Merge pull request #38 from CycloneDX/feat/conda-support

feat: add support for Conda

Author: madpah

README.md

@@ -49,6 +49,8 @@ You can use one of the parsers to obtain information about your project or envir
 
 | Parser | Class / Import | Description |
 | ------- | ------ | ------ |
+| CondaListJsonParser | `from cyclonedx.parser.conda import CondaListJsonParser` | Parses input provided as a `str` that is output from `conda list --json` |
+| CondaListExplicitParser | `from cyclonedx.parser.conda import CondaListExplicitParser` | Parses input provided as a `str` that is output from `conda list --explicit` or `conda list --explicit --md5` |
 | Environment | `from cyclonedx.parser.environment import EnvironmentParser` | Looks at the packaged installed in your current Python environment. |
 | PipEnvParser | `from cyclonedx.parser.pipenv import PipEnvParser` | Parses `Pipfile.lock` content passed in as a string. |
 | PipEnvFileParser | `from cyclonedx.parser.pipenv import PipEnvFileParser` | Parses the `Pipfile.lock` file at the supplied path. |
@@ -194,6 +196,11 @@ _Note: We refer throughout using XPath, but the same is true for both XML and JS
          <td>Y</td><td>Y</td><td>Y</td><td>Y</td>
          <td>&nbsp;</td>
       </tr>
+      <tr>
+         <td><code>./externalReferences</code></td>
+         <td>Y</td><td>Y</td><td>Y</td><td>N/A</td>
+         <td>Not all Parsers have this information. It will be populated where there is information available.</td>
+      </tr>
       <tr>
          <td><code>./hashes</code></td>
          <td>Y</td><td>Y</td><td>Y</td><td>Y</td>

cyclonedx/parser/__init__.py

@@ -24,28 +24,28 @@
 information is obtained by each set of Parsers. It does NOT guarantee the information is output in the resulting
 CycloneDX BOM document.
 
-| Data Path | Environment | Pipenv | Poetry | Requirements |
+| Data Path | Conda | Environment | Pipenv | Poetry | Requirements |
 | ----------- | ----------- | ----------- | ----------- | ----------- |
-| `component.supplier` | N (if in package METADATA) | N/A | | |
-| `component.author` | Y (if in package METADATA) | N/A | | |
-| `component.publisher` | N (if in package METADATA) | N/A | | |
-| `component.group` | - | - | - | - |
-| `component.name` | Y | Y | Y | Y |
-| `component.version` | Y | Y | Y | Y |
-| `component.description` | N | N/A | N | N/A |
-| `component.scope` | N | N/A | N | N/A |
-| `component.hashes` | N/A | Y - see below (1) | Y - see below (1) | N/A |
-| `component.licenses` | Y (if in package METADATA) | N/A | N/A | N/A |
-| `component.copyright` | N (if in package METADATA) | N/A | N/A | N/A |
-| `component.cpe` | _Deprecated_ | _Deprecated_ | _Deprecated_ | _Deprecated_ |
-| `component.purl` | Y | Y | Y | Y |
-| `component.swid` | N/A | N/A | N/A | N/A |
-| `component.modified` | _Deprecated_ | _Deprecated_ | _Deprecated_ | _Deprecated_ |
-| `component.pedigree` | N/A | N/A | N/A | N/A |
-| `component.externalReferences` | N/A | Y - see below (1) | Y - see below (1) | N/A |
-| `component.properties` | N/A | N/A | N/A | N/A |
-| `component.components` | N/A | N/A | N/A | N/A |
-| `component.evidence` | N/A | N/A | N/A | N/A |
+| `component.supplier` | N | N (if in package METADATA) | N/A | | |
+| `component.author` | N | Y (if in package METADATA) | N/A | | |
+| `component.publisher` | N | N (if in package METADATA) | N/A | | |
+| `component.group` | - | - | - | - | - |
+| `component.name` | Y |Y | Y | Y | Y |
+| `component.version` | Y |Y | Y | Y | Y |
+| `component.description` | N |N | N/A | N | N/A |
+| `component.scope` | N |N | N/A | N | N/A |
+| `component.hashes` | Y - see below (2) | N/A | Y - see below (1) | Y - see below (1) | N/A |
+| `component.licenses` | N | Y (if in package METADATA) | N/A | N/A | N/A |
+| `component.copyright` | N |N (if in package METADATA) | N/A | N/A | N/A |
+| `component.cpe` | _Deprecated_ |_Deprecated_ | _Deprecated_ | _Deprecated_ | _Deprecated_ |
+| `component.purl` | Y |Y | Y | Y | Y |
+| `component.swid` | N/A |N/A | N/A | N/A | N/A |
+| `component.modified` | _Deprecated_ |_Deprecated_ | _Deprecated_ | _Deprecated_ | _Deprecated_ |
+| `component.pedigree` | N/A |N/A | N/A | N/A | N/A |
+| `component.externalReferences` | Y - see below (3) | N/A | Y - see below (1) | Y - see below (1) | N/A |
+| `component.properties` | N/A | N/A | N/A | N/A | N/A |
+| `component.components` | N/A | N/A | N/A | N/A | N/A |
+| `component.evidence` | N/A | N/A | N/A | N/A | N/A |
 
