feat: add support for Conda

Signed-off-by: Paul Horton <[email protected]>

Author: madpah

cyclonedx/parser/conda.py

@@ -0,0 +1,97 @@
+# encoding: utf-8
+
+# This file is part of CycloneDX Python Lib
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+import json
+from abc import abstractmethod
+from typing import List
+
+from . import BaseParser
+from ..model import ExternalReference, ExternalReferenceType
+from ..model.component import Component
+from ..utils.conda import parse_conda_json_to_conda_package, parse_conda_list_str_to_conda_package, CondaPackage
+
+
+class _BaseCondaParser(BaseParser):
+    """
+    Internal abstract parser - not for programatic use.
+
+    """
+    def __init__(self, conda_data: str):
+        super().__init__()
+        self._conda_packages: List[CondaPackage] = []
+        self._parse_to_conda_packages(data_str=conda_data)
+        self._conda_packages_to_components()
+
+    @abstractmethod
+    def _parse_to_conda_packages(self, data_str: str):
+        """
+        Abstract method for implementation by concrete Conda Parsers
+
+        Params:
+            data_str:
+                `str` data passed into the Parser
+
+        Returns:
+            A `list` of `CondaPackage` instances parsed.
+        """
+        pass
+
+    def _conda_packages_to_components(self):
+        """
+        Converts the parsed `CondaPackage` instances into `Component` instances.
+
+        """
+        for conda_package in self._conda_packages:
+            c = Component(
+                name=conda_package['name'], version=str(conda_package['version'])
+            )
+            c.add_external_reference(ExternalReference(
+                reference_type=ExternalReferenceType.DISTRIBUTION,
+                url=conda_package['base_url'],
+                comment=f"Distribution name {conda_package['dist_name']}"
+            ))
+
+            self._components.append(c)
+
+
+class CondaListJsonParser(_BaseCondaParser):
+    """
+    This parser is intended to receive the output from the command `conda list --json`.
+    """
+
+    def _parse_to_conda_packages(self, data_str: str):
+        conda_list_content = json.loads(data_str)
+
+        for package in conda_list_content:
+            conda_package = parse_conda_json_to_conda_package(conda_json_str=json.dumps(package))
+            if conda_package:
+                self._conda_packages.append(conda_package)
+
+
+class CondaListExplicitParser(_BaseCondaParser):
+    """
+    This parser is intended to receive the output from the command `conda list --explicit` or
+    `conda list --explicit --md5`.
+    """
+
+    def _parse_to_conda_packages(self, data_str: str):
+        for line in data_str.replace('\r\n', '\n').split('\n'):
+            line = line.strip()
+            conda_package = parse_conda_list_str_to_conda_package(conda_list_str=line)
+            if conda_package:
+                self._conda_packages.append(conda_package)

cyclonedx/utils/__init__.py

@@ -0,0 +1,116 @@
+# encoding: utf-8
+
+# This file is part of CycloneDX Python Lib
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+import json
+from json import JSONDecodeError
+
+from typing import TypedDict, Union
+from urllib.parse import urlparse
+
+
+class CondaPackage(TypedDict):
+    """
+    Internal package for unifying Conda package definitions to.
+    """
+    base_url: str
+    build_number: int
+    build_string: str
+    channel: str
+    dist_name: str
+    name: str
+    platform: str
+    version: str
+    md5_hash: str
+
+
+def parse_conda_json_to_conda_package(conda_json_str: str) -> Union[CondaPackage, None]:
+    try:
+        package_data = json.loads(conda_json_str)
+    except JSONDecodeError:
+        print(f'Failed to decode JSON: {conda_json_str}')
+        raise ValueError(f'Invalid JSON supplied - cannot be parsed: {conda_json_str}')
+
+    if 'md5_hash' not in package_data.keys():
+        package_data['md5_hash'] = None
+
+    if isinstance(package_data, dict):
+        return CondaPackage(**package_data)
+
+    return None
+
+
+def parse_conda_list_str_to_conda_package(conda_list_str: str) -> Union[CondaPackage, None]:
+    """
+    Helper method for parsing a line of output from `conda list --explicit` into our internal `CondaPackage` object.
+
+    Params:
+        conda_list_str:
+            Line of output from `conda list --explicit`
+
+    Returns:
+        Instance of `CondaPackage` else `None`.
+    """
+
+    line = conda_list_str.strip()
+
+    if line[0:1] == '#' or line[0:1] == '@' or len(line) == 0:
+        # Skip comments, @EXPLICT or empty lines
+        return None
+
+    # Remove any hash
+    package_hash: str = None
+    if '#' in line:
+        hash_parts = line.split('#')
+        if len(hash_parts) > 1:
+            package_hash = hash_parts.pop()
+            line = ''.join(hash_parts)
+
+    package_parts = line.split('/')
+    package_name_version_build_string = package_parts.pop()
+    package_arch = package_parts.pop()
+    package_url = urlparse('/'.join(package_parts))
+
+    try:
+        package_nvbs_parts = package_name_version_build_string.split('-')
+        build_number_with_opt_string = package_nvbs_parts.pop()
+        if '.' in build_number_with_opt_string:
+            # Remove any .conda at the end if present or other package type eg .tar.gz
+            pos = build_number_with_opt_string.find('.')
+            build_number_with_opt_string = build_number_with_opt_string[0:pos]
+
+        if '_' in build_number_with_opt_string:
+            bnbs_parts = build_number_with_opt_string.split('_')
+            if len(bnbs_parts) == 2:
+                build_number = int(bnbs_parts.pop())
+                build_string = build_number_with_opt_string
+            else:
+                raise ValueError(f'Unexpected build version string for Conda Package: {conda_list_str}')
+        else:
+            build_string = None
+            build_number = int(build_number_with_opt_string)
+
+        build_version = package_nvbs_parts.pop()
+        package_name = '-'.join(package_nvbs_parts)
+    except IndexError as e:
+        raise ValueError(f'Error parsing {package_nvbs_parts} from {conda_list_str} IndexError: {str(e)}')
+
+    return CondaPackage(
+        base_url=package_url.geturl(), build_number=build_number, build_string=build_string,
+        channel=package_url.path[1:], dist_name=f'{package_name}-{build_version}-{build_string}',
+        name=package_name, platform=package_arch, version=build_version, md5_hash=package_hash
+    )

