-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FEATURE] Support conda-lock files #66
Comments
@itamarst This would be great!
Yes, this following are mostly the same:
A notable departure:
Right: the format of the list of packages from either tool is interesting, as it's not only a set of packages, but also a topological sorting of their install order, which can be exploited for caching schemes, resolving duplicate paths, etc. As you're calling out And, of note, one can install |
This is a cool idea, all for it. Stoked y'all dig the tool! @allenhsieh and I wrote this a few years ago because we really like |
fix: character encoding issues on Windows #67 Signed-off-by: Paul Horton <[email protected]>
@itamarst - FYI we've added Conda support in
We're looking next into supporting Conda and other input formats when running FYI: @DarthHater , @bollwyvl |
Nice: I'm making some progress towards getting the conda-forge package up and running. Of note, during a self-test, I found some more exotic package names aren't very well supported:
|
Thanks @bollwyvl - will take a look at that package... - can you share a complete output that includes the above package from either Thanks |
Sure, here are a bunch of widely-used lockfiles that get deployed thousands of time a day: |
@bollwyvl - I've done a bit more digging on this, and specifically the example you've provided above. FYI - the parsing of Conda lock files is actually handled by a parent library to This project includes a parser for parsing conda lock files and already has a unit test specifically for the example you have above, which passes: https://github.com/CycloneDX/cyclonedx-python/blob/master/tests/test_utils_conda.py#L112 Am I missing something, or have you perhaps provided the incorrect example (before I go down a rabbit hole!)? Thanks |
Yeah, as a downstream packager of these packages, I'm only just keeping up with the recent spate of package renamings and versions, and haven't evaluated whether lockfiles work in a while. Once these land, I'll have a better idea: I've added the test case i tried in october to the latter, so we'll probably know more later this week. |
Well, we've shipped Of note, there are a great number of packages that aren't python-related in conda(-forge), so blanket assuming a lot of stuff is in the Meanwhile, when a package does correspond to one in pypi, but has a different name, there is a semi-authoritative mapping. I don't see any good examples here, but its common for things where the pypi name is a pun for the underlying c library, e.g. |
Thanks @bollwyvl - as ever, super insightful info and feedback. I'll ponder the two key points and see if there are any options we can employ to help. |
On the point about generating an SBOM for it's own environment, can you share a little more, or can we consider #66 closed? |
https://github.com/conda-incubator/conda-lock/ includes a transitive pinned list of packages to install in a Conda environment, to allow for reproducible builds. I am fairly certain it contains the same information as
conda list
.It would be nice to be able to scan for vulnerabilities using this file, because then one wouldn't have to actually install the packages to check for vulnerabilities.
Unlike
environment.yml
, it should contain a complete list of packages that will be installed, so there's no worry about extra dependencies being installed and not scanned for vulnerable releases.Write a parser for
conda-lock
output files. Should be pretty simple:Thank you for writing this tool! I'm writing a blog post about it right now.
cc @bhamail / @DarthHater
The text was updated successfully, but these errors were encountered: