
[BUG] Unreliable result when using STDIN / conda list #139

Open
1-some opened this issue Mar 23, 2023 · 3 comments
Labels
bug Something isn't working

Comments

@1-some

1-some commented Mar 23, 2023

Describe the bug
I'm trying to test / use jake 3.0.0 in a conda environment, but seem to get an inconsistent result (or perhaps I do not understand it correctly). When having a conda environment active with only jake installed in it, the basic command will give me 52 audited dependencies and 2 vulnerabilities. If I repeat the same in combination with a conda list, I get 58 audited dependencies and 0 vulnerabilities. And no matter what, in combination with conda list I always get 0 vulnerabilities, for any environment, which seems inaccurate. If I need to supply more info, please let me know.

To Reproduce
Steps to reproduce the behavior:

  1. Run conda activate [my_env]
  2. Run jake ddt
  3. Report: 52 audited dependencies and 2 vulnerabilities

And the other approach:

  1. Run conda activate [my_env]
  2. Run conda list --explicit --md5 | jake ddt -t CONDA
  3. Report: 58 audited dependencies and 0 vulnerabilities

Expected behavior
For the first command I'd say I miss 6 audited dependencies (there are 58 dependencies in the active environment), and for the latter command I'd say I miss the reported 2 vulnerabilities.

Screenshots
First command: [screenshot: jake_command_with_vulnerabilities]

Second command: [screenshot: jake_command_without_vulnerabilities]

Desktop (please complete the following information):

  • OS: Windows 10
  • Python Version: tested with 3.9.7 and 3.10.9
  • Version: 3.0.0

Additional context
Also conda list -n [my_other_env] --explicit --md5 | jake ddt -t CONDA gives 0 vulnerabilities for any environment I try (of which some have vulnerabilities). The number of audited dependencies does change, so that seems correct. I've installed jake 3.0.0 via conda from conda-forge.

@epassaro

epassaro commented May 8, 2023

I have the same problem!

Piping conda list --name <environment_name> --explicit | jake ddt -t CONDA does not work as expected. Nor does dumping the result to a .txt file and running jake with the -f flag.

The best result is given when running jake ddt inside the activated environment. That's not really great, because I need to install jake in the environment I want to test.


EDIT: I've been doing some experiments after installing the following test environment:

name: example

channels:
  - conda-forge

dependencies:
  - python =3.10
  - flask =2.2.2  
  - numpy =1.21.5

(note: also tried using the main channel, the same result)

and concluded:

  • Piping conda list --name example | jake ddt -t CONDA returns the correct number of dependencies (37) but 0 vulnerabilities are detected (this is not correct, both numpy and flask have vulnerabilities in those versions).
  • Installing jake in the same env and running jake ddt with the example environment activated returns the correct number of dependencies (44, counting jake and its deps) and 5 vulnerabilities (that seems correct).

cc @bhamail / @DarthHater

@vvoutilainen

vvoutilainen commented May 27, 2023

Can confirm. With the conda environment selected, running

jake ddt -t ENV

scans the packages found with pip list. However, as the OP writes, either of the commands

conda list --explicit --md5 | jake ddt -t CONDA
conda list --json | jake ddt -t CONDA_JSON

scan all packages found by conda (from conda list, which results in more packages than pip list) but always yield zero vulnerabilities, although some of the packages are the same as in the default case above and have known vulnerabilities.

@riccardoporreca

@vvoutilainen, @epassaro, the key difference is that -t CONDA and -t CONDA_JSON look at vulnerabilities for the set of conda packages in the conda environment, whereas -t ENV (and -t PIP) looks at pypi packages.

This is the reason why there are more packages on the conda side (likely due to non-python conda packages), but on the other hand there are usually fewer known vulnerabilities on the OSS index for conda packages compared to pypi packages.

Example

If you are looking for a way of using jake to report pypi vulnerabilities of a conda environment w/o running jake from within the environment (via -t ENV), something along the lines of

conda run --name <environment_name> pip list --format=freeze | jake ddt -t PIP

would do, and does not even require ever activating the conda environment explicitly. The only assumption is that pip is available in the conda environment (there would be ways to work around this if needed).
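The explanation above (and vvoutilainen's observation that the CONDA targets see more packages but zero findings) comes down to which package ecosystem each input format resolves to. The following is an added illustration, not jake's own code and not part of this issue: it parses a constructed `conda list --explicit --md5` listing and a constructed `pip list --format=freeze` listing for the same environment, and emits the package-URL (purl) style coordinates each route would query. The `pkg:conda` qualifier names (`build`, `channel`, `subdir`) follow the purl specification as I understand it and are an assumption, as are the placeholder md5 values; the same `numpy` and `flask` map to `pkg:conda/...` on one side and `pkg:pypi/...` on the other, so a vulnerability recorded only against the PyPI package is not a match for the conda coordinate. It also rejects input that lacks the `@EXPLICIT` marker, which is what a plain `conda list --name example` (without `--explicit`) produces.

```python
"""Show why a conda-side audit and a PyPI-side audit of one environment query different coordinates.

Added example; not jake's implementation. Sample inputs are constructed, not captured from a real environment.
"""
import re
from urllib.parse import urlsplit

# Constructed sample of `conda list --explicit --md5` output (md5 fragments are placeholders).
CONDA_EXPLICIT = """\
# This file may be used to create an environment using:
# $ conda create --name <env> --file <this file>
# platform: linux-64
@EXPLICIT
https://conda.anaconda.org/conda-forge/linux-64/python-3.10.9-he550d4f_0_cpython.conda#0000000000000000000000000000000a
https://conda.anaconda.org/conda-forge/linux-64/openssl-3.0.8-h0b41bf4_0.conda#0000000000000000000000000000000b
https://conda.anaconda.org/conda-forge/linux-64/numpy-1.21.5-py310h45f3432_3.tar.bz2#0000000000000000000000000000000c
https://conda.anaconda.org/conda-forge/noarch/flask-2.2.2-pyhd8ed1ab_0.tar.bz2#0000000000000000000000000000000d
https://conda.anaconda.org/conda-forge/linux-64/ca-certificates-2022.12.7-ha878542_0.conda#0000000000000000000000000000000e
"""

# Constructed sample of `pip list --format=freeze` run inside the same environment.
PIP_FREEZE = """\
Flask==2.2.2
numpy==1.21.5
Werkzeug==2.2.3
"""

_ARCHIVE_EXT = re.compile(r"\.(tar\.bz2|conda)$")


def parse_conda_explicit(text):
    """Parse `conda list --explicit --md5` output into conda package records.

    Each package line is a download URL whose filename is <name>-<version>-<build>.<ext>
    and whose URL fragment (after '#') is the md5 when --md5 was given.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if "@EXPLICIT" not in lines:
        # A plain `conda list` table, or `--json`, is not this format; refuse rather than misparse.
        raise ValueError("input is not `conda list --explicit` output (no @EXPLICIT marker)")
    pkgs = []
    for ln in lines:
        if ln.startswith("#") or ln == "@EXPLICIT":
            continue
        url = urlsplit(ln)
        channel, subdir, filename = url.path.strip("/").split("/")[-3:]
        stem = _ARCHIVE_EXT.sub("", filename)
        # rsplit keeps hyphenated names such as ca-certificates intact.
        name, version, build = stem.rsplit("-", 2)
        pkgs.append({"name": name, "version": version, "build": build,
                     "channel": channel, "subdir": subdir, "md5": url.fragment or None})
    return pkgs


def parse_pip_freeze(text):
    """Parse `pip list --format=freeze` output into normalized PyPI package records."""
    pkgs = []
    for ln in text.splitlines():
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue
        name, _, version = ln.partition("==")
        # PyPI name normalization: case-insensitive, runs of -_. collapse to a single hyphen.
        pkgs.append({"name": re.sub(r"[-_.]+", "-", name).lower(), "version": version})
    return pkgs


def conda_purl(p):
    """purl-style coordinate for a conda package (qualifier names assumed from the purl spec)."""
    return (f"pkg:conda/{p['name']}@{p['version']}"
            f"?build={p['build']}&channel={p['channel']}&subdir={p['subdir']}")


def pypi_purl(p):
    """purl-style coordinate for a PyPI package."""
    return f"pkg:pypi/{p['name']}@{p['version']}"


def compare_audit_scope(conda_text, pip_text):
    """Return what each route would look up, plus which names exist on only one side."""
    conda = parse_conda_explicit(conda_text)
    pip = parse_pip_freeze(pip_text)
    conda_names = {p["name"] for p in conda}
    pip_names = {p["name"] for p in pip}
    return {
        "conda_coordinates": [conda_purl(p) for p in conda],
        "pypi_coordinates": [pypi_purl(p) for p in pip],
        "only_conda": sorted(conda_names - pip_names),   # interpreter, libs, certs: no PyPI record
        "only_pypi": sorted(pip_names - conda_names),    # pip-installed extras invisible to conda
        "shared_names": sorted(conda_names & pip_names),  # same name, different ecosystem coordinate
    }


if __name__ == "__main__":
    result = compare_audit_scope(CONDA_EXPLICIT, PIP_FREEZE)
    for key, value in result.items():
        print(f"{key}:")
        for item in value:
            print(f"  {item}")
```

Running it shows `numpy` and `flask` under both `conda_coordinates` and `pypi_coordinates` with different `pkg:` types, `python`, `openssl` and `ca-certificates` only on the conda side, and `werkzeug` only on the pip side; that is the shape of the 58-vs-52 and 0-vs-2 discrepancy reported above.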
