}, {0x14002fa5e40, 0xf}, {0x10abfaf80?, 0x14001e8cf30?}, {0x10ac0fc40, 0x140027d2000})
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/analyze.go:52 +0xac
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language.Analyze({0x1081c3fc2?, 0x11?}, {0x14002fa5e40, 0xf}, {0x10ac9b3d0?, 0x14001e8cf30?}, {0x10ac0fc40?, 0x140027d2000?})
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/analyze.go:20 +0x5c
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/conda/environment.environmentAnalyzer.Analyze({}, {0x0?, 0x0?}, {{0x16dcd75d1, 0x1}, {0x14002fa5e40, 0xf}, {0x10acb88a8, 0x140029bcd00}, {0x10ac9b3d0, ...}, ...})
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/conda/environment/environment.go:25 +0xb0
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.AnalyzeFile.func1({0x10acacdc8?, 0x10e5b3a80?}, {0x10acaadd0?, 0x14001e8cf30?})
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:432 +0x184
created by github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.AnalyzeFile in goroutine 1
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:427 +0x3bc
Operating System
macOS 14.4.1 (but also on Ubuntu)
Version
Version: 0.51.1
Checklist
- [ ] Run trivy image --reset
- [X] Read the troubleshooting
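The panic above comes from treating every entry of the dependency list as a plain package string, so the nested "pip:" mapping reaches parseDependency as an empty string. The following is an added example, not trivy's own (Go) parser: a small Python reader for the environment.yml subset shown in this report that distinguishes conda specs (name=version=build) from the nested pip block (name==version), records which entries are not pinned to an exact version, and rejects any entry it cannot parse instead of indexing into it. The sample document and the /path/to/env prefix are constructed for the example.

```python
import re

# Constructed sample in the shape the report shows: an export whose
# dependency list mixes conda specs with a nested "pip:" block.
SAMPLE_YML = """name: test-environment
dependencies:
  - python=3.10.14=h2469fbe_0_cpython
  - pip=23.2.1=pyhd8ed1ab_0
  - scikit-learn==1.3.*
  - pip:
      - pandas==2.1.4
      - six==1.16.0
prefix: /path/to/env
"""

# conda match spec: name[=|==version[=build]]; pip requirement: name[==version]
_CONDA_RE = re.compile(r"^([A-Za-z0-9_.-]+)(?:==?([^=\s]+))?(?:=([^=\s]+))?$")
_PIP_RE = re.compile(r"^([A-Za-z0-9_.-]+)(?:==(\S+))?$")

def _exact(version):
    """Keep only exact pins; wildcards and ranges cannot be matched to advisories."""
    if version is None or "*" in version or any(c in version for c in "<>!~,"):
        return None
    return version

def parse_environment_yml(text):
    """Return (ecosystem, name, version) tuples; version is None unless pinned."""
    deps, section, pip_indent = [], None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent, item = len(line) - len(line.lstrip()), line.strip()
        if indent == 0 and not item.startswith("-"):      # new top-level key
            section, pip_indent = item.split(":", 1)[0], None
            continue
        if section != "dependencies" or not item.startswith("- "):
            continue
        spec = item[2:].strip()
        if spec == "pip:":            # a nested mapping, not a package string
            pip_indent = indent       # children are indented deeper than this
            continue
        if pip_indent is not None and indent > pip_indent:
            eco, m = "pip", _PIP_RE.match(spec)
        else:                         # back at conda level, pip block is over
            pip_indent, eco, m = None, "conda", _CONDA_RE.match(spec)
        if m is None:                 # never index into an unparsed entry
            raise ValueError(f"unsupported dependency entry: {spec!r}")
        deps.append((eco, m.group(1), _exact(m.group(2))))
    return deps
```

Entries whose version comes back as None are exactly the ones that would trigger the "versions are not pinned" message, so a scanner can report them by name instead of aborting the whole file.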