Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Conda ecosystem support #932

Open
rigzba21 opened this issue Mar 31, 2022 · 18 comments
Open

Conda ecosystem support #932

rigzba21 opened this issue Mar 31, 2022 · 18 comments
Labels
enhancement New feature or request good-first-issue Good for newcomers new-cataloger

Comments

@rigzba21
Copy link

Hi all!

What would you like to be added:
Conda ecosystem (language agnostic) support

Why is this needed:
The conda ecosystem provides an amazing way to work with dependencies in terms of environments and is used heavily in the Data Science and Scientific Computing communities.

Additional context:
I'm happy to submit a PR for this feature/capability and looking forward to diving into the syft src!
@rigzba21 rigzba21 added the enhancement New feature or request label Mar 31, 2022
@rigzba21 rigzba21 mentioned this issue Mar 31, 2022
Open
6 tasks
@rigzba21
Copy link
Author

rigzba21 commented Apr 2, 2022

I'll be opening a Draft PR when I have more done in my syft fork for conda support

@spiffcs
Copy link
Contributor

spiffcs commented Apr 4, 2022
edited
Loading

Thanks @rigzba21 for the attention here!

Admittedly I don't have a lot of experience with the Conda ecosystem, but I'm excited to see the PR and learn more about the different constructs a cataloger might have to interact with to provide support.

Feel free to tag the tools team on the PR and we can help with getting the builds kicked off for CI. I've also tentatively added this as a topic to our next community meeting on April 14th so we have a forum to talk more about it as the feature is developed.

Link to the community meeting where we discuss new ideas/features for syft/grype:
https://anchorecommunity.slack.com/archives/C4PJFNEEM/p1648734651797149

@westonsteimel
Copy link
Contributor

westonsteimel commented Apr 4, 2022
edited
Loading

Yep, thanks @rigzba21, I had thought a bit about trying this before but never got around to it. One thing that will be interesting here is syft already identifies packages installed by conda as pip packages because they end up with the same METADATA entries per https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/python/parse_wheel_egg_metadata.go. There is extra json for conda installed stuff that isn't taken into account though. Anyways, ths one will definitely be interesting and a great addition I think!

@rigzba21
Copy link
Author

rigzba21 commented Apr 4, 2022

@spiffcs, I've joined the Slack channel and added the community meeting to my calendar. @westonsteimel, thank you for pointing me to a good starting point!

@rigzba21 rigzba21 mentioned this issue Apr 6, 2022
Closed
@spiffcs spiffcs self-assigned this Apr 27, 2022
@spiffcs spiffcs added this to OSS Apr 27, 2022
@spiffcs spiffcs moved this to In Progress in OSS Apr 27, 2022
@spiffcs spiffcs linked a pull request Apr 28, 2022 that will close this issue
WIP/Draft-PR: Conda ecosystem support #938
Closed
@rigzba21
Copy link
Author

rigzba21 commented May 5, 2022

Closing my old draft PR which attempted to add a separate conda cataloger, in favor of the smaller-scoped work of extending the python cataloger as discussed in the last community meeting notes

Conda Support

  • extend the python cataloger to include conda-meta/*.json files

@spiffcs spiffcs moved this from In Progress (Actively Resolving) to Triage (Comments or Progress Made) in OSS May 31, 2022
@ssthom
Copy link

ssthom commented Nov 1, 2022

Is Conda support still being looked at? In our images we have Syft only finding openssl that the base image had installed and not the one in the Conda custom environment

spark@1838268b8f44:/usr/src/app$ /customenv/bin/openssl version
OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
spark@1838268b8f44:/usr/src/app$ apt list openssl
Listing... Done
openssl/stable,stable-security,now 1.1.1n-0+deb11u3 amd64 [installed,automatic]
spark@1838268b8f44:/usr/src/app$

Syft only finds:

openssl                                                         1.1.1n-0+deb11u3                           deb

@rigzba21
Copy link
Author

rigzba21 commented Nov 1, 2022

Is Conda support still being looked at?

While I'd love to keep working on this (admittedly, I have not looked at this in a while), I don't currently have the time to focus on this.

@rigzba21
Copy link
Author

I'll have time to pick this back up again this quarter 😄.

@razzlestorm
Copy link

razzlestorm commented May 16, 2023
edited
Loading

I'd be interested in helping get this across the finish line, if another body would help. I should have some time coming up in early June that I can work on this, if this is still happening? Is there a list of specific things that still need to be fleshed out and finished?

@rigzba21
Copy link
Author

Hi @razzlestorm! When I started this a while ago, I was looking at potentially adding a new cataloger . I also see that this issue conveniently has a new label, "new-cataloger." 😄

I'd love to collaborate on this now that I have more free time.

@kzantow
Copy link
Contributor

kzantow commented May 17, 2023

FWIW -- it looks like there were some open questions from the April 14 community meeting: https://docs.google.com/document/d/1ZtSAa6fj2a6KRWviTn3WoJm09edvrNUp4Iz_dOjjyY8/edit#heading=h.3ybu7ev6q4bx

@spiffcs spiffcs removed their assignment May 23, 2023
@spiffcs
Copy link
Contributor

spiffcs commented May 23, 2023

@razzlestorm @rigzba21 Thanks for keeping this thread alive!

