feat: SBOM from conda-lock.yml file #594

Closed
tboutelier opened this issue Oct 12, 2023 · 7 comments
Labels
enhancement New feature or request source: conda

Comments

@tboutelier

Everything is in the title!
I am using conda-lock to build my python application. Right now, I can launch cyclone on the environment created thanks to the conda-lock file. But it would be nice to be able to make it directly from the conda-lock file.

Any chance this feature will come one day?

Best

@jkowalleck jkowalleck added the enhancement New feature or request label Oct 12, 2023
@jkowalleck jkowalleck changed the title Feature-request: Generate SBOM from conda-lock.yml file feat: SBOM from conda-lock.yml file Oct 12, 2023
@jkowalleck
Member

jkowalleck commented Oct 12, 2023

💭 Parsing a lockfile is always a tricky situation, since the proprietary lockfile data format is owned by a third party.
If conda decided to change their data format, we would need to adapt ... and this could start a chase and maintenance run.
We could utilize official lockfile parsers, but still, there might be a "better" way:

Why not bring the wish/need/topic for CycloneDX SBOM to the @conda team themselves, so they could implement it as a CLI tool feature and maintain it as needed.
Nowadays, package managers know that SBOM is a thing; they are waiting for a community request to justify the effort of implementation ;-)
We, the CycloneDX team, have already had good experience with this approach: community members made the first request to the ecosystems, and then we supported the package manager developers and ecosystem maintainers on their way to getting CycloneDX SBOM as a first-party feature.
(see npm and conan2)

If the @conda people don't see a need for this topic or don't want to provide the feature themselves (because it is already a paid business case), then sure, come back so we can discuss a possible solution implemented in cyclonedx-python/cyclonedx-bom.

This being said, @tboutelier, please keep us updated if you get in contact with @conda

PS: the CycloneDX community is proud of their own solutions and implementations to get ecosystems enabled to do proper supply chain assessment, and we will continue doing so. We also love to see ecosystems adopting the topic. 🚀

@jkowalleck
Member

@bollwyvl
@conda (@costrouc @dbast @FFY00 @jakirkham @jezdez @LtDan33 @marcelotrevisani @mbargull @trallard)
do you have insights how to approach the idea of CycloneDX SBOM being an official conda CLI feature?

@tboutelier
Author

This is a good idea, I'm going to do that. I think it will need a little bit more than one request to make them move, but at least it is a start!

Any suggestion on how I should formulate this request?

@marcelotrevisani

I believe this can be added as a plugin for conda. But in my view it should not be part of conda itself.

Please see

https://docs.conda.io/projects/conda/en/latest/dev-guide/plugins/index.html

@riccardoporreca

@tboutelier, I have been addressing the same need by using conda-lock render to get an explicit file from the full YAML lockfile. This is what you can feed cyclonedx-py --conda with.
Hope this helps
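The workaround above (render the conda-lock YAML to an explicit file, then feed it to `cyclonedx-py --conda`) depends on parsing conda's explicit lockfile format. As an added example that is not cyclonedx-bom's own code, here is a stdlib-only parser for that format which builds CycloneDX-style components with conda purls and flags packages recorded without a checksum; the sample lockfile and its hashes are constructed, not real package data.

```python
"""Parse a conda "explicit" lockfile (written by `conda list --explicit` or
`conda-lock render`) into CycloneDX-style component dicts. Added example, not
cyclonedx-bom's code; the sample below is constructed with dummy checksums."""
import re
from urllib.parse import urlencode, urlsplit

# Constructed sample. One package URL per line; the '#' fragment is the md5
# checksum conda verifies on download. The last entry deliberately lacks one.
SAMPLE_EXPLICIT = """\
# platform: linux-64
@EXPLICIT
https://conda.anaconda.org/conda-forge/linux-64/_libgcc_mutex-0.1-conda_forge.tar.bz2#0123456789abcdef0123456789abcdef
https://conda.anaconda.org/conda-forge/noarch/tzdata-2023c-h71feb2d_0.conda#fedcba9876543210fedcba9876543210
https://conda.anaconda.org/conda-forge/linux-64/python-3.11.6-hab00c5b_0_cpython.conda
"""
_ARCHIVE = re.compile(r"^(?P<stem>.+)\.(?P<ext>tar\.bz2|conda)$")

def parse_explicit_line(line: str) -> dict:
    """Map one package URL to a component dict with a conda purl and hashes."""
    url = urlsplit(line.strip())
    parts = url.path.strip("/").split("/")  # .../<channel>/<subdir>/<filename>
    match = _ARCHIVE.match(parts[-1]) if len(parts) >= 3 else None
    if url.scheme not in ("http", "https") or match is None:
        raise ValueError(f"not a conda package URL: {line!r}")
    channel, subdir = parts[-3], parts[-2]
    # Filenames are <name>-<version>-<build>; the name itself may contain '-'.
    name, version, build = match.group("stem").rsplit("-", 2)
    qualifiers = {"build": build, "channel": channel, "subdir": subdir,
                  "type": match.group("ext")}
    component = {"type": "library", "name": name, "version": version,
                 "purl": f"pkg:conda/{name}@{version}?{urlencode(qualifiers)}",
                 "hashes": []}
    if re.fullmatch(r"[0-9a-f]{32}", url.fragment):  # md5 is what conda uses here
        component["hashes"].append({"alg": "MD5", "content": url.fragment})
    return component

def parse_explicit(text: str) -> list:
    """Parse a whole file, refusing input that lacks the @EXPLICIT marker."""
    body = [l.strip() for l in text.splitlines()]
    body = [l for l in body if l and not l.startswith("#")]
    if not body or body[0] != "@EXPLICIT":
        raise ValueError("not an explicit conda lockfile (missing @EXPLICIT)")
    return [parse_explicit_line(l) for l in body[1:]]

def unverifiable(components: list) -> list:
    """Names of packages recorded without a checksum: the lockfile alone cannot
    attest their integrity, so flag them in SBOM review."""
    return [c["name"] for c in components if not c["hashes"]]
```

Running `parse_explicit(SAMPLE_EXPLICIT)` yields three components; `unverifiable` reports `python`, the entry whose URL carries no checksum.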

@jkowalleck
Member

FYI: conda support will be dropped. See #622.

@jkowalleck
Member

jkowalleck commented Dec 25, 2023

This feature will be part of the next/upcoming major release.
Changelog: see #605
Install via: pip install cyclonedx-bom==4.0.0rc1

Conda as a Package Manager is no longer supported since version 4.
However, conda's Python environments are fully supported via the other methods of this tool.
