BUG: Scorecard's npm search doesn't match exact #2441

scovetta · 2022-11-08T22:56:05Z

Describe the bug
The Scorecard npm package integration uses the npm registry full text search function, which seems to omit deprecated packages. This means when searching for left-pad, you get the package repeat-string, which causes a later failure:

Error: GetClients: getting local directory client: error during parse: invalid repo flag: . Exepted full repository url

https://registry.npmjs.org/-/v1/search?text=left-pad&size=1

I think the call could be changed to just registry.npmjs.org/<package name>, but you'd have to find the best repository URL (probably in versions[dist-tags.latest].repository.url). Or, if there's an advantage to doing it the current way, then try that first and then fall back to the direct URL.

Reproduction steps
Steps to reproduce the behavior:

Run Scorecard against left-pad:

docker run -e GITHUB_AUTH_TOKEN=XXXXXXXXXXXXXXXXXXXXXX gcr.io/openssf/scorecard:stable --npm=left-pad --show-details

See the error:

Error: GetClients: getting local directory client: error during parse: invalid repo flag: . Exepted full repository url
2022/11/08 22:47:42 error during command execution: GetClients: getting local directory client: error during parse: invalid repo flag: . Exepted full repository url

Expected behavior
For left-pad, it should attempt to load the GitHub repository URL.

Additional context
N/A

The text was updated successfully, but these errors were encountered:

Signed-off-by: aklevans <alexklevans@gmail.com>

…pm database (#4118) * Update endpoint used when getting repo from npm to solve #3166 Signed-off-by: aklevans <alexklevans@gmail.com> * Update test files to account for endpoint change when getting repo from npm Signed-off-by: aklevans <alexklevans@gmail.com> * Fix linter issues Signed-off-by: aklevans <alexklevans@gmail.com> * Added unit tests for #3166 and #2441 Signed-off-by: aklevans <alexklevans@gmail.com> * fix linter issues and reduce mock json output in package_manager_test to only include necessary data Signed-off-by: aklevans <alexklevans@gmail.com> * fix linter issues in package_managers.go Signed-off-by: aklevans <alexklevans@gmail.com> * convert windows line breaks to linux Signed-off-by: aklevans <alexklevans@gmail.com> * reduce test case size, still has windows line breaks Signed-off-by: aklevans <alexklevans@gmail.com> * Fix unit tests Signed-off-by: aklevans <alexklevans@gmail.com> * attempt linter fix Signed-off-by: aklevans <alexklevans@gmail.com> * Fix linter issues stemming from windows line breaks Signed-off-by: aklevans <alexklevans@gmail.com> * Remove magic number and rename variable to be more accurate Signed-off-by: aklevans <alexklevans@gmail.com> --------- Signed-off-by: aklevans <alexklevans@gmail.com> Signed-off-by: aklevans <105876795+aklevans@users.noreply.github.com>

spencerschrock · 2024-06-05T17:16:16Z

Fixed by #4118

…pm database (ossf#4118) * Update endpoint used when getting repo from npm to solve ossf#3166 Signed-off-by: aklevans <alexklevans@gmail.com> * Update test files to account for endpoint change when getting repo from npm Signed-off-by: aklevans <alexklevans@gmail.com> * Fix linter issues Signed-off-by: aklevans <alexklevans@gmail.com> * Added unit tests for ossf#3166 and ossf#2441 Signed-off-by: aklevans <alexklevans@gmail.com> * fix linter issues and reduce mock json output in package_manager_test to only include necessary data Signed-off-by: aklevans <alexklevans@gmail.com> * fix linter issues in package_managers.go Signed-off-by: aklevans <alexklevans@gmail.com> * convert windows line breaks to linux Signed-off-by: aklevans <alexklevans@gmail.com> * reduce test case size, still has windows line breaks Signed-off-by: aklevans <alexklevans@gmail.com> * Fix unit tests Signed-off-by: aklevans <alexklevans@gmail.com> * attempt linter fix Signed-off-by: aklevans <alexklevans@gmail.com> * Fix linter issues stemming from windows line breaks Signed-off-by: aklevans <alexklevans@gmail.com> * Remove magic number and rename variable to be more accurate Signed-off-by: aklevans <alexklevans@gmail.com> --------- Signed-off-by: aklevans <alexklevans@gmail.com> Signed-off-by: aklevans <105876795+aklevans@users.noreply.github.com> Signed-off-by: balteraivshay <avishay.balter@gmail.com>

scovetta added the kind/bug Something isn't working label Nov 8, 2022

spencerschrock mentioned this issue Apr 15, 2024

BUG: --npm wrong input does not throw error #3166

Closed

aklevans added a commit to aklevans/scorecard that referenced this issue May 21, 2024

Added unit tests for ossf#3166 and ossf#2441

ebdc7be

Signed-off-by: aklevans <alexklevans@gmail.com>

aklevans mentioned this issue May 21, 2024

🐛 Use direct endpoint instead of search to find repository URL from npm database #4118

Merged

1 task

spencerschrock closed this as completed Jun 5, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

BUG: Scorecard's npm search doesn't match exact #2441

BUG: Scorecard's npm search doesn't match exact #2441

scovetta commented Nov 8, 2022

spencerschrock commented Jun 5, 2024

BUG: Scorecard's npm search doesn't match exact #2441

BUG: Scorecard's npm search doesn't match exact #2441

Comments

scovetta commented Nov 8, 2022

spencerschrock commented Jun 5, 2024