BUG: --npm wrong input does not throw error #3166

gabibguti · 2023-06-14T19:37:18Z

Describe the bug
Scorecard can receive as input the name of the package from npm, pypi and rubygems ecosystems as per the documentation. Reading the documentation, it was not clear to me that I needed to provide the package name and providing a package URL does not throw an error but runs the evaluation with a weird behavior.

Reproduction steps
Steps to reproduce the behavior:

Run Scorecard v4.10.2 with --npm=https://github.com/airbnb/lottie-web
See output results for repo: name: github.com/perrmadiafrrian/react-lottie-light

Expected behavior
I expected Scorecard would warn me I made a mistake in the --npm flag input and not run the evaluation for an unexpected repository.

Additional context
None.

The text was updated successfully, but these errors were encountered:

spencerschrock · 2023-06-14T21:02:00Z

Has to do with the implementation using npm's search functionality:
https://www.npmjs.com/search?q=https%3A%2F%2Fgithub.com%2Fairbnb%2Flottie-web

scorecard/cmd/package_managers.go

Lines 81 to 84 in 4cd5446

    
           func fetchGitRepositoryFromNPM(packageName string, packageManager packageManagerClient) (string, error) { 
        
           	npmSearchURL := "https://registry.npmjs.org/-/v1/search?text=%s&size=1" 
        
           	resp, err := packageManager.Get(npmSearchURL, packageName) 
        
           	if err != nil {

If we do a different endpoint, could probably catch this sort of thing:
https://registry.npmjs.org/<package>

https://registry.npmjs.org/lottie-web works
https://registry.npmjs.org/https://github.com/airbnb/lottie-web doesn't work

spencerschrock · 2024-04-15T19:59:46Z

Also related to #2441

Signed-off-by: aklevans <alexklevans@gmail.com>

…pm database (#4118) * Update endpoint used when getting repo from npm to solve #3166 Signed-off-by: aklevans <alexklevans@gmail.com> * Update test files to account for endpoint change when getting repo from npm Signed-off-by: aklevans <alexklevans@gmail.com> * Fix linter issues Signed-off-by: aklevans <alexklevans@gmail.com> * Added unit tests for #3166 and #2441 Signed-off-by: aklevans <alexklevans@gmail.com> * fix linter issues and reduce mock json output in package_manager_test to only include necessary data Signed-off-by: aklevans <alexklevans@gmail.com> * fix linter issues in package_managers.go Signed-off-by: aklevans <alexklevans@gmail.com> * convert windows line breaks to linux Signed-off-by: aklevans <alexklevans@gmail.com> * reduce test case size, still has windows line breaks Signed-off-by: aklevans <alexklevans@gmail.com> * Fix unit tests Signed-off-by: aklevans <alexklevans@gmail.com> * attempt linter fix Signed-off-by: aklevans <alexklevans@gmail.com> * Fix linter issues stemming from windows line breaks Signed-off-by: aklevans <alexklevans@gmail.com> * Remove magic number and rename variable to be more accurate Signed-off-by: aklevans <alexklevans@gmail.com> --------- Signed-off-by: aklevans <alexklevans@gmail.com> Signed-off-by: aklevans <105876795+aklevans@users.noreply.github.com>

…pm database (ossf#4118) * Update endpoint used when getting repo from npm to solve ossf#3166 Signed-off-by: aklevans <alexklevans@gmail.com> * Update test files to account for endpoint change when getting repo from npm Signed-off-by: aklevans <alexklevans@gmail.com> * Fix linter issues Signed-off-by: aklevans <alexklevans@gmail.com> * Added unit tests for ossf#3166 and ossf#2441 Signed-off-by: aklevans <alexklevans@gmail.com> * fix linter issues and reduce mock json output in package_manager_test to only include necessary data Signed-off-by: aklevans <alexklevans@gmail.com> * fix linter issues in package_managers.go Signed-off-by: aklevans <alexklevans@gmail.com> * convert windows line breaks to linux Signed-off-by: aklevans <alexklevans@gmail.com> * reduce test case size, still has windows line breaks Signed-off-by: aklevans <alexklevans@gmail.com> * Fix unit tests Signed-off-by: aklevans <alexklevans@gmail.com> * attempt linter fix Signed-off-by: aklevans <alexklevans@gmail.com> * Fix linter issues stemming from windows line breaks Signed-off-by: aklevans <alexklevans@gmail.com> * Remove magic number and rename variable to be more accurate Signed-off-by: aklevans <alexklevans@gmail.com> --------- Signed-off-by: aklevans <alexklevans@gmail.com> Signed-off-by: aklevans <105876795+aklevans@users.noreply.github.com> Signed-off-by: balteraivshay <avishay.balter@gmail.com>

gabibguti added the kind/bug Something isn't working label Jun 14, 2023

spencerschrock added the area/cli Command Line Interface label Jun 14, 2023

spencerschrock added the good first issue Good for newcomers label Apr 15, 2024

aklevans added a commit to aklevans/scorecard that referenced this issue May 20, 2024

Update endpoint used when getting repo from npm to solve ossf#3166

71ac533

aklevans mentioned this issue May 20, 2024

🐛 Use direct endpoint instead of search to find repository URL from npm database #4118

Merged

1 task

aklevans added a commit to aklevans/scorecard that referenced this issue May 20, 2024

Update endpoint used when getting repo from npm to solve ossf#3166

da353db

Signed-off-by: aklevans <alexklevans@gmail.com>

aklevans added a commit to aklevans/scorecard that referenced this issue May 21, 2024

Added unit tests for ossf#3166 and ossf#2441

ebdc7be

Signed-off-by: aklevans <alexklevans@gmail.com>

spencerschrock closed this as completed in #4118 Jun 5, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

BUG: --npm wrong input does not throw error #3166

BUG: --npm wrong input does not throw error #3166

gabibguti commented Jun 14, 2023

spencerschrock commented Jun 14, 2023 •

edited

Loading

spencerschrock commented Apr 15, 2024

BUG: --npm wrong input does not throw error #3166

BUG: --npm wrong input does not throw error #3166

Comments

gabibguti commented Jun 14, 2023

spencerschrock commented Jun 14, 2023 • edited Loading

spencerschrock commented Apr 15, 2024

spencerschrock commented Jun 14, 2023 •

edited

Loading