Comments (11)
@itamarst This would be great!
I am fairly certain it contains the same information as `conda list`.
Yes, the following are mostly the same:
- `conda-lock [--file ...]` (where file can be a couple of formats)
- `conda list --explicit` in an existing environment
A notable departure: `conda-lock` adds a few more comment lines which capture the relevant platform. It can also make use of `mamba`, which can be quite a bit snappier, especially for complex Windows solves.
extra dependencies being installed and not scanned for vulnerable releases.
Right: the format of the list of packages from either tool is interesting, as it's not only a set of packages, but also a topological sorting of their install order, which can be exploited for caching schemes, resolving duplicate paths, etc.
As you're calling out `conda-forge`... it doesn't look like `jake` can even handle those packages yet... this issue might be mis-filed, but has some of the thoughts we came up with, as well as this discussion issue.
And, of note, one can install `jake<1` from conda-forge... we're working on `jake==1` but will have some back-filling to do for various new upstreams.
This is a cool idea, all for it. Stoked y'all dig the tool! @allenhsieh and I wrote this a few years ago because we really like jake the snake (just kidding, or maybe?!)
@itamarst - FYI we've added Conda support in `jake` when generating an SBOM:
conda list --explicit | jake sbom -t CONDA
We're looking next into supporting Conda and other input formats when running the `ddt` and `iq` subcommands (which currently just read what's installed in your current Python environment).
FYI: @DarthHater, @bollwyvl
Nice: I'm making some progress towards getting the conda-forge package up and running. Of note, during a self-test, I found some more exotic package names aren't very well supported:
https://conda.anaconda.org/conda-forge/linux-64/_libgcc_mutex-0.1-conda_forge.tar.bz2
See conda-forge/jake-feedstock#3 (comment)
Thanks @bollwyvl - will take a look at that package... - can you share a complete output that includes the above package from either `conda list --explicit` and/or `conda list --json`?
Thanks
Sure, here are a bunch of widely-used lockfiles that get deployed thousands of times a day:
@bollwyvl - I've done a bit more digging on this, and specifically the example you've provided above.
FYI - the parsing of Conda lock files is actually handled by a parent library to `jake` - `cyclonedx-python`.
This project includes a parser for parsing conda lock files and already has a unit test specifically for the example you have above, which passes: https://github.com/CycloneDX/cyclonedx-python/blob/master/tests/test_utils_conda.py#L112
Am I missing something, or have you perhaps provided the incorrect example (before I go down a rabbit hole!)?
Thanks
Yeah, as a downstream packager of these packages, I'm only just keeping up with the recent spate of package renamings and versions, and haven't evaluated whether lockfiles work in a while. Once these land, I'll have a better idea:
I've added the test case I tried in October to the latter, so we'll probably know more later this week.
Well, we've shipped `jake 1.4.0` on conda-forge, and it looks like it can successfully generate an SBOM for its own environment... sorta.
Of note, there are a great number of packages that aren't python-related in conda(-forge), so blanket assuming a lot of stuff is in the `pypi` namespace is probably inaccurate, a la `pkg:pypi/[email protected]` (or more humorously, `pkg:pypi/[email protected]`), but that's probably more akin to the even further-upstream problem.
Meanwhile, when a package does correspond to one in pypi, but has a different name, there is a semi-authoritative mapping. I don't see any good examples here, but it's common for things where the pypi name is a pun for the underlying C library, e.g. `msgpack` -> `msgpack-python`.
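As an added example (not jake's or cyclonedx-python's code), here is a small parser for the `conda list --explicit` format that the `conda list --explicit | jake sbom -t CONDA` pipeline above consumes. It splits package filenames from the right so the underscore-prefixed `_libgcc_mutex-0.1-conda_forge.tar.bz2` name and hyphenated names like `msgpack-python` come out correctly, emits `pkg:conda/` purls with the build/channel/subdir/type qualifiers the purl spec defines instead of assuming the `pypi` namespace, and only maps a conda name to a PyPI name when an explicit table says so. The sample lines and the conda-to-PyPI name table are constructed for the example.

```python
"""Parse `conda list --explicit` output into conda purls.

Added example, not jake's or cyclonedx-python's code. It relies only on
the documented shape of the explicit list (a `# platform:` comment, an
`@EXPLICIT` marker, then one URL per package laid out as
.../<channel>/<subdir>/<name>-<version>-<build>.<tar.bz2|conda>, optionally
followed by `#<md5>`) and on the `pkg:conda/` purl type with its
build/channel/subdir/type qualifiers. SAMPLE and CONDA_TO_PYPI are
constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import quote, urlsplit

# Constructed sample shaped like `conda list --explicit` output; it includes
# the underscore-prefixed name from the thread and a hyphenated name.
SAMPLE = """\
# This file may be used to create an environment using:
# $ conda create --name <env> --file <this file>
# platform: linux-64
@EXPLICIT
https://conda.anaconda.org/conda-forge/linux-64/_libgcc_mutex-0.1-conda_forge.tar.bz2#d7c89558ba9fa0495403155b64376d81
https://conda.anaconda.org/conda-forge/noarch/python_abi-3.9-2_cp39.tar.bz2
https://conda.anaconda.org/conda-forge/linux-64/msgpack-python-1.0.3-py39h1a9c180_0.tar.bz2
https://repo.anaconda.com/pkgs/main/linux-64/openssl-1.1.1n-h7f8727e_0.conda
"""

# Assumed (toy) conda-name -> PyPI-name table. Anything not listed is left
# unmapped rather than assumed to live on PyPI.
CONDA_TO_PYPI = {"msgpack-python": "msgpack"}

PACKAGE_EXTENSIONS = (".tar.bz2", ".conda")


@dataclass(frozen=True)
class CondaPackage:
    name: str
    version: str
    build: str
    channel: str
    subdir: str
    ext: str            # "tar.bz2" or "conda"
    md5: Optional[str]  # trailing #<hash> from the explicit list, if any

    def purl(self) -> str:
        """pkg:conda/<name>@<version>?build=..&channel=..&subdir=..&type=.."""
        qualifiers = (("build", self.build), ("channel", self.channel),
                      ("subdir", self.subdir), ("type", self.ext))
        query = "&".join(f"{k}={quote(v, safe='')}" for k, v in qualifiers)
        return f"pkg:conda/{quote(self.name, safe='')}@{quote(self.version, safe='')}?{query}"

    def pypi_name(self) -> Optional[str]:
        """PyPI project name when the table knows one, else None."""
        return CONDA_TO_PYPI.get(self.name)


def parse_explicit_url(url: str) -> CondaPackage:
    """Split one explicit-list URL (with optional #md5) into its fields."""
    url, _, md5 = url.strip().partition("#")
    segments = urlsplit(url).path.strip("/").split("/")
    if len(segments) < 3:
        raise ValueError(f"not a channel/subdir/file URL: {url}")
    filename, subdir = segments[-1], segments[-2]
    channel = "/".join(segments[:-2])  # "conda-forge" or "pkgs/main"
    for ext in PACKAGE_EXTENSIONS:
        if filename.endswith(ext):
            stem = filename[: -len(ext)]
            break
    else:
        raise ValueError(f"unrecognised package file: {filename}")
    # Names may contain '-' (msgpack-python) or start with '_' (_libgcc_mutex);
    # version and build strings never contain '-', so split from the right.
    try:
        name, version, build = stem.rsplit("-", 2)
    except ValueError:
        raise ValueError(f"cannot split name-version-build: {filename}") from None
    return CondaPackage(name, version, build, channel, subdir, ext[1:], md5 or None)


def platform_of(text: str) -> Optional[str]:
    """The `# platform: <subdir>` comment that conda (and conda-lock) emit."""
    for line in text.splitlines():
        if line.startswith("# platform:"):
            return line.split(":", 1)[1].strip()
    return None


def parse_explicit(text: str) -> List[CondaPackage]:
    """Parse a whole `conda list --explicit` dump, skipping comments and markers."""
    packages = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        packages.append(parse_explicit_url(line))
    return packages


if __name__ == "__main__":
    print("platform:", platform_of(SAMPLE))
    for pkg in parse_explicit(SAMPLE):
        print(pkg.purl(), "->", pkg.pypi_name() or "(no known PyPI project)")
```

Feeding the parser real `conda list --explicit` output is just `parse_explicit(open(path).read())`; the point of the right-hand split and the `pkg:conda/` type is that a scanner keyed on `pkg:pypi/` names will otherwise either mis-name a conda package or look up something that is not a Python project at all.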
Thanks @bollwyvl - as ever, super insightful info and feedback. I'll ponder the two key points and see if there are any options we can employ to help.
On the point about generating an SBOM for its own environment, can you share a little more, or can we consider #66 closed?
Related Issues (20)
- [FEATURE] Type check `jake` PEP-561
- [CI] Streamline CI Jobs
- [BUG] Jake crashes on ddt scan "AttributeError: 'OssIndexComponent' object has no attribute 'has_known_vulnerabilities'"
- [BUG] Typo in --schema-version argument
- [BUG] jake ddt failure: unexpected keyword argument 'sonatype_ossi_score'
- [BUG] KeyError: 'displayName'
- [FEATURE] Confirm support for updated data in OSSIndex
- [BUG] Jake ddt does not honor Python virtual environments
- [FEATURE] update rich dependency
- [BUG] - "CWE-noinfo" not handled
- [BUG] -f option uses wrong encoding (cp1252) on Windows for UTF-8 files
- [BUG] jake ddt fails with ValueError: invalid literal for int() with base 10: 'noinfo' - both v2.1.1 and v3
- [FEATURE] Deprecate support for Python 3.6
- [FEATURE] Officially support Python 3.11
- [FEATURE] Update to `poetry` `1.4.0`
- [BUG] Unreliable result when using STDIN / conda list
- [FEATURE] support cyclonedx-bom's -pb flag
- [FEATURE] Remove dependency Pin to Rich
- [BUG] No reported vulnerability for conda packages
- [BUG] Conda scanner not recognizing known vulnerability