trivy image doesn't scan conda environment files

[duncanmmacleod]

Description

Running trivy image over a newly created container image that includes a Conda-style environment.yml file doesn't scan the file and produce any SBOM entries.

I'm new to using trivy, so I am fairly confident that this is user error and I just don't know the correct combination of options.

Desired Behavior

The image scanner would detect the environment.yml file, parse it, and include SBOM entries for each package of the format:

  ...
  "components": {
    ...
    {
      "bom-ref": "b03b267f-d825-4659-8724-9433ba8961a0",
      "type": "library",
      "name": "python",
      "version": "3.13.0",
      "purl": "pkg:conda/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "conda-environment"
        }
      ]
    },
    ...

Actual Behavior

The SBOM included system packages, but nothing from conda.

Reproduction Steps

# 1.  Create an environment.yml file
cat > environment.yml << ENVIRONMENT
dependencies:
  - python=3.13.0
ENVIRONMENT

# 2.  Create a `Dockerfile` that copies that environment.yml into an image:
cat > Dockerfile << DOCKERFILE
FROM alpine
COPY environment.yml /
DOCKERFILE

# 3.  Build the image
docker build . --tag trivyconda:test

# 4.  Scan the image
trivy image trivyconda:test --format cyclonedx --output sbom.json

Target

Container Image

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Debug Output

2024-11-20T19:54:38Z    DEBUG   No plugins loaded
2024-11-20T19:54:38Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2024-11-20T19:54:38Z    DEBUG   Cache dir       dir="/home/duncan/.cache/trivy"
2024-11-20T19:54:38Z    DEBUG   Cache dir       dir="/home/duncan/.cache/trivy"
2024-11-20T19:54:38Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-11-20T19:54:38Z    DEBUG   Ignore statuses statuses=[]
2024-11-20T19:54:38Z    DEBUG   [pkg] Package types     types=[os library]
2024-11-20T19:54:38Z    DEBUG   [pkg] Package relationships     relationships=[unknown root direct indirect]
2024-11-20T19:54:38Z    INFO    [license] License scanning is enabled
2024-11-20T19:54:38Z    DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-11-20T19:54:38Z    DEBUG   Initializing scan cache...      type="fs"
2024-11-20T19:54:38Z    DEBUG   [image] Detected image ID       image_id="sha256:2d8bcf364574225511d0810239a697df35723d2c0e1ffcad93ae293cdcdc24a7"
2024-11-20T19:54:38Z    DEBUG   [image] Detected diff ID        diff_ids=[sha256:63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85 sha256:333aea0cc188aff61d9fe67eaa1389487e2307e03019e2fc605cac2defdb8e59]
2024-11-20T19:54:38Z    DEBUG   [image] Detected base layers    diff_ids=[sha256:63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85]
2024-11-20T19:54:38Z    INFO    Detected OS     family="alpine" version="3.20.3"
2024-11-20T19:54:38Z    INFO    Number of language-specific files       num=0
2024-11-20T19:54:38Z    DEBUG   [vex] VEX filtering is disabled

Operating System

Debian 12 (WSL)

Version

Version: 0.57.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-11-20 06:16:36.195555824 +0000 UTC
  NextUpdate: 2024-11-21 06:16:36.195555543 +0000 UTC
  DownloadedAt: 2024-11-20 10:27:28.347759749 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-11-20 03:56:46.321623456 +0000 UTC
  NextUpdate: 2024-11-23 03:56:46.321623336 +0000 UTC
  DownloadedAt: 2024-11-20 10:47:58.175667645 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[knqyf263]

@DmitriyLewen Seems like Conda environment.yaml is not documented here.
https://aquasecurity.github.io/trivy/v0.57/docs/coverage/language/

[DmitriyLewen]

We moved conda to others - https://trivy.dev/v0.57/docs/coverage/others/conda/
But we need to create a table with modes (I mean fs/image/etc).
I will do it.

[knqyf263]

We moved conda to others - https://trivy.dev/v0.57/docs/coverage/others/conda/

Yes, but conda packages are still remaining in Language. We need to update it.

[DmitriyLewen]

Created #7972

[DmitriyLewen]

@duncanmmacleod I created #7972 to update docs to avoid confusing.
Trivy scans environment.yml files only in fs and repo modes.

In image mode Trivy scans only <conda-root>/envs/<env>/conda-meta/<package>.json files.

[duncanmmacleod]

Thanks @DmitriyLewen, this explains the (deliberate) feature difference.

I might open a feature request to enable scanning conda environments in a prefix outside of <conda-root>, but that would be a separate discussion to this one.

I'm not clear on the etiquette with GitHub discussions, should this now be closed?

[DmitriyLewen]

We use .*/envs/.+/conda-meta/.+-.+-.+\.json regex to detect json files.
Do you think we can improve it?

[duncanmmacleod]

@DmitriyLewen I created #7976 to discuss this independently, in which I suggested an improved regex (basically just remove the envs/.+ component to allow detection of isolated environments outside of the base conda distribution tree.