
Conda Application Analysis

The Conda coordinate-based matching feature provides the ability to scan and evaluate dependencies for any language (Python, Java, JavaScript, C++) found in the conda.txt file.

What is supported

  1. Files named conda.txt will be analyzed. Only exact requirements, i.e. without wildcards, will be considered.

  2. An environment.yml file containing packages from conda-forge can be analyzed. Follow the steps below to analyze the environment.yml file before invoking an IQ CLI scan.

Steps to analyze conda.txt

Create file conda.txt

conda list --explicit -e > conda.txt

Example conda.txt file

# This file may be used to create an environment using:
# $ conda create --name <env> --file <this file>
# platform: linux-64
@EXPLICIT
https://repo.anaconda.com/pkgs/main/linux-64/asn1crypto-0.24.0-py37_0.conda
https://repo.anaconda.com/pkgs/main/linux-64/ca-certificates-2019.1.23-0.conda
https://repo.anaconda.com/pkgs/main/linux-64/certifi-2019.3.9-py37_0.conda
https://repo.anaconda.com/pkgs/main/linux-64/cryptography-2.4.2-py37h1ba5d50_0.conda
https://repo.anaconda.com/pkgs/main/linux-64/libedit-3.1.20181209-hc058e9b_0.conda
https://repo.anaconda.com/pkgs/main/linux-64/openssl-1.1.1b-h7b6447c_1.conda

Note

The conda.txt encoding is UTF-8. Special note for Microsoft Windows users: the cmd.exe encoding may need to be changed to UTF-8. Please refer to the Microsoft documentation on how to do this.

  1. Run the conda list command with the flags --explicit and -e (export).

  2. Invoke a Sonatype IQ scan of a directory or sub-directories containing conda.txt.
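The following script, added here as an illustration and not part of Sonatype's own tooling, shows how the coordinates that coordinate-based matching relies on (name, version, build, subdir) can be read out of a conda.txt in the `conda list --explicit -e` format above. Comment lines and the @EXPLICIT marker are ignored, and any entry that is not an exact package URL (the constructed wildcard line in the sample) is reported as skipped, mirroring the "exact requirements only" rule. The sample file content and the hypothetical pyyaml line are constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format written by `conda list --explicit -e`.
# The last line is a deliberately non-exact (wildcard) entry to exercise the skip path.
SAMPLE_CONDA_TXT = """\
# This file may be used to create an environment using:
# $ conda create --name <env> --file <this file>
# platform: linux-64
@EXPLICIT
https://repo.anaconda.com/pkgs/main/linux-64/cryptography-2.4.2-py37h1ba5d50_0.conda
https://repo.anaconda.com/pkgs/main/linux-64/openssl-1.1.1b-h7b6447c_1.conda
https://conda.anaconda.org/conda-forge/noarch/requests-2.31.0-pyhd8ed1ab_0.tar.bz2
pyyaml=6.0.*
"""

# Package file names are <name>-<version>-<build>.conda or .tar.bz2. The name may
# itself contain hyphens, so version and build are the LAST two hyphen-separated fields.
_PKG_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<build>[^-]+)\.(?:conda|tar\.bz2)$")


def parse_explicit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the coordinate for one explicit package URL, or None if the line is skipped."""
    line = line.strip()
    if not line or line.startswith("#") or line == "@EXPLICIT":
        return None  # header/comment lines carry no package
    if "*" in line:
        return None  # wildcard: not an exact requirement, so it will not be matched
    parts = line.rsplit("/", 2)  # [..., subdir, filename]
    if len(parts) < 3:
        return None  # not a package URL
    subdir, filename = parts[-2], parts[-1]
    m = _PKG_RE.match(filename)
    if not m:
        return None
    return {"name": m["name"], "version": m["version"], "build": m["build"], "subdir": subdir}


def parse_conda_txt(text: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """Split a conda.txt into matchable coordinates and the non-header lines that were skipped."""
    matched, skipped = [], []
    for raw in text.splitlines():
        stripped = raw.strip()
        coord = parse_explicit_line(stripped)
        if coord is not None:
            matched.append(coord)
        elif stripped and not stripped.startswith("#") and stripped != "@EXPLICIT":
            skipped.append(stripped)
    return matched, skipped


if __name__ == "__main__":
    found, dropped = parse_conda_txt(SAMPLE_CONDA_TXT)
    for c in found:
        print(f"{c['name']} {c['version']} (build {c['build']}, {c['subdir']})")
    for line in dropped:
        print("skipped, not an exact requirement:", line)
```

Running the script against a real conda.txt before the IQ scan is a quick way to confirm which entries the scan can actually match and which it will ignore.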

Steps to Analyze environment.yml

  1. Create a conda environment using the environment.yml file to define the environment’s specifications.

    conda env create -f environment.yml

    The environment.yml file typically lists conda-forge under channels, so Conda will look for packages in the conda-forge channel.

    You can also specify exact or explicit versions of the packages to install in the environment under dependencies in the environment.yml file.

  2. Activate the conda environment using:

    conda activate my_project

  3. Export a list of all packages in the active environment and save it to conda.txt:

    conda list --explicit -e > conda.txt

  4. Invoke a Sonatype IQ CLI scan of a directory or sub-directories containing conda.txt.

Scan using Sonatype IQ CLI

Invoke a Sonatype IQ CLI scan of a directory or subdirectories containing a conda.txt file. Instructions on how to do this can be found here: Sonatype IQ CLI.

Steps to analyze using the Jenkins plugin

By default, the Jenkins plugin will not evaluate the conda.txt file. A custom Scan Target is needed.

Example Pipeline Script with Scan Patterns

nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/conda.txt']], iqStage: 'build'

To find more information on how to configure Jenkins, please go to Sonatype Platform Plugin for Jenkins.

Steps to analyze using the Bamboo plugin

Bamboo Scan Targets control which files are examined. To evaluate Conda, add conda.txt to the scan targets via "**/conda.txt". To find more information on how to configure Bamboo, please go to Sonatype IQ for Bamboo.