[BUG] Conda scanner not recognizing known vulnerability #150

@vramirez333

Description

Describe the bug
I can't get the Jake conda scanner to recognize known vulnerabilities. Based on a screenshot from this Jake-Sonatype documentation (https://blog.sonatype.com/how-to-easily-identify-conda-vulnerabilities-using-sonatype-jake), I should get a vulnerability when I scan for this Conda dependency: openssl@1.1.1d. However, when I run the scanner, there are zero vulnerabilities found.

Please help me reproduce this or any other conda dependency vulnerabilities.

To Reproduce
Steps to reproduce the behavior:

  1. Convert this environment.yml file to a conda explicit list:

     name: jake-test
     channels:
       - conda-forge
       - defaults
     dependencies:
       - openssl=1.1.1d

  2. Once the conda explicit list is available (env.txt), run the Jake conda scanner against it using the following command:

     jake -w ddt -t CONDA -f "env.txt"

  3. The Jake conda scanner results will show 6 Audited Vulnerabilities and 0 Vulnerabilities Found.

Expected behavior
Based on the Sonatype documentation in the link shared above, I expect the Jake conda scanner to return at least 1 Vulnerability Found in the scan results.

Screenshots
Screenshot from the Sonatype link, showing the known vulnerability:
[screenshot: MicrosoftTeams-image (14)]

Here are my actual results showing no vulnerabilities. The results are from an Azure DevOps pipeline:
[screenshot: actual scan results]

Here is what the env.txt file looks like:
[screenshot: env.txt contents]

Desktop (please complete the following information):
- conda version 23.11.0
- running code in Azure DevOps

Additional context
My goal is to reproduce any vulnerabilities using Jake's Conda scanner.
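Before concluding that the scanner is missing a vulnerability, it is worth confirming what package coordinates the explicit list actually carries, since a `conda list --explicit` file names each package only through its download URL. The following is an added example, not jake's own parser and not taken from the reporter's env.txt: it parses a constructed explicit list, derives name, version, build, channel and subdir from each URL, renders them as Package URLs in the purl spec's `pkg:conda/...` form, and checks whether the expected openssl 1.1.1d entry is present. Everything it reports about jake's behaviour is left to jake; the script only shows what the input file contains.

```python
"""Parse a `conda list --explicit` file and show the coordinates (Package URLs)
each entry resolves to, so you can check that the dependency you expect to be
flagged (openssl 1.1.1d) is really in the file handed to the scanner.

Added example for this issue; it is not part of jake. The purl layout follows
the purl spec's conda type. SAMPLE_EXPLICIT is constructed for the example and
is not the reporter's env.txt.
"""
import re
from urllib.parse import urlparse

# Constructed sample in the shape `conda list --explicit` emits: comment lines,
# the @EXPLICIT marker, then one package URL per line (optionally with #md5).
SAMPLE_EXPLICIT = """\
# This file may be used to create an environment using:
# $ conda create --name <env> --file <this file>
# platform: linux-64
@EXPLICIT
https://conda.anaconda.org/conda-forge/linux-64/ca-certificates-2019.11.28-hecc5488_0.tar.bz2#abc123
https://conda.anaconda.org/conda-forge/linux-64/openssl-1.1.1d-h516909a_0.tar.bz2
https://repo.anaconda.com/pkgs/main/noarch/tzdata-2023c-h04d1e81_0.conda
"""

# Conda package filenames are <name>-<version>-<build>.<ext>; name may contain
# hyphens, version and build may not, so the last two hyphens are the splits.
_FILENAME_RE = re.compile(
    r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<build>[^-]+)\.(?P<ext>tar\.bz2|conda)$"
)


def parse_explicit(text):
    """Return one dict per package URL in an explicit list.

    Raises ValueError if the @EXPLICIT marker is missing (the file is then a
    plain `conda list` export, not an explicit list) or a filename does not
    follow the conda naming scheme.
    """
    lines = [line.strip() for line in text.splitlines()]
    if "@EXPLICIT" not in lines:
        raise ValueError("not an explicit list: missing @EXPLICIT marker")
    pkgs = []
    for line in lines:
        if not line or line.startswith("#") or line == "@EXPLICIT":
            continue
        url = line.split("#", 1)[0]  # drop a trailing #<md5> checksum
        parts = urlparse(url).path.strip("/").split("/")
        match = _FILENAME_RE.match(parts[-1])
        if match is None:
            raise ValueError(f"unrecognised package filename: {parts[-1]}")
        pkgs.append({
            "name": match["name"],
            "version": match["version"],
            "build": match["build"],
            "type": match["ext"],
            "subdir": parts[-2],    # e.g. linux-64, noarch
            "channel": parts[-3],   # e.g. conda-forge, or main for /pkgs/main
        })
    return pkgs


def to_purl(pkg):
    """Render a parsed entry as a purl (qualifiers in canonical alphabetical order)."""
    return (
        f"pkg:conda/{pkg['name']}@{pkg['version']}"
        f"?build={pkg['build']}&channel={pkg['channel']}"
        f"&subdir={pkg['subdir']}&type={pkg['type']}"
    )


def find(pkgs, name, version):
    """Entries matching an exact name and version (empty list if absent)."""
    return [p for p in pkgs if p["name"] == name and p["version"] == version]


if __name__ == "__main__":
    packages = parse_explicit(SAMPLE_EXPLICIT)
    for pkg in packages:
        print(to_purl(pkg))
    hits = find(packages, "openssl", "1.1.1d")
    print("openssl 1.1.1d present:", bool(hits))
```

Run it against the real env.txt by replacing SAMPLE_EXPLICIT with the file's contents; if the expected openssl line is absent, or the channel and build differ from what the Sonatype screenshot shows, the difference is in the environment that was exported rather than in the scanner.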