cyclonedx/utils/conda.py

@@ -0,0 +1,38 @@
+# This file may be used to create an environment using:
+# $ conda create --name <env> --file <this file>
+# platform: osx-64
+@EXPLICIT
+https://repo.anaconda.com/pkgs/main/osx-64/ca-certificates-2021.7.5-hecd8cb5_1.conda#c2d0ae65c08dacdcf86770b7b5bbb187
+https://repo.anaconda.com/pkgs/main/osx-64/libcxx-10.0.0-1.conda#86574bfd5bcf4921237da41c07534cdc
+https://repo.anaconda.com/pkgs/main/noarch/tzdata-2021a-h52ac0ba_0.conda#d42e4db918af84a470286e4c300604a3
+https://repo.anaconda.com/pkgs/main/osx-64/xz-5.2.5-h1de35cc_0.conda#f38610dab0f2b0cb05f1b31f354113c5
+https://repo.anaconda.com/pkgs/main/osx-64/yaml-0.2.5-haf1e3a3_0.conda#73628ed86f99adf6a0cb81dd20e426cd
+https://repo.anaconda.com/pkgs/main/osx-64/zlib-1.2.11-h1de35cc_3.conda#67bb31afee816662edebfc3171360ccf
+https://repo.anaconda.com/pkgs/main/osx-64/libffi-3.3-hb1e8313_2.conda#0c959d444ac65555cb836cdbd3e9a2d9
+https://repo.anaconda.com/pkgs/main/osx-64/ncurses-6.2-h0a44026_1.conda#649f497ed2ff2704749256d3532d144b
+https://repo.anaconda.com/pkgs/main/osx-64/openssl-1.1.1k-h9ed2024_0.conda#2ecbfa7a9684bbaaa057c6dac778abc3
+https://repo.anaconda.com/pkgs/main/osx-64/tk-8.6.10-hb0a8c7a_0.conda#2f199f5862f5b000479408673eadb88d
+https://repo.anaconda.com/pkgs/main/osx-64/readline-8.1-h9ed2024_0.conda#ce1a650fddb885c47ccdb28c90a2057a
+https://repo.anaconda.com/pkgs/main/osx-64/sqlite-3.36.0-hce871da_0.conda#7e47a43e94a61ad1c7a5d910c5e970fd
+https://repo.anaconda.com/pkgs/main/osx-64/python-3.9.5-h88f2d9e_3.conda#f10a9a3fd6b0936cc05f9e94e06a2d94
+https://repo.anaconda.com/pkgs/main/osx-64/certifi-2021.5.30-py39hecd8cb5_0.conda#48a9d5f197fbcef83387ca18e7216068
+https://repo.anaconda.com/pkgs/main/osx-64/chardet-4.0.0-py39hecd8cb5_1003.conda#535b448899dcf60a12dc683a90be5c0c
+https://repo.anaconda.com/pkgs/main/noarch/idna-2.10-pyhd3eb1b0_0.tar.bz2#153ff132f593ea80aae2eea61a629c92
+https://repo.anaconda.com/pkgs/main/osx-64/pycosat-0.6.3-py39h9ed2024_0.conda#625905706ac243fae350f4dfc63e1b2d
+https://repo.anaconda.com/pkgs/main/noarch/pycparser-2.20-py_2.conda#fcfeb621c6f895f3562ff01d9d6ce959
+https://repo.anaconda.com/pkgs/main/osx-64/pysocks-1.7.1-py39hecd8cb5_0.conda#4765ca1a39ea5287cbe170734ac83e37
+https://repo.anaconda.com/pkgs/main/osx-64/python.app-3-py39h9ed2024_0.conda#8a562918b61f71b3cac387cec842cbd2
+https://repo.anaconda.com/pkgs/main/osx-64/ruamel_yaml-0.15.100-py39h9ed2024_0.conda#d7abc88ed5b3a8d9e4af95b8a64d87fe
+https://repo.anaconda.com/pkgs/main/noarch/six-1.16.0-pyhd3eb1b0_0.conda#529b369e1accc75b89f2d7e184a898d0
+https://repo.anaconda.com/pkgs/main/noarch/tqdm-4.61.2-pyhd3eb1b0_1.conda#f061c1548e813e7544d0017a71651e04
+https://repo.anaconda.com/pkgs/main/noarch/wheel-0.36.2-pyhd3eb1b0_0.conda#31029affc034e8c7203202417cebd157
+https://repo.anaconda.com/pkgs/main/osx-64/cffi-1.14.6-py39h2125817_0.conda#78ee9d3613c9f3f50a9eb4acd45bc747
+https://repo.anaconda.com/pkgs/main/osx-64/conda-package-handling-1.7.3-py39h9ed2024_1.conda#04a0be0e0f5bad8d8fc7ebe4803ea446
+https://repo.anaconda.com/pkgs/main/osx-64/setuptools-52.0.0-py39hecd8cb5_0.conda#5c9e48476978303d04650c21ee55f365
+https://repo.anaconda.com/pkgs/main/osx-64/brotlipy-0.7.0-py39h9ed2024_1003.conda#a08f6f5f899aff4a07351217b36fae41
+https://repo.anaconda.com/pkgs/main/osx-64/cryptography-3.4.7-py39h2fd3fbb_0.conda#822e8758f6e705c84b01480810eb24b6
+https://repo.anaconda.com/pkgs/main/osx-64/pip-21.1.3-py39hecd8cb5_0.conda#7bae540cbc7fdc9627b588c760b05e58
+https://repo.anaconda.com/pkgs/main/noarch/pyopenssl-20.0.1-pyhd3eb1b0_1.conda#ac62ddccf2e89f7a35867b2478a278af
+https://repo.anaconda.com/pkgs/main/noarch/urllib3-1.26.6-pyhd3eb1b0_1.conda#5c72bc4a5a4fc0420b0e73b3acb1f52b
+https://repo.anaconda.com/pkgs/main/noarch/requests-2.25.1-pyhd3eb1b0_0.conda#9d30b41b315403c7c74793b9b8d88580
+https://repo.anaconda.com/pkgs/main/osx-64/conda-4.10.3-py39hecd8cb5_0.tar.bz2#bc36833ee4a90c212e0695675bcfe120

