Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🐛 Give inconclusive Vulnerabilities score when osv-scanner panics #2896

Merged
merged 3 commits into from
Apr 24, 2023

Conversation

spencerschrock
Copy link
Member

What kind of change does this PR introduce?

bug fix

What is the current behavior?

osv-scanner occasionally panics when analyzing a repository, which crashes Scorecard

While I try to report these and get them fixed upstream, it negatively impacts Scorecard in the meanwhile.

What is the new behavior (if this is a feature change)?**

  • We recover from the panics so we can return an inconclusive -1 score for the Vulnerabilities check.
    • Since these runtime errors are logged, they can still be reported upstream to osv-scanner
  • Updated osv-scanner for performance related reasons relating to Regexp compilation taking a long time google/osv-scanner#333, which will benefit the cron
  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

NONE

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

The Vulnerabilities check will now give an inconclusive score if the OSV vulnerabilities client panics instead of crashing Scorecard too.

This allows us to give an inconclusive score instead of crashing.

Signed-off-by: Spencer Schrock <sschrock@google.com>
google/osv-scanner#346
Signed-off-by: Spencer Schrock <sschrock@google.com>
@codecov
Copy link

codecov bot commented Apr 21, 2023

Codecov Report

Merging #2896 (72cfea5) into main (d31e28a) will decrease coverage by 0.02%.
The diff coverage is 0.00%.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2896      +/-   ##
==========================================
- Coverage   51.73%   51.71%   -0.02%     
==========================================
  Files         158      158              
  Lines       12109    12113       +4     
==========================================
  Hits         6264     6264              
- Misses       5480     5484       +4     
  Partials      365      365              

@spencerschrock spencerschrock enabled auto-merge (squash) April 24, 2023 17:14
@spencerschrock spencerschrock temporarily deployed to integration-test April 24, 2023 17:14 — with GitHub Actions Inactive
@spencerschrock spencerschrock merged commit a4e72a8 into ossf:main Apr 24, 2023
@spencerschrock spencerschrock deleted the fix/osv-scanner-panics branch April 24, 2023 17:33
balteravishay pushed a commit to balteravishay/scorecard that referenced this pull request May 29, 2023
…sf#2896)

* Recover from osv-scanner panics.

This allows us to give an inconclusive score instead of crashing.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Bump osv-scanner to include performance increase.

google/osv-scanner#346
Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants