Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Internal Go error when scanning a package internal to my own gitlab instance #4303

Open
andrew-lovato opened this issue Aug 16, 2024 · 1 comment
Labels
kind/bug Something isn't working

Comments

@andrew-lovato
Copy link

andrew-lovato commented Aug 16, 2024

Describe the bug
A clear and concise description of what the bug is.

My company hosts their own gitlab instance. To ping the API we use - https://git.foo.bar.com/api/v4
If I want to navigate to a repo - https://git.foo.bar.com/repo-name

In order to scan an INTERNAL package (to our self hosted GitLab instance) I have upgraded our binary to version 5.0.0 and pass GL_HOST = "git.foo.bar.com/" I have also tried GL_HOST = "https://git.foo.bar.com/api/v4" and also GL_HOST = "git.foo.bar.com". Each time, when I run an internal package I get the following error.

Response: CompletedProcess(args=['./bin/scorecard.bin', '--format', 'json', '--pypi', 'my-internal-package'], returncode=2, stdout=b'', stderr=b'panic: assignment to entry in nil map\n\ngoroutine 1 [running]:\ngithub.com/ossf/scorecard/v5/cmd.findGitRepositoryInPYPIResponse({0x7ffe4088a10d, 0x8}, {0x7f3647592080, 0xc00058a180})\n\tgithub.com/ossf/scorecard/v5@v5.0.0/cmd/package_managers.go:156 +0xe5\ngithub.com/ossf/scorecard/v5/cmd.fetchGitRepositoryFromPYPI({0x7ffe4088a10d, 0x8}, {0x19f7d68?, 0x260b560?})\n\tgithub.com/ossf/scorecard/v5@v5.0.0/cmd/package_managers.go:190 +0x17f\ngithub.com/ossf/scorecard/v5/cmd.fetchGitRepositoryFromPackageManagers({0x0?, 0xc000468c80?}, {0x7ffe4088a10d?, 0x74749b?}, {0x0?, 0x752c2c?}, {0x0?, 0x411abb?}, {0x19f7d68, 0x260b560})\n\tgithub.com/ossf/scorecard/v5@v5.0.0/cmd/package_managers.go:85 +0xfc\ngithub.com/ossf/scorecard/v5/cmd.rootCmd(0xc0002697a0)\n\tgithub.com/ossf/scorecard/v5@v5.0.0/cmd/root.go:85 +0x98\ngithub.com/ossf/scorecard/v5/cmd.New.func2(0xc0001c0008?, {0x17c18e8?, 0x4?, 0x17c1870?})\n\tgithub.com/ossf/scorecard/v5@v5.0.0/cmd/root.go:66 +0x17\ngithub.com/spf13/cobra.(*Command).execute(0xc0001c0008, {0xc0000a2060, 0x4, 0x4})\n\tgithub.com/spf13/cobra@v1.8.1/command.go:985 +0xaca\ngithub.com/spf13/cobra.(*Command).ExecuteC(0xc0001c0008)\n\tgithub.com/spf13/cobra@v1.8.1/command.go:1117 +0x3ff\ngithub.com/spf13/cobra.(*Command).Execute(0xc0002697a0?)\n\tgithub.com/spf13/cobra@v1.8.1/command.go:1041 +0x13\nmain.main()\n\tgithub.com/ossf/scorecard/v5@v5.0.0/main.go:27 +0x1d\n')

This is the command that is being run ['./bin/scorecard.bin', '--format', 'json', '--pypi', 'my-internal-package'] where it is trying to install my package, and then perform the scan from there.

I have logged GL_HOST within my lambda and it is being set the way I have posted above, with the different examples.

If I scan an EXTERNAL package, one residing in github, it works correctly and I get the resulting scores etc. So I know the binary CAN run correctly with my current setup.

I am finding this error difficult to debug with as it doesn't seem immediately like it's pointing to a bad GL_HOST var, nor it is it pointing to any broader process as far as I can tell. I also know that the token is correct as we use it for most of our team's processes. I also would have expected an auth error if it wasn't using a token or if the token wasn't working for some reason.

I am running Python 3.9

Has this error been seen before? I would love help figuring out next steps.

Expected behavior
A clear and concise description of what you expected to happen.

I expect to pass a correct value to GL_HOST (if thats the issue) and be able to run scans on internal packages on scorecard version 5.0.0.

Additional context
Add any other context about the problem here.

@andrew-lovato andrew-lovato added the kind/bug Something isn't working label Aug 16, 2024
@andrew-lovato andrew-lovato changed the title Internal error when scanning a package internal to my own gitlab instance Internal Go error when scanning a package internal to my own gitlab instance Aug 16, 2024
@andrew-lovato andrew-lovato reopened this Aug 19, 2024
@spencerschrock
Copy link
Member

spencerschrock commented Aug 19, 2024

I think the error is specifically in the --pypi my-internal-package part. This code looks for the project_urls map in the API response from PyPI:

example: https://pypi.org/pypi/model-signing/json, or in your case https://pypi.org/pypi/<my-internal-package>/json

    "project_urls": {
      "Homepage": "https://github.com/sigstore/model-transparency",
      "Issues": "https://github.com/sigstore/model-transparency/issues",
      "Source": "https://github.com/sigstore/model-transparency"
    },

If this is an internal package, is it even published to PyPI? As an alternative, have you tried invoking scorecard as follows?

['./bin/scorecard.bin', '--format', 'json', '--repo', 'https://git.foo.bar.com/repo-name']

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Something isn't working
Projects
Status: Done
Development

No branches or pull requests

2 participants