[feature] Only use Scorecard API so that we can use deps.dev/api/v3alpha #1947

Open
nathannaveen opened this issue Jun 4, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

@nathannaveen
Contributor

Context:
We are addressing the need to upgrade from deps.dev/api/v3 to deps.dev/api/v3alpha to implement batch querying, which will significantly speed up our runtime as highlighted in #1768.

Problem:
But, there is a single issue in moving up to deps.dev/api/v3alpha. GUAC currently uses OpenSSF Scorecard, which internally calls osv-scanner. Then, osv-scanner relies on deps.dev/api/v3, which calls the deps dev API with the command resolve.NewAPIClient https://github.com/google/deps.dev/blob/b352d7eeeae603a42092e50ad6a7aea2c594431b/util/resolve/api.go#L64.

The issue is that the command resolve.NewAPIClient works with the stable version deps.dev/api/v3 but not deps.dev/api/v3alpha.

Proposed Solution:
To leverage deps.dev/api/v3alpha and still use the Scorecard functionality we can:

  1. Utilize Scorecard API directly: Instead of using the Scorecard command, we will call the Scorecard API directly. This approach will bypass using osv-scanner as a dependency and allow us to implement the batch querying feature of deps.dev/api/v3alpha. This is partially being done in Including the Scorecard API #1938. We would need to additionally remove the actual scorecard call.
    res, err := sc.RunScorecard(s.ctx, repo, commitSHA, 0, enabledChecks, repoClient, ossFuzzClient, ciiClient, vulnsClient)

@nathannaveen nathannaveen added the enhancement New feature or request label Jun 4, 2024
@nathannaveen
Contributor Author

@lumjjb
Contributor

lumjjb commented Jun 10, 2024

Based on discussion in the June 10 meeting, there is still a use case that could use the scorecard certifier functionality. Proposal is not to delete but move this to another repository under guacsec as a "contrib". @nathannaveen would you be interested in exploring this as a separate repo?

@nathannaveen
Contributor Author

nathannaveen commented Jun 11, 2024

@lumjjb thank you for the update from the meeting's discussion! I would be interested in working on this.

@nathannaveen
Contributor Author

nathannaveen commented Jun 21, 2024

I recently realized that we directly utilize osv-scanner.

osv_scanner "github.com/google/osv-scanner/pkg/osv"

I didn't think of the direct osv-scanner dependency while creating this issue, so I think we should take a minute to rethink this before moving the scorecard certifier to another repo. Moving the scorecard certifier to another repo won't really solve our issue since we will still have the osv-scanner dependency (which in turn gives us the deps.dev/api/v3 dependency).

Additionally, we will probably not be able to use the deps.dev/api/v3alpha API until it becomes stable because of #1768 (comment).