If you have cycles this summer for looking at this cataloger then absolutely we would love the help:

The document Keith linked should have our OSS meeting on it - we have one this Thursday if you want to come hang out and talk about the scope of what would be a good first pass. Otherwise happy to talk async on this thread to get the ball rolling =)

@razzlestorm
Copy link

razzlestorm commented May 23, 2023
edited
Loading

Definitely! I'll come hang out.

EDIT: Unfortunately, I won't be able to make this, sorry! Apparently a last-minute meeting has been scheduled that I need to attend and the only time slot is that time. I've marked these slots as already being booked but hey, what can you do? I'm happy to coordinate async after your meeting, and make the next one (it's already booked in my calendar and hopefully nobody will unbook it).

In general I've had a brief chance to look over things, and it does seem like it makes sense to extend the python cataloger rather than creating a new one just for .conda packages. I'll take a look at everything in a bit more in-depth over the long weekend here.

@wagoodman wagoodman added the good-first-issue Good for newcomers label Sep 25, 2023
@rigzba21
Copy link
Author

rigzba21 commented Nov 4, 2023

I am linking Contributing New Catalogers - A Guide for Hacktoberfest and Beyond. Thank you, @spiffcs, for the writeup! I have some time this Nov/Dec to pick back up and look at this again.

@wagoodman wagoodman removed the status in OSS Feb 7, 2024
@jrandall
Copy link

jrandall commented Aug 6, 2024

Closing my old draft PR which attempted to add a separate conda cataloger, in favor of the smaller-scoped work of extending the python cataloger as discussed in the last community meeting notes

Conda Support

  • extend the python cataloger to include conda-meta/*.json files

I'm new to this project, but I don't see why conda would be part of the python cataloger. Conda can be used for python packages, but it is really a user-space alternative to OS-level packaging and it is primarily useful because it can manage shared libraries and binaries alongside things like Python or R packages that depend on them.

@witchcraze
Copy link
Contributor

Recently, I got involved in Anaconda license topic, so I am checking it.
One big factor is if systems install/update packages from the official public repository or not.

So, if we can use Syft to get the list of packages managed by Conda and where they come from (like with conda list --show-channel-urls or conda list --explicit), it will be much easier to find who is causing the problem.

@wagoodman
Copy link
Contributor

Here's a list of open questions from the community meeting referenced above:

  1. Can it fit under the current python cataloger or should it be separate? A meta cataloger that composes features from language specific catalogers. (Python, R, Ruby, Lua, Scala, Java, JavaScript, C/ C++, FORTRAN)
  2. Should there be Conda-specific package metadata (is this per language cataloger)?
  3. Are direct and transitive already identified through current pip identification or does conda do this another (better?) way?
    Identification of channels? (see https://docs.conda.io/projects/conda-build/en/latest/concepts/generating-index.html)
  4. Are there external references still to download typically? or can a conda cataloger be exclusively use installed artifacts and remain offline?
  5. Inclusion of tarball specific data (can this vary from machine to machine). If someone has brought their own package with updated non cannon metadata (numpy ⇒ numnum), but the digest for that code matches some known package can/should we link those in some way?
  6. How does grype do the vulnerability matching against a “conda” specific ecosystem?
  7. What are all of the ways to install conda itself. It seems to be a self extracting bundle bash script to get all base conda environment. (https://github.com/conda-forge/miniforge)

Here are some answers from Jonathan Velando from that same doc:

  • for 2) For a given conda package installed in a conda environment, each package contains a JSON file that includes all dependencies, symbolic links, dynamic libs, etc. Pretty much everything that a syft cataloger would need.
  • for 3) At the moment, syft does identify conda packages that are python+pip and npm-based packages. It does not however identify C++ or other based packages that may have been brought in as transitive dependencies, nor does it identify any dynamic libraries or shared objects that ship with certain conda packages.

For folks looking for an artifact to use for a basis for exploration: syft nvcr.io/nvidia/pytorch@sha256:2feee29307507dc51e1c0f10447ac897483682a747692c1c4d02cad52f59ab75 -o jso=/tmp/nvidia.syft.json

I can confirm that conda list is a 1:1 match with what's in /opt/conda/conda-meta:

$ ls -1 /opt/conda/conda-meta/
_libgcc_mutex-0.1-conda_forge.json
_openmp_mutex-4.5-1_llvm.json
backcall-0.2.0-pyh9f0ad1d_0.json
backports-1.0-py_2.json
backports.functools_lru_cache-1.6.4-pyhd8ed1ab_0.json
beautifulsoup4-4.9.3-pyhb0f4dca_0.json
brotlipy-0.7.0-py38h497a2fe_1001.json
bzip2-1.0.8-h7f98852_4.json
c-ares-1.17.2-h7f98852_0.json
ca-certificates-2021.5.30-ha878542_0.json
catalogue-2.0.4-py38h578d9bd_0.json
certifi-2021.5.30-py38h578d9bd_0.json
...