 **Legend:**
 
@@ -61,6 +61,9 @@
     supports only a single set of hashes identifying a single artefact at `component.hashes`. To cater for this
     situation in Python, we add the hashes to `component.externalReferences`, as we cannot determine which package was
     actually obtained and installed to meet a given dependency.
+2. MD5 hashses are available when using the `CondaListExplicitParser` with output from the conda command
+    `conda list --explicit --md5` only.
+3. For Conda, we provide a link to the registry as provided in the Conda output.
 
 """
 

cyclonedx/parser/conda.py

@@ -0,0 +1,97 @@
+# encoding: utf-8
+
+# This file is part of CycloneDX Python Lib
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+import json
+from abc import abstractmethod
+from typing import List
+
+from . import BaseParser
+from ..model import ExternalReference, ExternalReferenceType
+from ..model.component import Component
+from ..utils.conda import parse_conda_json_to_conda_package, parse_conda_list_str_to_conda_package, CondaPackage
+
+
+class _BaseCondaParser(BaseParser):
+    """
+    Internal abstract parser - not for programatic use.
+
+    """
+    def __init__(self, conda_data: str):
+        super().__init__()
+        self._conda_packages: List[CondaPackage] = []
+        self._parse_to_conda_packages(data_str=conda_data)
+        self._conda_packages_to_components()
+
+    @abstractmethod
+    def _parse_to_conda_packages(self, data_str: str):
+        """
+        Abstract method for implementation by concrete Conda Parsers
+
+        Params:
+            data_str:
+                `str` data passed into the Parser
+
+        Returns:
+            A `list` of `CondaPackage` instances parsed.
+        """
+        pass
+
+    def _conda_packages_to_components(self):
+        """
+        Converts the parsed `CondaPackage` instances into `Component` instances.
+
+        """
+        for conda_package in self._conda_packages:
+            c = Component(
+                name=conda_package['name'], version=str(conda_package['version'])
+            )
+            c.add_external_reference(ExternalReference(
+                reference_type=ExternalReferenceType.DISTRIBUTION,
+                url=conda_package['base_url'],
+                comment=f"Distribution name {conda_package['dist_name']}"
+            ))
+
+            self._components.append(c)
+
+
+class CondaListJsonParser(_BaseCondaParser):
+    """
+    This parser is intended to receive the output from the command `conda list --json`.
+    """
+
+    def _parse_to_conda_packages(self, data_str: str):
+        conda_list_content = json.loads(data_str)
+
+        for package in conda_list_content:
+            conda_package = parse_conda_json_to_conda_package(conda_json_str=json.dumps(package))
+            if conda_package:
+                self._conda_packages.append(conda_package)
+
+
+class CondaListExplicitParser(_BaseCondaParser):
+    """
+    This parser is intended to receive the output from the command `conda list --explicit` or
+    `conda list --explicit --md5`.
+    """
+
+    def _parse_to_conda_packages(self, data_str: str):
+        for line in data_str.replace('\r\n', '\n').split('\n'):
+            line = line.strip()
+            conda_package = parse_conda_list_str_to_conda_package(conda_list_str=line)
+            if conda_package:
+                self._conda_packages.append(conda_package)

cyclonedx/utils/__init__.py

@@ -0,0 +1,122 @@
+# encoding: utf-8
+
+# This file is part of CycloneDX Python Lib
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+import json
+import sys
+from json import JSONDecodeError
+from typing import Union
+
+if sys.version_info >= (3, 8, 0):
+    from typing import TypedDict
+else:
+    from typing_extensions import TypedDict
+
+from urllib.parse import urlparse
+
+
+class CondaPackage(TypedDict):
+    """
+    Internal package for unifying Conda package definitions to.
+    """
+    base_url: str
+    build_number: int
+    build_string: str
+    channel: str
+    dist_name: str
+    name: str
+    platform: str
+    version: str
+    md5_hash: str
+
+
+def parse_conda_json_to_conda_package(conda_json_str: str) -> Union[CondaPackage, None]:
+    try:
+        package_data = json.loads(conda_json_str)
+    except JSONDecodeError:
+        print(f'Failed to decode JSON: {conda_json_str}')
+        raise ValueError(f'Invalid JSON supplied - cannot be parsed: {conda_json_str}')
+
+    if 'md5_hash' not in package_data.keys():
+        package_data['md5_hash'] = None
+
+    if isinstance(package_data, dict):
+        return CondaPackage(**package_data)
+
+    return None
+
+
+def parse_conda_list_str_to_conda_package(conda_list_str: str) -> Union[CondaPackage, None]:
+    """
+    Helper method for parsing a line of output from `conda list --explicit` into our internal `CondaPackage` object.
+
+    Params:
+        conda_list_str:
+            Line of output from `conda list --explicit`
+
+    Returns:
+        Instance of `CondaPackage` else `None`.
+    """
+
+    line = conda_list_str.strip()
+
+    if line[0:1] == '#' or line[0:1] == '@' or len(line) == 0:
+        # Skip comments, @EXPLICT or empty lines
+        return None
+
+    # Remove any hash
+    package_hash: str = None
+    if '#' in line:
+        hash_parts = line.split('#')
+        if len(hash_parts) > 1:
+            package_hash = hash_parts.pop()
+            line = ''.join(hash_parts)
+
+    package_parts = line.split('/')
+    package_name_version_build_string = package_parts.pop()
+    package_arch = package_parts.pop()
+    package_url = urlparse('/'.join(package_parts))
+
+    try:
+        package_nvbs_parts = package_name_version_build_string.split('-')
+        build_number_with_opt_string = package_nvbs_parts.pop()
+        if '.' in build_number_with_opt_string:
+            # Remove any .conda at the end if present or other package type eg .tar.gz
+            pos = build_number_with_opt_string.find('.')
+            build_number_with_opt_string = build_number_with_opt_string[0:pos]
+
+        if '_' in build_number_with_opt_string:
+            bnbs_parts = build_number_with_opt_string.split('_')
+            if len(bnbs_parts) == 2:
+                build_number = int(bnbs_parts.pop())
+                build_string = build_number_with_opt_string
+            else:
+                raise ValueError(f'Unexpected build version string for Conda Package: {conda_list_str}')
+        else:
+            build_string = None
+            build_number = int(build_number_with_opt_string)
+
+        build_version = package_nvbs_parts.pop()
+        package_name = '-'.join(package_nvbs_parts)
+    except IndexError as e:
+        raise ValueError(f'Error parsing {package_nvbs_parts} from {conda_list_str} IndexError: {str(e)}')
+
+    return CondaPackage(
+        base_url=package_url.geturl(), build_number=build_number, build_string=build_string,
+        channel=package_url.path[1:], dist_name=f'{package_name}-{build_version}-{build_string}',
+        name=package_name, platform=package_arch, version=build_version, md5_hash=package_hash
+    )

cyclonedx/utils/conda.py

@@ -41,8 +41,9 @@ python = "^3.6"
 packageurl-python = "^0.9.4"
 requirements_parser = "^0.2.0"
 setuptools = "^50.3.2"
-importlib-metadata = "^4.8.1"
+importlib-metadata = { version = "^4.8.1", python = "~3.6 | ~3.7" }
 toml = "^0.10.2"
+typing-extensions = { version = "^3.10.0", python = "~3.6 | ~3.7" }
 
 [tool.poetry.dev-dependencies]
 tox = "^3.24.3"