Open nathannaveen opened 4 months ago
👀 @pxp928 @jeffmendoza @lumjjb @mihaimaruseac
Based on discussion in the June 10 meeting, there is still a use case that could use the scorecard certifier functionality. The proposal is not to delete it but to move it to another repository under guacsec as a "contrib". @nathannaveen would you be interested in exploring this as a separate repo?
@lumjjb thank you for the update from the meetings discussion! I would be interested in working on this.
I recently realized that we directly utilize osv-scanner: https://github.com/guacsec/guac/blob/dad65eb57ce9ffe9db2d49ba3cda097a48191eda/pkg/certifier/osv/osv.go#L27

I didn't think of the direct osv-scanner dependency while creating this issue, so I think we should take a minute to rethink this before moving the scorecard certifier to another repo. Moving the scorecard certifier to another repo won't really solve our issue since we will still have the osv-scanner dependency (which in turn gives us the deps.dev/api/v3 dependency).

Additionally, we will probably not be able to use the deps.dev/api/v3alpha API until it becomes stable because of https://github.com/guacsec/guac/issues/1768#issuecomment-2182929149.
Context: We are addressing the need to upgrade from deps.dev/api/v3 to deps.dev/api/v3alpha to implement batch querying, which will significantly speed up our runtime as highlighted in https://github.com/guacsec/guac/issues/1768.

Problem: But there is a single issue in moving up to deps.dev/api/v3alpha. GUAC currently uses OpenSSF Scorecard, which internally calls osv-scanner. Then, osv-scanner relies on deps.dev/api/v3, which calls the deps.dev API with the command resolve.NewAPIClient (https://github.com/google/deps.dev/blob/b352d7eeeae603a42092e50ad6a7aea2c594431b/util/resolve/api.go#L64). The issue is that the command resolve.NewAPIClient works with the stable version deps.dev/api/v3 but not deps.dev/api/v3alpha.

Proposed Solution: To leverage deps.dev/api/v3alpha and still use the Scorecard functionality we can: