
When trusty doesn't report a score, minder replies that the package is malicious

Open jhrozek opened this issue 1 year ago • 1 comments

We ran into an issue where minder issued a request for a package's Trusty score and received a 200 response that was probably empty; either way, the reply appears not to have contained a score. Probably because of this code in the trusty evaluator:

```go
// A nil Score (for example, a package Trusty has not ingested yet) silently
// becomes 0 here, which the rest of the evaluator treats as a failing score.
packageScore := float64(0)
if resp.Summary.Score != nil {
	packageScore = *resp.Summary.Score
}
```

we defaulted to a packageScore of 0 and flagged the package as malicious. Instead, we should have reported that we didn't find any score. We could also render a URL to the package's Trusty page instead, so at least the user can check it that way.

jhrozek avatar Aug 23 '24 07:08 jhrozek

@aponcedeleonch analyzed the problem further and found out that this happened because the package was not ingested at the time minder queried for it. We should then tailor the reply so that it renders a URL the user can navigate to manually.

jhrozek avatar Aug 23 '24 10:08 jhrozek
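The failure mode described in the issue and in the follow-up above, as an added Go example that is not minder's own code: the "buggy" evaluator collapses a nil score into 0 and a malicious verdict, while the "fixed" one reports "no score" and hands back a URL for manual review. The `Response`/`Summary` shapes are reduced to what the snippet references; the threshold, the `Verdict` type and the `https://trusty.example/...` URL format are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Summary mirrors the field used in the issue: Score is a pointer because the
// Trusty API may omit it (for example, the package is not ingested yet).
type Summary struct {
	Score *float64
}

// Response is a minimal stand-in for the evaluator's resp (assumed shape).
type Response struct {
	Summary Summary
}

// ErrNoScore signals that Trusty returned no score for the package.
var ErrNoScore = errors.New("trusty returned no score for package")

// Verdict is the evaluator's outcome for one package (assumed type).
type Verdict struct {
	Score     float64
	HasScore  bool
	Malicious bool
	URL       string // where a user can check the package manually
}

// evaluateBuggy reproduces the behaviour from the issue: an absent score
// silently becomes 0, which is below any sane threshold, so the package is
// reported as malicious even though nothing was actually measured.
func evaluateBuggy(resp Response, threshold float64) Verdict {
	packageScore := float64(0)
	if resp.Summary.Score != nil {
		packageScore = *resp.Summary.Score
	}
	return Verdict{Score: packageScore, HasScore: true, Malicious: packageScore < threshold}
}

// evaluateFixed distinguishes "no score yet" from "low score": a nil score
// yields ErrNoScore plus a URL for manual review instead of a malicious verdict.
func evaluateFixed(resp Response, threshold float64, ecosystem, name string) (Verdict, error) {
	url := fmt.Sprintf("https://trusty.example/%s/%s", ecosystem, name) // placeholder URL format
	if resp.Summary.Score == nil {
		return Verdict{URL: url}, ErrNoScore
	}
	score := *resp.Summary.Score
	return Verdict{Score: score, HasScore: true, Malicious: score < threshold, URL: url}, nil
}
```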

We're re-writing all of this (both Trusty and the rule evaluator), so this is probably obsolete.

evankanderson avatar Dec 17 '24 14:12 evankanderson