
Conda ecosystem support (basic)#4002

Merged
spiffcs merged 12 commits into anchore:main from SimeonStoykovQC:ss-conda
Aug 20, 2025

Conversation

Contributor

SimeonStoykovQC commented Jun 12, 2025

Description

This PR introduces basic support for SBOM generation of packages in conda environments.

Status Quo

Up until now, syft had limited capabilities in conda environments and relied on language-specific catalogers (e.g. python and go). This meant that it wouldn't detect packages such as zlib, even though the metadata needed is already accessible.

Scope

The scope of this PR is to provide a minimum-effort conda support with the metadata that is already available, until the syft/grype and conda ecosystems decide on a more comprehensive approach (see #932 and conda/ceps#63).

The known shortcomings of this implementation are:

  • PURLs are not included at all, since we cannot generate meaningful ones yet;
  • The CPEs are best-effort, as we derive them from the conda package name, which could be arbitrary even in the case of repackaging (for example, the helm package in conda is named kubernetes-helm, which won't match any existing helm CVEs);
  • Any statically linked transitive dependencies are not detected;
  • There will be duplicate SBOMs for packages that were already detected before.

Implementation

The implementation partially addresses #932.

Each installed package in a conda environment produces a JSON metadata file inside the conda-meta directory. It provides a name and a version, among other things, and we use that to construct a package list.

Type of change

  • New feature (non-breaking change which adds functionality)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections
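As an added illustration of the cataloging approach the description outlines (example code, not code from this PR or from syft itself): a Go function that reads the JSON records in a conda-meta directory, keeps name and version, and derives a best-effort CPE from the conda name, which is why a record named kubernetes-helm will not line up with helm. The record field names, the CPE layout and the sample directory contents are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"testing/fstest"
)

// condaMetaRecord holds the fields of a conda-meta/*.json record used here.
type condaMetaRecord struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}
// CondaPackage is one catalogued package: name and version from the record plus
// a best-effort CPE derived from the conda name. No PURL is produced.
type CondaPackage struct{ Name, Version, CPE string }
// bestEffortCPE derives a CPE from the conda name (layout assumed here). A name
// that differs from upstream, e.g. kubernetes-helm for helm, will not match upstream CVEs.
func bestEffortCPE(name, version string) string {
	return fmt.Sprintf("cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*", name, name, version)
}
// CatalogCondaMeta reads every *.json record in a conda-meta directory (an fs.FS rooted
// there) in filename order; non-JSON files such as "history" are skipped, nameless records dropped.
func CatalogCondaMeta(metaDir fs.FS) ([]CondaPackage, error) {
	files, _ := fs.Glob(metaDir, "*.json") // constant pattern: no error possible
	var pkgs []CondaPackage
	for _, f := range files {
		data, err := fs.ReadFile(metaDir, f)
		if err != nil {
			return nil, err
		}
		var rec condaMetaRecord
		if err := json.Unmarshal(data, &rec); err != nil {
			return nil, fmt.Errorf("%s: %w", f, err)
		}
		if rec.Name == "" || rec.Version == "" {
			continue
		}
		pkgs = append(pkgs, CondaPackage{rec.Name, rec.Version, bestEffortCPE(rec.Name, rec.Version)})
	}
	return pkgs, nil
}

// SampleCondaMeta is a constructed conda-meta directory, not captured from a real environment.
var SampleCondaMeta = fstest.MapFS{
	"kubernetes-helm-3.16.2-ha770c72_0.json": {Data: []byte(`{"name":"kubernetes-helm","version":"3.16.2"}`)},
	"zlib-1.3.1-hb9d3cd8_2.json":             {Data: []byte(`{"name":"zlib","version":"1.3.1","build":"hb9d3cd8_2"}`)},
	"history":                                {Data: []byte("==> 2025-06-12 <==\n# cmd: conda create -n demo zlib\n")},
}
```

Passing `os.DirFS("/path/to/env/conda-meta")` to `CatalogCondaMeta` runs the same logic over a real environment.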


xhochy commented Jun 17, 2025

Thank you, @SimeonStoykovQC! This already looks like a first sensible version that successfully produces found vulnerabilities in grype, nice. I'm only a conda expert, not a Go one and thus cannot provide more review of the code than LGTM.

> Any statically linked transitive dependencies are not detected;

This is probably the same as in every other ecosystem. Neither do they detect it. The plan for the conda ecosystem is to follow what PyPI/Python did with PEP 770: include SBOMs in packages that ship statically linked packages.

For the PURLs: This will be addressed in the linked Conda Enhancement Proposal, and I know that @pavelzw is working on revamping this and getting it over the finish line. I guess this PR here should not be blocked by that, though.

Contributor

spiffcs left a comment


Kicked off the CI Checks. CODE LGTM - If there are any failures I'll jump in and try to fix them

Contributor

spiffcs commented Jul 31, 2025

@SimeonStoykovQC I'm on a livestream at the moment but will take a look at these failures when I have a second.

@SimeonStoykovQC
Contributor Author

Thanks, I will take a look again tomorrow (CET timezone) in case any code fixes are needed.

@SimeonStoykovQC
Contributor Author

Hey @spiffcs, I think the functionality tests pass, but the new conda package type and cataloger need to be added in a few places. Do you have time to help with this and make the CI green? Happy to do it myself if I have rights for running the CI.

Contributor

spiffcs commented Aug 13, 2025

Yes! I've been cruising down the PR track today and will take a look here. It's getting a bit late in the day so maybe tonight or tomorrow, but it's now on my ever expanding txt file of TODOs to tackle this week 😄

Contributor

spiffcs commented Aug 14, 2025

A few things came up today so I've been trying to work through the surprise WIP, but this is still very high on my "fix and get more PRs across the line in syft" list.

@SimeonStoykovQC
Contributor Author

Hey, no problem, let me know if we can split the work.

@github-actions github-actions bot added the json-schema Changes the json schema label Aug 20, 2025
Contributor

spiffcs commented Aug 20, 2025

Updated static analysis to generate the new schema because of the new metadata type.
This might need to be regenerated again as there are a couple of schema PRs in the queue. I'll update the tests so that they are green and then speak with the team in the AM about the order to merge some of the outstanding WIP that all have schema updates.

Edit: This one is ready so it wins the schema race. Doing one more quick PR review before merge

@spiffcs spiffcs merged commit a433045 into anchore:main Aug 20, 2025
12 checks passed