And there is some pretty rich info present:

Example JSON from /opt/conda/conda-meta/psutil-5.8.0-py38h497a2fe_1.json 
{
  "build": "py38h497a2fe_1",
  "build_number": 1,
  "channel": "https://conda.anaconda.org/conda-forge/linux-64",
  "constrains": [],
  "depends": [
    "libgcc-ng >=9.3.0",
    "python >=3.8,<3.9.0a0",
    "python_abi 3.8.* *_cp38"
  ],
  "extracted_package_dir": "/opt/conda/pkgs/psutil-5.8.0-py38h497a2fe_1",
  "features": "",
  "files": [
    "lib/python3.8/site-packages/psutil-5.8.0.dist-info/INSTALLER",
    "lib/python3.8/site-packages/psutil-5.8.0.dist-info/LICENSE",
    "lib/python3.8/site-packages/psutil-5.8.0.dist-info/METADATA",
    "lib/python3.8/site-packages/psutil-5.8.0.dist-info/RECORD",
    "lib/python3.8/site-packages/psutil-5.8.0.dist-info/REQUESTED",
    "lib/python3.8/site-packages/psutil-5.8.0.dist-info/WHEEL",
    "lib/python3.8/site-packages/psutil-5.8.0.dist-info/direct_url.json",
    "lib/python3.8/site-packages/psutil-5.8.0.dist-info/top_level.txt",
    "lib/python3.8/site-packages/psutil/__init__.py",
    "lib/python3.8/site-packages/psutil/__pycache__/__init__.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/__pycache__/_common.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/__pycache__/_compat.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/__pycache__/_psaix.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/__pycache__/_psbsd.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/__pycache__/_pslinux.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/__pycache__/_psosx.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/__pycache__/_psposix.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/__pycache__/_pssunos.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/__pycache__/_pswindows.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/_common.py",
    "lib/python3.8/site-packages/psutil/_compat.py",
    "lib/python3.8/site-packages/psutil/_psaix.py",
    "lib/python3.8/site-packages/psutil/_psbsd.py",
    "lib/python3.8/site-packages/psutil/_pslinux.py",
    "lib/python3.8/site-packages/psutil/_psosx.py",
    "lib/python3.8/site-packages/psutil/_psposix.py",
    "lib/python3.8/site-packages/psutil/_pssunos.py",
    "lib/python3.8/site-packages/psutil/_psutil_linux.cpython-38-x86_64-linux-gnu.so",
    "lib/python3.8/site-packages/psutil/_psutil_posix.cpython-38-x86_64-linux-gnu.so",
    "lib/python3.8/site-packages/psutil/_pswindows.py",
    "lib/python3.8/site-packages/psutil/tests/__init__.py",
    "lib/python3.8/site-packages/psutil/tests/__main__.py",
    "lib/python3.8/site-packages/psutil/tests/__pycache__/__init__.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/tests/__pycache__/__main__.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/tests/__pycache__/runner.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/tests/__pycache__/test_aix.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/tests/__pycache__/test_bsd.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/tests/__pycache__/test_connections.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/tests/__pycache__/test_contracts.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/tests/__pycache__/test_linux.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/tests/__pycache__/test_memleaks.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/tests/__pycache__/test_misc.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/tests/__pycache__/test_osx.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/tests/__pycache__/test_posix.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/tests/__pycache__/test_process.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/tests/__pycache__/test_sunos.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/tests/__pycache__/test_system.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/tests/__pycache__/test_testutils.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/tests/__pycache__/test_unicode.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/tests/__pycache__/test_windows.cpython-38.pyc",
    "lib/python3.8/site-packages/psutil/tests/runner.py",
    "lib/python3.8/site-packages/psutil/tests/test_aix.py",
    "lib/python3.8/site-packages/psutil/tests/test_bsd.py",
    "lib/python3.8/site-packages/psutil/tests/test_connections.py",
    "lib/python3.8/site-packages/psutil/tests/test_contracts.py",
    "lib/python3.8/site-packages/psutil/tests/test_linux.py",
    "lib/python3.8/site-packages/psutil/tests/test_memleaks.py",
    "lib/python3.8/site-packages/psutil/tests/test_misc.py",
    "lib/python3.8/site-packages/psutil/tests/test_osx.py",
    "lib/python3.8/site-packages/psutil/tests/test_posix.py",
    "lib/python3.8/site-packages/psutil/tests/test_process.py",
