
[bug] some deps.dev GetProject RPCs fail #1413

Open
mdeicas opened this issue Oct 16, 2023 · 1 comment · May be fixed by #1438
Labels
bug Something isn't working

Comments


mdeicas commented Oct 16, 2023

Summary
In some calls to the deps.dev GetProject endpoint, the source repository argument is malformed. The arguments have a .git suffix, which is not expected by that endpoint.

More Detail
For any input to the deps.dev collector, an rpc is first made to GetVersion in part to retrieve a link to the source repository. These links are parsed by VcsToSrc. Then, the argument for the rpc to GetProject is created with that result here.

The source urls that deps.dev GetVersion returns are not all consistent. It seems that at least for npm packages, the urls have a .git suffix. For instance, see the results of the call for pkg:npm/@webassemblyjs/wasm-parser : https://api.deps.dev/v3alpha/systems/npm/packages/%40webassemblyjs%2Fwasm-parser/versions/1.11.6. In contrast, the link returned by the call for pkg:golang/google/wire does not have that suffix: https://api.deps.dev/v3alpha/systems/go/packages/github.com%2Fgoogle%2Fwire/versions/v0.5.0.

The .git suffix makes its way into the argument for the rpc to GetProject, which causes it to fail. For example, compare the following two calls.

(succeeds) https://api.deps.dev/v3alpha/projects/github.com%2Fxtuc%2Fwebassemblyjs
(fails) https://api.deps.dev/v3alpha/projects/github.com%2Fxtuc%2Fwebassemblyjs.git

Proposed Change
To remove the .git suffix if it is present in VcsToSrc.

To Reproduce
First, enable debug level logging. I don't think this can actually be done (I'll file an issue shortly), so in the meantime change the log in this line to Infof. Without making this change, the bug can be seen in that there are no CertifyScorecard nodes in the GQL instance.

  1. Start up Guac
  2. run guaccollect deps_dev --service-poll=false --use-csub=false --retrieve-dependencies=false "pkg:npm/@webassemblyjs/wasm-parser@1.11.6"

This is one of the logs:

{"level":"info","ts":1697493779.873081,"caller":"deps_dev/deps_dev.go:571","msg":"unable to get project for: github.com/xtuc/webassemblyjs.git, error: rpc error: code = NotFound desc = project not found"}

Expected behavior
The error message to not appear, the rpc to succeed, and scorecard information be ingested into Guac.

GUAC version
v0.3.0
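The normalization the proposed change asks for, as an added illustration that is not GUAC's own VcsToSrc code: it turns a GetVersion source URL into the project key GetProject expects, stripping the scheme, a trailing slash and the .git suffix, and rejects inputs it cannot map. The "git+https://…" input form and the function names are assumptions; the project-key and request-path format follows the two example calls in the issue.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// projectIDFromSourceURL maps a source-repository URL to the "host/owner/repo"
// key used by deps.dev GetProject. The .git suffix is the case this issue
// reports; the "git+" prefix and missing scheme are extra forms handled here
// as assumptions about what a VCS link may look like.
func projectIDFromSourceURL(raw string) (string, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return "", fmt.Errorf("empty source url")
	}
	raw = strings.TrimPrefix(raw, "git+")
	if !strings.Contains(raw, "://") {
		raw = "https://" + raw // bare "github.com/owner/repo" form
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	host := strings.ToLower(u.Host)
	path := strings.Trim(u.Path, "/")
	path = strings.TrimSuffix(path, ".git")
	// Only accept exactly owner/repo; anything else would produce a key that
	// GetProject answers with NotFound, as the log line in this issue shows.
	if host == "" || strings.Count(path, "/") != 1 {
		return "", fmt.Errorf("unsupported source url %q", raw)
	}
	return host + "/" + path, nil
}

// getProjectPath builds the REST path for GetProject; the project key is one
// URL-encoded path segment, matching the example calls in the issue.
func getProjectPath(projectID string) string {
	return "/v3alpha/projects/" + url.PathEscape(projectID)
}

func main() {
	// Constructed inputs modelled on the npm and Go cases described above.
	for _, in := range []string{
		"git+https://github.com/xtuc/webassemblyjs.git",
		"https://github.com/google/wire",
	} {
		id, err := projectIDFromSourceURL(in)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(in, "->", getProjectPath(id))
	}
}
```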

@mdeicas mdeicas added the bug Something isn't working label Oct 16, 2023

pxp928 commented Oct 16, 2023

Thanks @mdeicas! Good find

naveensrinivasan added a commit to naveensrinivasan/guac that referenced this issue Oct 25, 2023
- Fixed the issue of incorrect GetProject issue
- Fixes guacsec#1413

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
@naveensrinivasan naveensrinivasan linked a pull request Oct 25, 2023 that will close this issue