Closed G-Rath closed 1 week ago
Attention: Patch coverage is 75.00000%
with 3 lines
in your changes missing coverage. Please review.
Please upload report for BASE (
main@46aee59
). Learn more about missing BASE report.
Files | Patch % | Lines |
---|---|---|
internal/utility/vulns/vulnerability.go | 75.00% | 2 Missing and 1 partial :warning: |
:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.
Turns out we're not accurately sorting the table output at least for local - I'll tackle that somewhere...
I cannot for the life of me replicate that sorting difference locally 😕
I cannot for the life of me replicate that sorting difference locally 😕
I tried running update_snaps
for this branch locally, and it did change the order, but it's still a little different from the Ubuntu results.
Yeah, it seems that every couple of hours the order changes - I'm not sure if its coinciding with something on the osv.dev side like work being landed or if it's just some clock-shift based randomness, but it seems to be "hours" based rather than "seconds" based...
Yeah, it seems that every couple of hours the order changes - I'm not sure if its coinciding with something on the osv.dev side like work being landed or if it's just some clock-shift based randomness, but it seems to be "hours" based rather than "seconds" based...
Yeah I see what you mean. I just tested again and the result shows different.
I had a look with @michaelkedar on this issue. We noticed that the result changes after the exporter
cron job publishes a new all.zip
. We think this is because the exporter
runs in parallel (https://github.com/google/osv.dev/pull/2167), which may cause the order to be slightly different each time. To solve this, I guess we need to either sort the all.zip
on the OSV.dev side or order all vulnerabilities alphabetically on the OSV-Scanner side. What do you think @another-rex
oohh good find - fwiw locally I've been playing around with sorting the table rows within packages by their url though that got blocked by it being an interface{}
; I've not gotten back to it yet so might be an easy fix
Hmm... is this behaviour new? All.zip is built concurrently, but that has always been the case if I understand correctly.
Hmm... is this behaviour new? All.zip is built concurrently, but that has always been the case if I understand correctly.
I don't think this is a new behaviour. Even though all.zip is built concurrently, the files are usually modified in alphabetical order, just a few are out of place. That's probably why most of our tests are passing. But this PR has a bunch of vulnerabilities with adjacency IDs (like 9840, 9841, 9842, and 9843), which is probably why it's failing. But I am not 100% sure if this is the issue as the modified order doesn't really align with the scanner output order.
I think this just needs a flag change in the test to match the new download-offline-db flag and should be good to merge.
This changes how we compare ecosystems so that the suffix is only considered when it is present for both ecosystems being compared, since we can't reliably extract that.
Resolves #769