
[feature] Only use Scorecard API so that we can use deps.dev/api/v3alpha

Open nathannaveen opened this issue 1 year ago • 4 comments

Context: We are addressing the need to upgrade from deps.dev/api/v3 to deps.dev/api/v3alpha to implement batch querying, which will significantly speed up our runtime as highlighted in https://github.com/guacsec/guac/issues/1768.

Problem: But, there is a single issue in moving up to deps.dev/api/v3alpha. GUAC currently uses OpenSSF Scorecard, which internally calls osv-scanner. Then, osv-scanner relies on deps.dev/api/v3, which calls the deps dev API with the command resolve.NewAPIClient https://github.com/google/deps.dev/blob/b352d7eeeae603a42092e50ad6a7aea2c594431b/util/resolve/api.go#L64.

The issue is that the command resolve.NewAPIClient works with the stable version deps.dev/api/v3 but not deps.dev/api/v3alpha.

Proposed Solution: To leverage deps.dev/api/v3alpha and still use the Scorecard functionality we can:

  1. Utilize Scorecard API directly: Instead of using the Scorecard command, we will call the Scorecard API directly. This approach will bypass using osv-scanner as a dependency and allow us to implement the batch querying feature of deps.dev/api/v3alpha. This is partially being done in https://github.com/guacsec/guac/pull/1938. We would need to additionally remove the actual scorecard call. https://github.com/guacsec/guac/blob/64e4b0ee5338816b6757c901d11638653e48b5fb/pkg/certifier/scorecard/scorecardRunner.go#L82

nathannaveen, Jun 04 '24 18:06
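As an added illustration of the first proposal above (calling the Scorecard REST API directly rather than shelling out to the scorecard command), here is a small Go client that is not part of GUAC or of PR #1938. It assumes the public API's `/projects/<repo>` path and the `repo`/`score`/`checks` fields of its JSON reply; the reply data is constructed and served from a local `httptest` server so the example runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ScorecardResult holds the fields of a Scorecard API reply that a certifier needs.
// Fields are untagged: encoding/json matches the lowercase JSON keys case-insensitively.
type ScorecardResult struct {
	Repo   struct{ Name, Commit string }
	Score  float64
	Checks []struct{ Name string; Score float64 }
}

// FetchScorecard GETs <baseURL>/projects/<repo> (the Scorecard API path shape) and
// rejects non-200 replies and replies that describe a different repository.
func FetchScorecard(c *http.Client, baseURL, repo string) (*ScorecardResult, error) {
	resp, err := c.Get(baseURL + "/projects/" + repo)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("scorecard api: %s for %s", resp.Status, repo)
	}
	var r ScorecardResult
	if err := json.NewDecoder(resp.Body).Decode(&r); err != nil {
		return nil, fmt.Errorf("decode scorecard reply: %w", err)
	}
	if r.Repo.Name != repo {
		return nil, fmt.Errorf("reply is for %q, asked for %q", r.Repo.Name, repo)
	}
	return &r, nil
}

// sampleJSON is a constructed reply, not real Scorecard data, so the example runs offline.
const sampleJSON = `{"repo":{"name":"github.com/example/repo","commit":"abc123"},"score":6.2,
"checks":[{"name":"Pinned-Dependencies","score":2},{"name":"Branch-Protection","score":8}]}`
// Demo serves sampleJSON from a local test server and fetches it for the given repo.
func Demo(repo string) (*ScorecardResult, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, sampleJSON)
	}))
	defer srv.Close()
	return FetchScorecard(srv.Client(), srv.URL, repo)
}
```

Against the real service the same `FetchScorecard` call is made with `http.DefaultClient` and the API base URL; the repo-name check guards against a cached or redirected reply being recorded for the wrong project.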

👀 @pxp928 @jeffmendoza @lumjjb @mihaimaruseac

nathannaveen, Jun 04 '24 18:06

Based on discussion in the June 10 meeting, there is still a use case that could use the scorecard certifier functionality. Proposal is not to delete but move this to another repository under guacsec as a "contrib". @nathannaveen would you be interested in exploring this as a separate repo?

lumjjb, Jun 10 '24 15:06

@lumjjb thank you for the update from the meeting's discussion! I would be interested in working on this.

nathannaveen, Jun 11 '24 19:06

I recently realized that we directly utilize osv-scanner. https://github.com/guacsec/guac/blob/dad65eb57ce9ffe9db2d49ba3cda097a48191eda/pkg/certifier/osv/osv.go#L27

I didn't think of the direct osv-scanner dependency while creating this issue, so I think we should take a minute to rethink this before moving the scorecard certifier to another repo. Moving the scorecard certifier to another repo won't really solve our issue since we will still have the osv-scanner dependency (which in turn gives us the deps.dev/api/v3 dependency).

Additionally, we will probably not be able to use the deps.dev/api/v3alpha API until it becomes stable because of https://github.com/guacsec/guac/issues/1768#issuecomment-2182929149.

nathannaveen, Jun 21 '24 15:06