guacsec / guac

GUAC aggregates software security metadata into a high fidelity graph database.
https://guac.sh
Apache License 2.0

[feature] Only use Scorecard API so that we can use deps.dev/api/v3alpha #1947

Open nathannaveen opened 4 months ago

nathannaveen commented 4 months ago

Context: We are addressing the need to upgrade from deps.dev/api/v3 to deps.dev/api/v3alpha to implement batch querying, which will significantly speed up our runtime as highlighted in https://github.com/guacsec/guac/issues/1768.

Problem: But, there is a single issue in moving up to deps.dev/api/v3alpha. GUAC currently uses OpenSSF Scorecard, which internally calls osv-scanner. Then, osv-scanner relies on deps.dev/api/v3, which calls the deps dev API with the command resolve.NewAPIClient https://github.com/google/deps.dev/blob/b352d7eeeae603a42092e50ad6a7aea2c594431b/util/resolve/api.go#L64.

The issue is that the command resolve.NewAPIClient works with the stable version deps.dev/api/v3 but not deps.dev/api/v3alpha.

Proposed Solution: To leverage deps.dev/api/v3alpha and still use the Scorecard functionality we can:

  1. Utilize Scorecard API directly: Instead of using the Scorecard command, we will call the Scorecard API directly. This approach will bypass using osv-scanner as a dependency and allow us to implement the batch querying feature of deps.dev/api/v3alpha. This is partially being done in https://github.com/guacsec/guac/pull/1938. We would need to additionally remove the actual scorecard call. https://github.com/guacsec/guac/blob/64e4b0ee5338816b6757c901d11638653e48b5fb/pkg/certifier/scorecard/scorecardRunner.go#L82

nathannaveen commented 4 months ago
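As an added illustration of the direct-API route proposed above (example code, not GUAC's own): decoding a Scorecard API result in Go, keeping only the fields a certifier would record and treating inconclusive checks separately from failed ones. It assumes the hosted endpoint at api.securityscorecards.dev and uses a constructed sample body.

```go
package main

import (
	"encoding/json"
	"errors"
)

// Results come from the hosted API (assumed): https://api.securityscorecards.dev/projects/github.com/<org>/<repo>
// Check is one "checks" entry; a score of -1 means inconclusive, not failed.
type Check struct {
	Name  string `json:"name"`
	Score int    `json:"score"`
}

// Result keeps the response fields a certifier would record for a package.
type Result struct {
	Date   string                        `json:"date"`
	Repo   struct{ Name, Commit string } `json:"repo"` // keys match fields case-insensitively
	Score  float64                       `json:"score"`
	Checks []Check                       `json:"checks"`
}

// ParseResult decodes an API body and rejects responses missing fields we rely on.
func ParseResult(body []byte) (*Result, error) {
	var r Result
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, err
	}
	if r.Repo.Name == "" || r.Checks == nil {
		return nil, errors.New("scorecard response missing repo name or checks")
	}
	return &r, nil
}

// FailingChecks lists checks scoring below min, skipping inconclusive (-1) ones.
func FailingChecks(r *Result, min int) []string {
	var out []string
	for _, c := range r.Checks {
		if c.Score >= 0 && c.Score < min {
			out = append(out, c.Name)
		}
	}
	return out
}

// SampleBody is a constructed response in the API's shape; the values are illustrative only.
const SampleBody = `{"date":"2024-07-01","repo":{"name":"github.com/example/repo","commit":"0000000"},
"score":6.2,"checks":[{"name":"Maintained","score":10},
{"name":"Pinned-Dependencies","score":3},{"name":"Fuzzing","score":-1}]}`
```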

👀 @pxp928 @jeffmendoza @lumjjb @mihaimaruseac

lumjjb commented 3 months ago

Based on discussion in the June 10 meeting, there is still a use case that could use the scorecard certifier functionality. Proposal is not to delete but move this to another repository under guacsec as a "contrib". @nathannaveen would you be interested in exploring this as a separate repo?

nathannaveen commented 3 months ago

@lumjjb thank you for the update from the meeting's discussion! I would be interested in working on this.

nathannaveen commented 3 months ago

I recently realized that we directly utilize osv-scanner. https://github.com/guacsec/guac/blob/dad65eb57ce9ffe9db2d49ba3cda097a48191eda/pkg/certifier/osv/osv.go#L27

I didn't think of the direct osv-scanner dependency while creating this issue, so I think we should take a minute to rethink this before moving the scorecard certifier to another repo. Moving the scorecard certifier to another repo won't really solve our issue since we will still have the osv-scanner dependency (which in turn gives us the deps.dev/api/v3 dependency).

Additionally, we will probably not be able to use the deps.dev/api/v3alpha API until it becomes stable because of https://github.com/guacsec/guac/issues/1768#issuecomment-2182929149.