tests/fixtures/conda-list-explicit-md5.txt

@@ -0,0 +1,38 @@
+# This file may be used to create an environment using:
+# $ conda create --name <env> --file <this file>
+# platform: osx-64
+@EXPLICIT
+https://repo.anaconda.com/pkgs/main/osx-64/ca-certificates-2021.7.5-hecd8cb5_1.conda
+https://repo.anaconda.com/pkgs/main/osx-64/libcxx-10.0.0-1.conda
+https://repo.anaconda.com/pkgs/main/noarch/tzdata-2021a-h52ac0ba_0.conda
+https://repo.anaconda.com/pkgs/main/osx-64/xz-5.2.5-h1de35cc_0.conda
+https://repo.anaconda.com/pkgs/main/osx-64/yaml-0.2.5-haf1e3a3_0.conda
+https://repo.anaconda.com/pkgs/main/osx-64/zlib-1.2.11-h1de35cc_3.conda
+https://repo.anaconda.com/pkgs/main/osx-64/libffi-3.3-hb1e8313_2.conda
+https://repo.anaconda.com/pkgs/main/osx-64/ncurses-6.2-h0a44026_1.conda
+https://repo.anaconda.com/pkgs/main/osx-64/openssl-1.1.1k-h9ed2024_0.conda
+https://repo.anaconda.com/pkgs/main/osx-64/tk-8.6.10-hb0a8c7a_0.conda
+https://repo.anaconda.com/pkgs/main/osx-64/readline-8.1-h9ed2024_0.conda
+https://repo.anaconda.com/pkgs/main/osx-64/sqlite-3.36.0-hce871da_0.conda
+https://repo.anaconda.com/pkgs/main/osx-64/python-3.9.5-h88f2d9e_3.conda
+https://repo.anaconda.com/pkgs/main/osx-64/certifi-2021.5.30-py39hecd8cb5_0.conda
+https://repo.anaconda.com/pkgs/main/osx-64/chardet-4.0.0-py39hecd8cb5_1003.conda
+https://repo.anaconda.com/pkgs/main/noarch/idna-2.10-pyhd3eb1b0_0.tar.bz2
+https://repo.anaconda.com/pkgs/main/osx-64/pycosat-0.6.3-py39h9ed2024_0.conda
+https://repo.anaconda.com/pkgs/main/noarch/pycparser-2.20-py_2.conda
+https://repo.anaconda.com/pkgs/main/osx-64/pysocks-1.7.1-py39hecd8cb5_0.conda
+https://repo.anaconda.com/pkgs/main/osx-64/python.app-3-py39h9ed2024_0.conda
+https://repo.anaconda.com/pkgs/main/osx-64/ruamel_yaml-0.15.100-py39h9ed2024_0.conda
+https://repo.anaconda.com/pkgs/main/noarch/six-1.16.0-pyhd3eb1b0_0.conda
+https://repo.anaconda.com/pkgs/main/noarch/tqdm-4.61.2-pyhd3eb1b0_1.conda
+https://repo.anaconda.com/pkgs/main/noarch/wheel-0.36.2-pyhd3eb1b0_0.conda
+https://repo.anaconda.com/pkgs/main/osx-64/cffi-1.14.6-py39h2125817_0.conda
+https://repo.anaconda.com/pkgs/main/osx-64/conda-package-handling-1.7.3-py39h9ed2024_1.conda
+https://repo.anaconda.com/pkgs/main/osx-64/setuptools-52.0.0-py39hecd8cb5_0.conda
+https://repo.anaconda.com/pkgs/main/osx-64/brotlipy-0.7.0-py39h9ed2024_1003.conda
+https://repo.anaconda.com/pkgs/main/osx-64/cryptography-3.4.7-py39h2fd3fbb_0.conda
+https://repo.anaconda.com/pkgs/main/osx-64/pip-21.1.3-py39hecd8cb5_0.conda
+https://repo.anaconda.com/pkgs/main/noarch/pyopenssl-20.0.1-pyhd3eb1b0_1.conda
+https://repo.anaconda.com/pkgs/main/noarch/urllib3-1.26.6-pyhd3eb1b0_1.conda
+https://repo.anaconda.com/pkgs/main/noarch/requests-2.25.1-pyhd3eb1b0_0.conda
+https://repo.anaconda.com/pkgs/main/osx-64/conda-4.10.3-py39hecd8cb5_0.tar.bz2