    "lib/python3.8/site-packages/psutil/tests/test_sunos.py",
    "lib/python3.8/site-packages/psutil/tests/test_system.py",
    "lib/python3.8/site-packages/psutil/tests/test_testutils.py",
    "lib/python3.8/site-packages/psutil/tests/test_unicode.py",
    "lib/python3.8/site-packages/psutil/tests/test_windows.py"
  ],
  "fn": "psutil-5.8.0-py38h497a2fe_1.tar.bz2",
  "license": "BSD-3-Clause",
  "license_family": "BSD",
  "link": {
    "source": "/opt/conda/pkgs/psutil-5.8.0-py38h497a2fe_1",
    "type": 1
  },
  "md5": "3c465545aa3cec37f8f1341546677956",
  "name": "psutil",
  "package_tarball_full_path": "/opt/conda/pkgs/psutil-5.8.0-py38h497a2fe_1.tar.bz2",
  "paths_data": {
    "paths": [
      {
        "_path": "lib/python3.8/site-packages/psutil-5.8.0.dist-info/INSTALLER",
        "path_type": "hardlink",
        "sha256": "d0edee15f91b406f3f99726e44eb990be6e34fd0345b52b910c568e0eef6a2a8",
        "sha256_in_prefix": "d0edee15f91b406f3f99726e44eb990be6e34fd0345b52b910c568e0eef6a2a8",
        "size_in_bytes": 5
      },
      {
        "_path": "lib/python3.8/site-packages/psutil-5.8.0.dist-info/LICENSE",
        "path_type": "hardlink",
        "sha256": "24c12984500caa07ffdce19eebc06396c5e6d244b573bc6c438f4a6ef8e56c1b",
        "sha256_in_prefix": "24c12984500caa07ffdce19eebc06396c5e6d244b573bc6c438f4a6ef8e56c1b",
        "size_in_bytes": 1549
      },
      {
        "_path": "lib/python3.8/site-packages/psutil-5.8.0.dist-info/METADATA",
        "path_type": "hardlink",
        "sha256": "069863fda59a3742371c9f60ad268b0b04c760a595c7d1a1de557d590bf205e6",
        "sha256_in_prefix": "069863fda59a3742371c9f60ad268b0b04c760a595c7d1a1de557d590bf205e6",
        "size_in_bytes": 22626
      },
      {
        "_path": "lib/python3.8/site-packages/psutil-5.8.0.dist-info/RECORD",
        "path_type": "hardlink",
        "sha256": "317dd0df84ed17cdb9aca6c8524aa968e4c175962d357f3f2920a68a380895ef",
        "sha256_in_prefix": "317dd0df84ed17cdb9aca6c8524aa968e4c175962d357f3f2920a68a380895ef",
        "size_in_bytes": 4608
      },
      {
        "_path": "lib/python3.8/site-packages/psutil-5.8.0.dist-info/REQUESTED",
        "path_type": "hardlink",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "sha256_in_prefix": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "size_in_bytes": 0
      },
      {
        "_path": "lib/python3.8/site-packages/psutil-5.8.0.dist-info/WHEEL",
        "path_type": "hardlink",
        "sha256": "873c76fb7f6359fc7e368e413c69bb60debad6bc91601b8b3fc81975bc43a3c2",
        "sha256_in_prefix": "873c76fb7f6359fc7e368e413c69bb60debad6bc91601b8b3fc81975bc43a3c2",
        "size_in_bytes": 103
      },
      {
        "_path": "lib/python3.8/site-packages/psutil-5.8.0.dist-info/direct_url.json",
        "path_type": "hardlink",
        "sha256": "1a82a939c5d3de92e3e6a8818c9515cc7e0019c04747c8e160dfbcd129082739",
        "sha256_in_prefix": "1a82a939c5d3de92e3e6a8818c9515cc7e0019c04747c8e160dfbcd129082739",
        "size_in_bytes": 102
      },
      {
        "_path": "lib/python3.8/site-packages/psutil-5.8.0.dist-info/top_level.txt",
        "path_type": "hardlink",
        "sha256": "8023619f9ef0ce4b038d20084a680c2746a25f342e964d062616f6f81032620c",
        "sha256_in_prefix": "8023619f9ef0ce4b038d20084a680c2746a25f342e964d062616f6f81032620c",
        "size_in_bytes": 7
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/__init__.py",
        "path_type": "hardlink",
        "sha256": "9018329d8ceec4d5ea155a4235d4ebd11a92991f93a9c1eb68379d076c9c3da9",
        "sha256_in_prefix": "9018329d8ceec4d5ea155a4235d4ebd11a92991f93a9c1eb68379d076c9c3da9",
        "size_in_bytes": 86749
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/__pycache__/__init__.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "8af11d52c4697315071b27c9b488be828bfd4e1e856696ac3c969782c5878d14",
        "sha256_in_prefix": "8af11d52c4697315071b27c9b488be828bfd4e1e856696ac3c969782c5878d14",
        "size_in_bytes": 63718
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/__pycache__/_common.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "f1a438b8d19897e950b6fdfd683393a6a7dab96def1c56ca4dd6811ab80ec708",
        "sha256_in_prefix": "f1a438b8d19897e950b6fdfd683393a6a7dab96def1c56ca4dd6811ab80ec708",
        "size_in_bytes": 20920
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/__pycache__/_compat.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "f1ea2f40336ce02051d983ce4a7e32d6bebf7b39b8be1ce4850226119310b2d7",
        "sha256_in_prefix": "f1ea2f40336ce02051d983ce4a7e32d6bebf7b39b8be1ce4850226119310b2d7",
        "size_in_bytes": 11341
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/__pycache__/_psaix.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "00d7f7fcfe348bb1b62c6f8ceb73245fe943b6db57ab19164f470ed83c233c14",
