🐛 Handle osvscanner errors on projects with no dependencies (#3803)

* handle osv errors for projects without packages Signed-off-by: Spencer Schrock <sschrock@google.com> * make test parallel Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>
ossf · Jan 19, 2024 · b556d93 · b556d93
1 parent 51f1732
commit b556d93
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/clients/osv.go b/clients/osv.go
@@ -56,7 +56,9 @@ func (v osvClient) ListUnfixedVulnerabilities(
 
 	response := VulnerabilitiesResponse{}
 
-	if err == nil { // No vulns found
+	// either no vulns found, or no packages detected by osvscanner, which likely means no vulns
+	// while there could still be vulns, not detecting any packages shouldn't be a runtime error.
+	if err == nil || errors.Is(err, osvscanner.NoPackagesFoundErr) {
 		return response, nil
 	}
 

diff --git a/clients/osv_test.go b/clients/osv_test.go
@@ -14,6 +14,7 @@
 package clients
 
 import (
+	"context"
 	"reflect"
 	"testing"
 )
@@ -46,3 +47,14 @@ func TestRemoveDuplicate(t *testing.T) {
 		})
 	}
 }
+
+func TestEmptyProject(t *testing.T) {
+	t.Parallel()
+	var client osvClient
+	var commit string
+	emptyDir := t.TempDir()
+	_, err := client.ListUnfixedVulnerabilities(context.Background(), commit, emptyDir)
+	if err != nil {
+		t.Fatalf("empty directory shouldn't throw an error: %v", err)
+	}
+}