# Conda
Trivy supports the following scanners for Conda packages.
| Scanner | Supported |
|---|---|
| SBOM | ✓ |
| Vulnerability | - |
| License | ✓ |

| Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position | Detection Priority |
|---|---|---|---|---|---|---|
| Conda | environment.yml | - | Include | - | ✓ | - |
## `<package>.json`

### SBOM

Trivy parses `<conda-root>/envs/<env>/conda-meta/<package>.json` files to find the dependencies installed in your environment.
### License

The `<package>.json` files contain package license information.
Trivy includes licenses for the packages it finds without having to parse additional files.
## `environment.yml`

### SBOM

Trivy supports parsing `environment.yml` files to find the dependency list.
`environment.yml` files support version ranges, so Trivy cannot determine the exact versions of such dependencies.
Therefore, run the `conda env export` command to get the dependency list in Conda's default (pinned) format before scanning the `environment.yml` file.
Note: for dependencies in a non-Conda format, Trivy does not include a version for them.
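The following is an added pre-scan check, not part of Trivy or this page: it parses a constructed `environment.yml`, reports which Conda dependencies are pinned in the `name=version=build` form that `conda env export` writes (assumed here to be the only form treated as an exact version), which ones use a range or bare name and so get no version, which entries are in non-Conda (pip) format, and whether a `prefix` is present for license lookup. The line-based YAML parser handles only this subset and assumes two-space indentation.

```python
import re
# Constructed sample environment.yml (not from the page): the shape `conda env export`
# writes, except two entries use a range / bare name and one pip entry is non-Conda.
ENV_YML = """\
name: demo
dependencies:
  - python=3.11.4=h2755cc3_0
  - openssl=3.1.1=hd590300_1
  - numpy>=1.24
  - requests
  - pip:
    - rich==13.4.2
prefix: /opt/conda/envs/demo
"""
# Conda's default export form for one dependency: name=version=build
PINNED = re.compile(r"^([A-Za-z0-9_.-]+)=([^=<>!\s]+)=([^=\s]+)$")

def parse_environment_yml(text):
    """Minimal parser for this subset of environment.yml (assumes two-space indents)."""
    env = {"dependencies": [], "pip": [], "prefix": None}
    section, in_pip = None, False
    for raw in text.splitlines():
        indent = len(raw) - len(raw.lstrip(" "))
        item = raw.strip()
        if indent == 0:  # top-level key such as name:, dependencies:, prefix:
            section, _, value = item.partition(":")
            if section == "prefix":
                env["prefix"] = value.strip()
        elif section == "dependencies":
            item = item.lstrip("- ")
            if indent == 2:
                in_pip = item == "pip:"
                if not in_pip:
                    env["dependencies"].append(item)
            elif in_pip:  # nested pip list: non-Conda format, version is dropped
                env["pip"].append(item)
    return env

def resolved_versions(env):
    """Version Trivy can report per Conda dependency; None for ranges/bare names."""
    out = {}
    for dep in env["dependencies"]:
        m = PINNED.match(dep)
        name = m.group(1) if m else re.split(r"[=<>!~]", dep, maxsplit=1)[0]
        out[name] = m.group(2) if m else None
    return out

def unresolved(env):
    """Names to pin with `conda env export` before scanning."""
    return sorted(n for n, v in resolved_versions(env).items() if v is None)
```

Running `unresolved(parse_environment_yml(ENV_YML))` on the sample lists `numpy` and `requests`, the entries whose version Trivy would not know until the file is regenerated with `conda env export`.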
### License

Trivy parses `conda-meta/<package>.json` files at the prefix path.
To correctly determine licenses, make sure your `environment.yml` contains the `prefix` field and that the prefix directory contains the `conda-meta/<package>.json` files.
Note: to get a correct `environment.yml` file and populate the prefix directory, use the `conda env export` command.