        "sha256_in_prefix": "00d7f7fcfe348bb1b62c6f8ceb73245fe943b6db57ab19164f470ed83c233c14",
        "size_in_bytes": 15261
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/__pycache__/_psbsd.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "0b2a3f21034f71838bd9ae19f4684eb20e94155a60f071e26546b89b7bb54860",
        "sha256_in_prefix": "0b2a3f21034f71838bd9ae19f4684eb20e94155a60f071e26546b89b7bb54860",
        "size_in_bytes": 21002
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/__pycache__/_pslinux.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "72b3683e14f542a904c35a2d962d235aa4911374b36c687948859b324c80b657",
        "sha256_in_prefix": "72b3683e14f542a904c35a2d962d235aa4911374b36c687948859b324c80b657",
        "size_in_bytes": 49711
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/__pycache__/_psosx.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "0c05561f0a79b4847e8163416518bcd6fc2f2de06891bc23354b2d03e64463c3",
        "sha256_in_prefix": "0c05561f0a79b4847e8163416518bcd6fc2f2de06891bc23354b2d03e64463c3",
        "size_in_bytes": 14818
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/__pycache__/_psposix.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "9600d34b1de26f4431f3a7714be6b86471d2c609ecddea138581de7ed93139b8",
        "sha256_in_prefix": "9600d34b1de26f4431f3a7714be6b86471d2c609ecddea138581de7ed93139b8",
        "size_in_bytes": 4516
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/__pycache__/_pssunos.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "6e91e8f097c0c1049a2a4abc68c6d1e0e6c33fea4fb32df8cad051c51755c32e",
        "sha256_in_prefix": "6e91e8f097c0c1049a2a4abc68c6d1e0e6c33fea4fb32df8cad051c51755c32e",
        "size_in_bytes": 18400
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/__pycache__/_pswindows.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "ef6402f873575fb081b740deea27045f1a4c0cb7e5b39fd448c6a69d41b2e7dc",
        "sha256_in_prefix": "ef6402f873575fb081b740deea27045f1a4c0cb7e5b39fd448c6a69d41b2e7dc",
        "size_in_bytes": 29094
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/_common.py",
        "path_type": "hardlink",
        "sha256": "21e8fdb9ad3f1f873e96098ac77c415831d13fe3dbe2ccd4f9035bf1c37a77c3",
        "sha256_in_prefix": "21e8fdb9ad3f1f873e96098ac77c415831d13fe3dbe2ccd4f9035bf1c37a77c3",
        "size_in_bytes": 26218
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/_compat.py",
        "path_type": "hardlink",
        "sha256": "c2219368b16a08d52b085bc57d15e9e18de09f9162ab32d41554c2a7a180ded6",
        "sha256_in_prefix": "c2219368b16a08d52b085bc57d15e9e18de09f9162ab32d41554c2a7a180ded6",
        "size_in_bytes": 14474
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/_psaix.py",
        "path_type": "hardlink",
        "sha256": "d2d630cac6d964e66c873879265ae6821ef26418fd98045d2a97c812d481d823",
        "sha256_in_prefix": "d2d630cac6d964e66c873879265ae6821ef26418fd98045d2a97c812d481d823",
        "size_in_bytes": 18555
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/_psbsd.py",
        "path_type": "hardlink",
        "sha256": "c1c89694b44d51fba452395df313bee8ca4ee43d2afb75b11506de0bd38a9a5c",
        "sha256_in_prefix": "c1c89694b44d51fba452395df313bee8ca4ee43d2afb75b11506de0bd38a9a5c",
        "size_in_bytes": 31069
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/_pslinux.py",
        "path_type": "hardlink",
        "sha256": "e587d4fb39ac70b76ac6b9b8f35ab7fcf172ad8f33d224274478db2e66349c9d",
        "sha256_in_prefix": "e587d4fb39ac70b76ac6b9b8f35ab7fcf172ad8f33d224274478db2e66349c9d",
        "size_in_bytes": 82101
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/_psosx.py",
        "path_type": "hardlink",
        "sha256": "48b53361acd05ce748274c998e6f94aa50c5fa1247cbcc9a0d1e2c9630de3027",
        "sha256_in_prefix": "48b53361acd05ce748274c998e6f94aa50c5fa1247cbcc9a0d1e2c9630de3027",
        "size_in_bytes": 17494
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/_psposix.py",
        "path_type": "hardlink",
        "sha256": "21c5c94dd53aa2c4c9c23076b83a2108b9ee18f9790464180fabc3834b0e27c7",
        "sha256_in_prefix": "21c5c94dd53aa2c4c9c23076b83a2108b9ee18f9790464180fabc3834b0e27c7",
        "size_in_bytes": 8045
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/_pssunos.py",
        "path_type": "hardlink",
        "sha256": "bb7c158529c12ed405b427e1343d6bc43d8a1d6078cca68d22999e086e73e4c7",
        "sha256_in_prefix": "bb7c158529c12ed405b427e1343d6bc43d8a1d6078cca68d22999e086e73e4c7",
        "size_in_bytes": 25495
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/_psutil_linux.cpython-38-x86_64-linux-gnu.so",
        "path_type": "hardlink",
        "sha256": "5c512a8dd58f4b47975f98ede4c24eac227d5ee07b3b184393acae3c7ca795b9",
