Scan conda lockfiles for CVEs

Drop a pinned conda ecosystem lockfile to check packages against OSV and NVD. Supports conda-lock YAML, mamba / pixi rattler locks, and explicit locks — with optional in-browser updates via mambajs.

How it works

conda-cve.tech reads a pinned conda ecosystem lockfile, lists every package and version, then checks public vulnerability databases. You get a per-package report with CVEs, severity, and whether each package was actually looked up.

  1. Parse the lockfile. Supports conda-lock YAML, mamba / pixi JSON, and conda explicit locks. Plain environment.yml files without pinned versions are not supported.
  2. Map conda packages to lookup targets. Python packages are mapped to their PyPI names with parselmouth (hash or channel name mapping) and queried on OSV.dev under the PyPI ecosystem.
  3. Scan native libraries via NVD. C/C++ style packages (e.g. openssl, zlib) with no PyPI mapping are matched to CPE names from Repology bindings, then looked up in NVD.
  4. Build the report. Each package lists CVEs (sorted by CVSS severity), advisory links, the lookup method, and coverage: whether OSV/NVD actually responded, so that an empty list is meaningful.
  5. Update lockfiles (optional). For mamba JSON, explicit, conda-lock YAML, or pixi/rattler locks, update selected packages or the whole environment in your browser via mambajs (using channels on prefix.dev or anaconda.org when the lock used them), then rescan for CVEs on the server.
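The pipeline above in miniature, as an added example (not conda-cve.tech's own code): it parses a constructed explicit lock, routes each package to OSV (PyPI) or NVD (CPE) using small constructed stand-ins for the parselmouth and Repology mappings, builds the OSV querybatch request body, and produces a report whose checked flag distinguishes "queried, nothing found" from "never looked up". No network calls are made; the database answers are constructed too, and the advisory id is a placeholder.

```python
import re

# Constructed sample lock in conda explicit format (@EXPLICIT header + package URLs).
# The md5 fragment after '#' is a made-up placeholder, not a real hash.
SAMPLE_EXPLICIT_LOCK = """\
# This file may be used to create an environment using:
# $ conda create --name <env> --file <this file>
@EXPLICIT
https://conda.anaconda.org/conda-forge/linux-64/openssl-3.1.4-hd590300_0.conda#md5placeholder
https://conda.anaconda.org/conda-forge/linux-64/zlib-1.2.13-hd590300_5.conda
https://conda.anaconda.org/conda-forge/noarch/requests-2.31.0-pyhd8ed1ab_0.conda
https://conda.anaconda.org/conda-forge/noarch/typing-extensions-4.8.0-pyha770c72_0.conda
https://conda.anaconda.org/conda-forge/linux-64/python-3.11.6-hab00c5b_0_cpython.conda
"""

# Constructed stand-ins for the two mapping tables the page describes:
# parselmouth (conda name -> PyPI name) and Repology bindings (conda name -> CPE).
CONDA_TO_PYPI = {"requests": "requests", "typing-extensions": "typing_extensions"}
CONDA_TO_CPE = {"openssl": "cpe:2.3:a:openssl:openssl", "zlib": "cpe:2.3:a:zlib:zlib"}

_ARCHIVE_EXT = re.compile(r"\.(conda|tar\.bz2)$")


def parse_explicit_lock(text):
    """Return [(name, version, build), ...] from an @EXPLICIT lock.

    Package file names follow <name>-<version>-<build>.<ext>; the name itself
    may contain hyphens, so the split is done from the right.
    """
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            lines.append(line)
    if not lines or lines[0] != "@EXPLICIT":
        raise ValueError("not an explicit lock: missing @EXPLICIT header")
    packages = []
    for url in lines[1:]:
        filename = url.split("#", 1)[0].rsplit("/", 1)[-1]  # drop '#md5', keep basename
        if not _ARCHIVE_EXT.search(filename):
            raise ValueError(f"unpinned or unrecognised entry: {url}")
        name, version, build = _ARCHIVE_EXT.sub("", filename).rsplit("-", 2)
        packages.append((name, version, build))
    return packages


def classify(packages):
    """Pick a lookup target per package: OSV on PyPI, NVD via CPE, or none."""
    targets = []
    for name, version, _build in packages:
        if name in CONDA_TO_PYPI:
            method, key = "osv-pypi", CONDA_TO_PYPI[name]
        elif name in CONDA_TO_CPE:
            method, key = "nvd-cpe", CONDA_TO_CPE[name]
        else:
            method, key = "none", None
        targets.append({"name": name, "version": version, "method": method, "key": key})
    return targets


def osv_querybatch_payload(targets):
    """Request body for POST https://api.osv.dev/v1/querybatch (PyPI-mapped packages only)."""
    return {"queries": [{"package": {"name": t["key"], "ecosystem": "PyPI"}, "version": t["version"]}
                        for t in targets if t["method"] == "osv-pypi"]}


def build_report(targets, responses):
    """Merge database answers into per-package rows.

    `responses` maps (method, key, version) -> list of advisories; the key is
    absent when that database was not queried (e.g. NVD disabled). A package is
    "checked" only when its database actually answered, so an empty CVE list
    means "queried, nothing reported" rather than "never looked up".
    """
    report = []
    for t in targets:
        answer = responses.get((t["method"], t["key"], t["version"]))
        report.append({
            "package": t["name"], "version": t["version"], "lookup": t["method"],
            "checked": answer is not None,
            "cves": [adv["id"] for adv in (answer or [])],
        })
    return report


def scan_sample(nvd_enabled=False):
    """Run the pipeline on the constructed lock with constructed database answers."""
    targets = classify(parse_explicit_lock(SAMPLE_EXPLICIT_LOCK))
    # Constructed answers: OSV replied for both PyPI packages; NVD only when enabled.
    responses = {
        ("osv-pypi", "requests", "2.31.0"): [{"id": "EXAMPLE-ADVISORY-1"}],  # placeholder id
        ("osv-pypi", "typing_extensions", "4.8.0"): [],
    }
    if nvd_enabled:
        responses[("nvd-cpe", "cpe:2.3:a:openssl:openssl", "3.1.4")] = []
        responses[("nvd-cpe", "cpe:2.3:a:zlib:zlib", "1.2.13")] = []
    return build_report(targets, responses)
```

With NVD "disabled" (the default here), openssl and zlib come back with checked set to False and an empty CVE list; that is exactly the "not checked" state the results section warns about, and it must not be read as "no known CVEs".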

Supported formats

  • conda-lock / *-lock.yml
  • mamba JSON (with a lockVersion field), rattler/pixi, conda-lock YAML, explicit; the format is detected from the content, not the file name
  • conda-lock explicit (@EXPLICIT + URLs, including *.conda.lock)

Reading the results

  • no known CVEs + checked coverage → databases were queried; nothing reported for that version.
  • not checked → scan incomplete (e.g. NVD disabled); do not assume the package is safe.
  • Large locks with many native packages are faster with NVD_API_KEY set on the server (request a key).

CVSS — Common Vulnerability Scoring System

CVSS is an industry standard that rates vulnerability severity on a scale from 0.0 to 10.0. Higher scores mean greater technical severity. conda-cve.tech shows scores and labels from NVD and OSV; it does not compute CVSS locally.

The base score describes the flaw itself (how exploitable, how bad the impact). It does not include your network exposure or compensating controls — use it to prioritize patches, not as the only risk signal.

  Rating    CVSS v3 base score   Typical meaning
  Critical  9.0 – 10.0           Exploitable with severe impact; patch urgently.
  High      7.0 – 8.9            Serious impact or easy exploitation; prioritize remediation.
  Medium    4.0 – 6.9            Moderate impact or harder to exploit; schedule a fix.
  Low       0.1 – 3.9            Limited impact; address when convenient.
  Unknown   no score             No CVSS score or label in the advisory yet.

Aliases such as MODERATE (NVD/OSV) are shown as Medium. Values like HIGH (7.5) mean severity band High with base score 7.5. Unknown means no CVSS data was published for that advisory yet.
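How the labels described above can be normalised and used to order a package's advisories, as an added example (not conda-cve.tech's own code): it turns a raw severity string such as HIGH (7.5), MODERATE or a bare 9.8 into a (band, score) pair using the table above, and sorts advisories highest band first, scored before unscored, Unknown last. The advisory ids and severities are constructed placeholders.

```python
import re

# Band order used for sorting: lower rank sorts first.
BAND_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Unknown": 4}

# Label aliases seen in NVD/OSV data; MODERATE is shown as Medium.
ALIASES = {"CRITICAL": "Critical", "HIGH": "High", "MEDIUM": "Medium",
           "MODERATE": "Medium", "LOW": "Low"}

# Optional word, optional score in optional parentheses: "HIGH (7.5)", "MODERATE", "9.8".
_LABEL = re.compile(r"\s*([A-Za-z]+)?\s*(?:\(?\s*(\d+(?:\.\d+)?)\s*\)?)?\s*")


def band_for_score(score):
    """Map a CVSS v3 base score to the band in the table; out-of-table values are Unknown."""
    if score is None:
        return "Unknown"
    if 9.0 <= score <= 10.0:
        return "Critical"
    if 7.0 <= score < 9.0:
        return "High"
    if 4.0 <= score < 7.0:
        return "Medium"
    if 0.1 <= score < 4.0:
        return "Low"
    return "Unknown"  # 0.0 or malformed: the table assigns no band


def parse_severity(label):
    """'HIGH (7.5)' -> ('High', 7.5); 'MODERATE' -> ('Medium', None); None -> ('Unknown', None)."""
    if not label:
        return "Unknown", None
    m = _LABEL.fullmatch(label)
    if m is None:
        return "Unknown", None
    word = (m.group(1) or "").upper()
    score = float(m.group(2)) if m.group(2) else None
    # A recognised word wins; otherwise derive the band from the score.
    band = ALIASES.get(word) or band_for_score(score)
    return band, score


def sort_by_severity(advisories):
    """Highest band first, then highest score, then id; unscored entries after scored ones in a band."""
    def key(adv):
        band, score = parse_severity(adv.get("severity"))
        return (BAND_RANK[band], 0 if score is not None else 1, -(score or 0.0), adv["id"])
    return sorted(advisories, key=key)


# Constructed advisory list with placeholder ids, as a package card might receive it.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0003", "severity": "MODERATE"},
    {"id": "EXAMPLE-0001", "severity": "HIGH (7.5)"},
    {"id": "EXAMPLE-0004", "severity": None},
    {"id": "EXAMPLE-0002", "severity": "9.8"},
    {"id": "EXAMPLE-0005", "severity": "LOW (2.1)"},
]


def sorted_sample_ids():
    """Ids of the constructed advisories in display order."""
    return [adv["id"] for adv in sort_by_severity(SAMPLE_ADVISORIES)]
```

Keeping Unknown at the bottom rather than dropping it matters: an advisory with no published score is still an advisory, and sorting it below a Low entry is a presentation choice, not a statement that it is less severe.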

REST API

Automate scans with HTTP JSON. The UI uses the same POST /v1/scan endpoint as curl and CI jobs. An OpenAPI JSON schema is served by the API.

Endpoints

  Method  Path           Description
  GET     /health        Liveness check ({ "status": "ok" })
  GET     /openapi.json  OpenAPI 3 schema
  POST    /v1/scan       Scan a lockfile and return a JSON report

Provide a lockfile (pick one)

  • Upload: multipart form field lockfile
  • URL: JSON or form field url (https://…)
  • Inline: JSON field content holding the lockfile text as a string

Quick example (BASE is the server's base URL)

curl -F lockfile=@conda-lock.yml BASE/v1/scan

Remote URL: curl -H 'Content-Type: application/json' -d '{"url":"https://…"}' BASE/v1/scan
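A small client for the three input modes above, as an added example (not conda-cve.tech's own code): each function returns a prepared urllib request for POST /v1/scan, and run_scan sends one and decodes the JSON report. The base URL is an assumption; the response schema is whatever the server returns and is not interpreted here.

```python
import json
import urllib.request

# Assumption: the service base URL (the BASE placeholder in the curl examples).
BASE = "https://conda-cve.tech"
SCAN_URL = f"{BASE}/v1/scan"


def scan_request_upload(filename, data, boundary="conda-cve-scan-boundary"):
    """Mode 1: multipart/form-data upload with the file bytes in field `lockfile`."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="lockfile"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    body = head + data + f"\r\n--{boundary}--\r\n".encode()
    return urllib.request.Request(
        SCAN_URL, data=body, method="POST",
        headers={"Content-Type": f"multipart/form-data; boundary={boundary}"},
    )


def _json_request(payload):
    return urllib.request.Request(
        SCAN_URL, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json"},
    )


def scan_request_url(lock_url):
    """Mode 2: ask the server to fetch a public http(s) URL."""
    if not lock_url.startswith(("http://", "https://")):
        raise ValueError("url must be a public http(s) URL")
    return _json_request({"url": lock_url})


def scan_request_inline(lock_text):
    """Mode 3: send the lockfile text inline in the JSON `content` field."""
    return _json_request({"content": lock_text})


def run_scan(request, timeout=120):
    """Send a prepared request and decode the JSON report (this is the only network call)."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Usage: python scan_client.py conda-lock.yml
    import sys
    with open(sys.argv[1], "rb") as fh:
        report = run_scan(scan_request_upload(sys.argv[1], fh.read()))
    print(json.dumps(report, indent=2))
```

For CI, the inline mode avoids committing a lockfile to a public URL, and the upload mode is the one to use for locks larger than a JSON string comfortably carries.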

Select packages on each card, or use Update entire environment to re-solve all root specs (unpinned) to the latest compatible versions. Supported lock formats can be updated in the browser with mambajs; CVE rescan uses the server.