Modifiers in Conda package URL not handled by OSS Index

[riccardoporreca]

I am trying to use jake to query vulnerabilties of conda package as listed from an environment.

This constructs a Conda packge URL (purl) as described in https://github.com/package-url/purl-spec/blob/f729aec79e3e13ac709d6675788634e53fe4d571/PURL-TYPES.rst#conda, which includes a number of qualifiers, e.g.

pkg:conda/[email protected]?build=py36h06a4308_0&channel=main&subdir=linux-64&type=tar.bz2

However, the OSS index component report (and underlying API) are not able to retrieve vulnerabilities maintained in the OSS index agnostic of such modifiers, i.e. for pkg:conda/pkg-name@version only

Example

from ossindex.ossindex import OssIndex
from ossindex.model import Vulnerability, OssIndexComponent
from packageurl import PackageURL
o = OssIndex()
results: list[OssIndexComponent] = o.get_component_report(packages=[
    PackageURL.from_string(purl='pkg:pypi/[email protected]'),
    PackageURL.from_string(purl='pkg:conda/[email protected]?build=py39h295c915_0&channel=main&subdir=linux-64&type=conda'),
    PackageURL.from_string(purl='pkg:conda/[email protected]'),
])
for r in results:
    print("{}: {} known vulnerabilities".format(r.coordinates, len(r.vulnerabilities)))
    v: Vulnerability
    for v in r.vulnerabilities:
        print('    - {}'.format(str(v)))

yields

pkg:pypi/[email protected]: 1 known vulnerabilities
    - <Vulnerability id=CVE-2020-13091, name=CVE-2020-13091, cvss_score=9.8>
pkg:conda/[email protected]?build=py39h295c915_0&channel=main&subdir=linux-64&type=conda: 0 known vulnerabilities
pkg:conda/[email protected]: 1 known vulnerabilities
    - <Vulnerability id=CVE-2020-13091, name=CVE-2020-13091, cvss_score=9.8>

[riccardoporreca]

This might be a (known) limitation of the OSS index for conda packages, where vulnerabilities are not maintained for the fully-qualified package URL. If that is the case, one might use only the pkg:conda/pkg-name@version part when using the OSS Index API