        "sha256_in_prefix": "5c512a8dd58f4b47975f98ede4c24eac227d5ee07b3b184393acae3c7ca795b9",
        "size_in_bytes": 37552
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/_psutil_posix.cpython-38-x86_64-linux-gnu.so",
        "path_type": "hardlink",
        "sha256": "06c5290a6b906ec73136082ae679bb38ec123d91d86f451924aad6dfb204f621",
        "sha256_in_prefix": "06c5290a6b906ec73136082ae679bb38ec123d91d86f451924aad6dfb204f621",
        "size_in_bytes": 27208
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/_pswindows.py",
        "path_type": "hardlink",
        "sha256": "2727df1f1d0f991258fb81672f479ebcf766ae707b77de80b95ea64ef51abcf7",
        "sha256_in_prefix": "2727df1f1d0f991258fb81672f479ebcf766ae707b77de80b95ea64ef51abcf7",
        "size_in_bytes": 36841
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/__init__.py",
        "path_type": "hardlink",
        "sha256": "e9214aff381afea52724e9ca17a00859ab0a18863077a5d7a978372b12625f56",
        "sha256_in_prefix": "e9214aff381afea52724e9ca17a00859ab0a18863077a5d7a978372b12625f56",
        "size_in_bytes": 57568
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/__main__.py",
        "path_type": "hardlink",
        "sha256": "6c17cc3eefe03f3ca203881f0054992e4ecbc8b48f4d4207405535905723fce9",
        "sha256_in_prefix": "6c17cc3eefe03f3ca203881f0054992e4ecbc8b48f4d4207405535905723fce9",
        "size_in_bytes": 291
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/__pycache__/__init__.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "549a85ed172a90f7ecf0d5a4ae24832a01c67a23e0a83e4add67023ba390a472",
        "sha256_in_prefix": "549a85ed172a90f7ecf0d5a4ae24832a01c67a23e0a83e4add67023ba390a472",
        "size_in_bytes": 47531
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/__pycache__/__main__.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "8e7ff93d4958cb13ec506aa25e4626f0377b57a26a3dd15990795020e52fc082",
        "sha256_in_prefix": "8e7ff93d4958cb13ec506aa25e4626f0377b57a26a3dd15990795020e52fc082",
        "size_in_bytes": 265
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/__pycache__/runner.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "eda941e57106b36c69240e5166d37d313c9f35a67fb55b983359a22ee58025ee",
        "sha256_in_prefix": "eda941e57106b36c69240e5166d37d313c9f35a67fb55b983359a22ee58025ee",
        "size_in_bytes": 11084
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/__pycache__/test_aix.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "1cc85a28e0f23733dd9fe7dfed20994200bf4190fb6f10a2bf84300889d72704",
        "sha256_in_prefix": "1cc85a28e0f23733dd9fe7dfed20994200bf4190fb6f10a2bf84300889d72704",
        "size_in_bytes": 3362
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/__pycache__/test_bsd.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "bed63efb07cfa6503ec910fdaa36819ac31f8a80ff58c6800e36b7c12bd2952a",
        "sha256_in_prefix": "bed63efb07cfa6503ec910fdaa36819ac31f8a80ff58c6800e36b7c12bd2952a",
        "size_in_bytes": 19980
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/__pycache__/test_connections.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "7414392d7d7b45ac247c0cd49d8cdae1ee80b7628e8d8fc02611e0ad6dcd16f2",
        "sha256_in_prefix": "7414392d7d7b45ac247c0cd49d8cdae1ee80b7628e8d8fc02611e0ad6dcd16f2",
        "size_in_bytes": 15783
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/__pycache__/test_contracts.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "2d144d31d4d0a9c0f8a12564cec3d9bca22da9b8454cdd2035565f3d272e066b",
        "sha256_in_prefix": "2d144d31d4d0a9c0f8a12564cec3d9bca22da9b8454cdd2035565f3d272e066b",
        "size_in_bytes": 26232
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/__pycache__/test_linux.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "cfa2befa1d1707e44a81083f809fb493a84592124670b4e72a854d01c8331503",
        "sha256_in_prefix": "cfa2befa1d1707e44a81083f809fb493a84592124670b4e72a854d01c8331503",
        "size_in_bytes": 70296
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/__pycache__/test_memleaks.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "aeea5209b19ec99218492592bffc1d50320c55f72b58c8593a3d1ae71c84b27a",
        "sha256_in_prefix": "aeea5209b19ec99218492592bffc1d50320c55f72b58c8593a3d1ae71c84b27a",
        "size_in_bytes": 23109
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/__pycache__/test_misc.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "d80ec22f90911aa709528bcf3f4b991731927339523d9c69eb2531041d5fb803",
        "sha256_in_prefix": "d80ec22f90911aa709528bcf3f4b991731927339523d9c69eb2531041d5fb803",
        "size_in_bytes": 23452
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/__pycache__/test_osx.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "6993f11f4ad41ce1ae9d936986626381a9aadcd23b38baf118344e6d69460087",
        "sha256_in_prefix": "6993f11f4ad41ce1ae9d936986626381a9aadcd23b38baf118344e6d69460087",
        "size_in_bytes": 7249
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/__pycache__/test_posix.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "4e21548d44ca41e29f83d6ad8f767b8206f91d4589588a1d7bc17a0e83fe9744",
        "sha256_in_prefix": "4e21548d44ca41e29f83d6ad8f767b8206f91d4589588a1d7bc17a0e83fe9744",
        "size_in_bytes": 12742
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/__pycache__/test_process.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "24e565fc7fe33ca94a73ef3037a43a6c8aab2931b6b05fda3b569c9b6655f0bb",
        "sha256_in_prefix": "24e565fc7fe33ca94a73ef3037a43a6c8aab2931b6b05fda3b569c9b6655f0bb",
        "size_in_bytes": 47619
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/__pycache__/test_sunos.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "6468cd14d537b8d2290463327d861648cde77f55d224ef42228c377f4ebeeb2b",
        "sha256_in_prefix": "6468cd14d537b8d2290463327d861648cde77f55d224ef42228c377f4ebeeb2b",
        "size_in_bytes": 1513
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/__pycache__/test_system.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "e6fb46566c8f8578e7035ddc11a5aa686728c9536e2d2f5372dd18614ee61c78",
        "sha256_in_prefix": "e6fb46566c8f8578e7035ddc11a5aa686728c9536e2d2f5372dd18614ee61c78",
        "size_in_bytes": 27549
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/__pycache__/test_testutils.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "f77422930e3d8c14d616b3ca3c9d0dc7c5d3933410ba6900ff62ce9b07d59169",
        "sha256_in_prefix": "f77422930e3d8c14d616b3ca3c9d0dc7c5d3933410ba6900ff62ce9b07d59169",
        "size_in_bytes": 16645
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/__pycache__/test_unicode.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "75c84fa8c385c1ade3274b4a6aded55f03f12849d239146aeba97b671c0add45",
        "sha256_in_prefix": "75c84fa8c385c1ade3274b4a6aded55f03f12849d239146aeba97b671c0add45",
        "size_in_bytes": 11108
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/__pycache__/test_windows.cpython-38.pyc",
        "path_type": "hardlink",
        "sha256": "e10f9c7f93c8d6f64fb60d9461eb9345584a5c620d425abbe981c81af1fc9ed9",
        "sha256_in_prefix": "e10f9c7f93c8d6f64fb60d9461eb9345584a5c620d425abbe981c81af1fc9ed9",
        "size_in_bytes": 28647
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/runner.py",
        "path_type": "hardlink",
        "sha256": "6968819f332e1f8d9d1807a87d1b8e8260cf732288f58af4bb53c8e072c33ce1",
        "sha256_in_prefix": "6968819f332e1f8d9d1807a87d1b8e8260cf732288f58af4bb53c8e072c33ce1",
        "size_in_bytes": 11332
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/test_aix.py",
        "path_type": "hardlink",
        "sha256": "afbf0f05accc7656a08a9ded9d6759212e87c503538ab13d73c196a8f91c293c",
        "sha256_in_prefix": "afbf0f05accc7656a08a9ded9d6759212e87c503538ab13d73c196a8f91c293c",
        "size_in_bytes": 4526
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/test_bsd.py",
        "path_type": "hardlink",
        "sha256": "ded4c55489265d91641f2685c9db26247ffe96c0049351ee0008b7f8b8011893",
        "sha256_in_prefix": "ded4c55489265d91641f2685c9db26247ffe96c0049351ee0008b7f8b8011893",
        "size_in_bytes": 20695
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/test_connections.py",
        "path_type": "hardlink",
        "sha256": "fb8a63c6d2465a86e389d58492e105212ed21c0e5e5ef11cae3d8c1b9d45a9bf",
        "sha256_in_prefix": "fb8a63c6d2465a86e389d58492e105212ed21c0e5e5ef11cae3d8c1b9d45a9bf",
        "size_in_bytes": 21434
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/test_contracts.py",
        "path_type": "hardlink",
        "sha256": "203e7f2bf1b09502d8259765dc16d9715f99727a6dc257cdc78da633b6b9f0a9",
        "sha256_in_prefix": "203e7f2bf1b09502d8259765dc16d9715f99727a6dc257cdc78da633b6b9f0a9",
        "size_in_bytes": 27097
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/test_linux.py",
        "path_type": "hardlink",
        "sha256": "8c488f0f98120ab52214ebdabbeb119dc3cedd2b5eb68225c4f25c6336ab4dab",
        "sha256_in_prefix": "8c488f0f98120ab52214ebdabbeb119dc3cedd2b5eb68225c4f25c6336ab4dab",
        "size_in_bytes": 89802
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/test_memleaks.py",
        "path_type": "hardlink",
        "sha256": "b433f8a683d0782757703e436b2434b8b6fbd58cbf6e4d1094860d74197e7a6b",
        "sha256_in_prefix": "b433f8a683d0782757703e436b2434b8b6fbd58cbf6e4d1094860d74197e7a6b",
        "size_in_bytes": 14796
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/test_misc.py",
        "path_type": "hardlink",
        "sha256": "2b207fff97cff0bc2de7b662ae91645ad3dade9b17f52e43f73250211d9d165f",
        "sha256_in_prefix": "2b207fff97cff0bc2de7b662ae91645ad3dade9b17f52e43f73250211d9d165f",
        "size_in_bytes": 28584
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/test_osx.py",
        "path_type": "hardlink",
        "sha256": "3c041fe3d1d488df27d032a651609709a115fb6876d26d637ae2d7f39a71b20f",
        "sha256_in_prefix": "3c041fe3d1d488df27d032a651609709a115fb6876d26d637ae2d7f39a71b20f",
        "size_in_bytes": 7550
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/test_posix.py",
        "path_type": "hardlink",
        "sha256": "a8dd16debefad05e5ce9d1854d8295b323631b5eb05ff7e956cda4d4af02a921",
        "sha256_in_prefix": "a8dd16debefad05e5ce9d1854d8295b323631b5eb05ff7e956cda4d4af02a921",
        "size_in_bytes": 15143
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/test_process.py",
        "path_type": "hardlink",
        "sha256": "6c2702a9f736271288f4fbee5bb9a9158e7df6bc683192b39310d14fe3a6b349",
        "sha256_in_prefix": "6c2702a9f736271288f4fbee5bb9a9158e7df6bc683192b39310d14fe3a6b349",
        "size_in_bytes": 59703
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/test_sunos.py",
        "path_type": "hardlink",
        "sha256": "b68b01ebee1ba0ce9994855a789661e986c163c8151919b46085e06ff67af465",
        "sha256_in_prefix": "b68b01ebee1ba0ce9994855a789661e986c163c8151919b46085e06ff67af465",
        "size_in_bytes": 1351
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/test_system.py",
        "path_type": "hardlink",
        "sha256": "753d2fdd7e19665d513b4011614fc092f340cec1addb5088210f7efd5bdb41ae",
        "sha256_in_prefix": "753d2fdd7e19665d513b4011614fc092f340cec1addb5088210f7efd5bdb41ae",
        "size_in_bytes": 35596
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/test_testutils.py",
        "path_type": "hardlink",
        "sha256": "03d9e77a1dbd67dacdef03387a4060e107572f97620f8982508d54c3a0798de7",
        "sha256_in_prefix": "03d9e77a1dbd67dacdef03387a4060e107572f97620f8982508d54c3a0798de7",
        "size_in_bytes": 14420
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/test_unicode.py",
        "path_type": "hardlink",
        "sha256": "70fc32d98516f1757453da08b0c0811614b648cbb986d7450f70d38a6991b627",
        "sha256_in_prefix": "70fc32d98516f1757453da08b0c0811614b648cbb986d7450f70d38a6991b627",
        "size_in_bytes": 12459
      },
      {
        "_path": "lib/python3.8/site-packages/psutil/tests/test_windows.py",
        "path_type": "hardlink",
        "sha256": "7641246c5114688d8be6cc85b5ef6fa24e369ffaff0ec4e36c5bba219e92cef4",
        "sha256_in_prefix": "7641246c5114688d8be6cc85b5ef6fa24e369ffaff0ec4e36c5bba219e92cef4",
        "size_in_bytes": 32589
      }
    ],
    "paths_version": 1
  },
  "requested_spec": "None",
  "sha256": "7ac30046988743b471c58f645c5ae06794d355d4315729d9628f3d8acbb0d512",
  "size": 349949,
  "subdir": "linux-64",
  "timestamp": 1610127222797,
  "track_features": "",
  "url": "https://conda.anaconda.org/conda-forge/linux-64/psutil-5.8.0-py38h497a2fe_1.tar.bz2",
  "version": "5.8.0"
}

I think this heavily hints at:

  • there should be a conda-specific cataloger
  • packages raised up should have conda-specific package metadata
  • since not all packages are python we should consider making a new package type (or use existing ones but understand what to do with ecosystems that aren't covered by a package type today). This probably needs discussion
  • there will be changes downstream in grype to handle matching for these cases, but this should not block development in syft
  • open question: what should we do when it comes to deduplicating these packages with any file-ownership overlap we find? I think we should prefer the conda package information since it would be more detailed, but again, this should probably be open for discussion.

@spiffcs spiffcs mentioned this issue Oct 31, 2024
Open
@wagoodman
Copy link
Contributor

From the live stream: we want to not affect existing grype matches today. Let's let syft find both overlapping python and conda packages and mark the ownership-overlap relationship between them. When we start supporting matching for conda explicitly in grype we can decide to dedup matching at that point.

@wagoodman wagoodman moved this to Ready in OSS Oct 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request good-first-issue Good for newcomers new-cataloger
Projects
OSS
Status: Ready
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

WIP/Draft-PR: Conda ecosystem support rigzba21/syft
10 participants
@jrandall @wagoodman @westonsteimel @kzantow @willmurphyscode @ssthom @rigzba21 @razzlestorm @spiffcs @witchcraze