Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Modifiers in Conda package URL not handled by OSS Index #19

Open
riccardoporreca opened this issue Nov 6, 2023 · 1 comment
Open

Modifiers in Conda package URL not handled by OSS Index #19

riccardoporreca opened this issue Nov 6, 2023 · 1 comment

Comments

@riccardoporreca
Copy link

riccardoporreca commented Nov 6, 2023

I am trying to use jake to query vulnerabilties of conda package as listed from an environment.

This constructs a Conda packge URL (purl) as described in https://github.com/package-url/purl-spec/blob/f729aec79e3e13ac709d6675788634e53fe4d571/PURL-TYPES.rst#conda, which includes a number of qualifiers, e.g.

pkg:conda/[email protected]?build=py36h06a4308_0&channel=main&subdir=linux-64&type=tar.bz2

However, the OSS index component report (and underlying API) are not able to retrieve vulnerabilities maintained in the OSS index agnostic of such modifiers, i.e. for pkg:conda/pkg-name@version only

Example

from ossindex.ossindex import OssIndex
from ossindex.model import Vulnerability, OssIndexComponent
from packageurl import PackageURL
o = OssIndex()
results: list[OssIndexComponent] = o.get_component_report(packages=[
    PackageURL.from_string(purl='pkg:pypi/[email protected]'),
    PackageURL.from_string(purl='pkg:conda/[email protected]?build=py39h295c915_0&channel=main&subdir=linux-64&type=conda'),
    PackageURL.from_string(purl='pkg:conda/[email protected]'),
])
for r in results:
    print("{}: {} known vulnerabilities".format(r.coordinates, len(r.vulnerabilities)))
    v: Vulnerability
    for v in r.vulnerabilities:
        print('    - {}'.format(str(v)))

yields

pkg:pypi/[email protected]: 1 known vulnerabilities
    - <Vulnerability id=CVE-2020-13091, name=CVE-2020-13091, cvss_score=9.8>
pkg:conda/[email protected]?build=py39h295c915_0&channel=main&subdir=linux-64&type=conda: 0 known vulnerabilities
pkg:conda/[email protected]: 1 known vulnerabilities
    - <Vulnerability id=CVE-2020-13091, name=CVE-2020-13091, cvss_score=9.8>
@riccardoporreca
Copy link
Author

This might be a (known) limitation of the OSS index for conda packages, where vulnerabilities are not maintained for the fully-qualified package URL. If that is the case, one might use only the pkg:conda/pkg-name@version part when using the OSS Index API

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant