Description
I'm interested in building a plugin that would run a scan of the packages solved for during install, and identify any known CVEs for those packages before install. Ideally the plugin would be configured to either prevent install of packages that were found vulnerable, or alert the user and ask if they want to proceed. This stems from a need to prevent vulnerable installations as much as possible, at least while there are known CVEs for those packages.
Unfortunately, I'm new to the conda plugin world, so a bit of guidance would be helpful. Namely, what entry point/hook would be useful for this kind of project? I would love to start building this, but I'm unsure if there is a way to do so without modifying a solver plugin.
In the event that this does need to apply to a solver, would opening an enhancement issue in the mamba solver plugin be a better choice?
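The block-or-prompt decision described in this issue can be sketched independently of whichever conda hook ends up supplying the solved package list. This is an added example, not part of the original issue and not conda or plugin code; `Advisory`, `is_affected`, `findings`, `gate`, the advisory record layout and the numeric-only version parsing are all assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Advisory:  # hypothetical record; a real advisory feed would supply these
    cve_id: str
    package: str
    introduced: str           # first affected version, inclusive
    fixed: Optional[str]      # first fixed version, exclusive; None = no fix yet

def _key(version):
    # Assumption: plain dotted numeric versions; anything else raises ValueError.
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()           # so "1.2" and "1.2.0" compare equal
    return tuple(parts)

def is_affected(version, adv):
    try:
        v = _key(version)
    except ValueError:
        return True           # fail closed: cannot prove the build is outside the range
    if v < _key(adv.introduced):
        return False
    return adv.fixed is None or v < _key(adv.fixed)

def findings(solved, advisories):
    """solved: (name, version) pairs chosen by the solver."""
    return [(name, version, adv.cve_id)
            for name, version in solved
            for adv in advisories
            if adv.package == name.lower() and is_affected(version, adv)]

def gate(solved, advisories, mode="block", confirm=lambda hits: False):
    """Return (proceed, hits). mode is 'block' or 'prompt'."""
    hits = findings(solved, advisories)
    if not hits:
        return True, hits
    if mode == "prompt":
        return bool(confirm(hits)), hits   # caller asks the user
    return False, hits                      # 'block' and any unknown mode

# Constructed sample data: placeholder CVE ids and package names.
ADVISORIES = [Advisory("CVE-XXXX-0001", "examplelib", "1.0", "1.4.2"),
              Advisory("CVE-XXXX-0002", "otherlib", "2.0", None)]
SOLVED = [("examplelib", "1.3.0"), ("otherlib", "1.9"), ("safe-pkg", "0.1")]

if __name__ == "__main__":
    print(gate(SOLVED, ADVISORIES, mode="block"))
```

An unrecognised `mode` and an unparseable version both resolve toward refusing the install, so a misconfiguration cannot silently disable the check.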