-
Notifications
You must be signed in to change notification settings - Fork 179
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[feature] Only use Scorecard API so that we can use deps.dev/api/v3alpha #1947
Comments
Based on discussion in the June 10 meeting, there is still a use case that could use the scorecard certifier functionality. Proposal is not to delete but move this to another repository under guacsec as a "contrib". @nathannaveen would you be interested in exploring this as a separate repo? |
@lumjjb thank you for the update from the meetings discussion! I would be interested in working on this. |
I recently realized that we directly utilize Line 27 in dad65eb
I didn't think of the direct Additionally, we will probably not be able to use the |
Context:
We are addressing the need to upgrade from
deps.dev/api/v3
todeps.dev/api/v3alpha
to implement batch querying, which will significantly speed up our runtime as highlighted in #1768.Problem:
But, there is a single issue in moving up to
deps.dev/api/v3alpha
. GUAC currently uses OpenSSF Scorecard, which internally calls osv-scanner. Then, osv-scanner relies ondeps.dev/api/v3
, which calls the deps dev API with the commandresolve.NewAPIClient
https://github.com/google/deps.dev/blob/b352d7eeeae603a42092e50ad6a7aea2c594431b/util/resolve/api.go#L64.The issue is that the command
resolve.NewAPIClient
works with the stable versiondeps.dev/api/v3
but notdeps.dev/api/v3alpha
.Proposed Solution:
To leverage deps.dev/api/v3alpha and still use the Scorecard functionality we can:
guac/pkg/certifier/scorecard/scorecardRunner.go
Line 82 in 64e4b0e
The text was updated successfully, but these errors were encountered: