Open andrew-lovato opened 2 months ago
I think the error is specifically in the --pypi my-internal-package part. This code looks for the project_urls map in the API response from PyPI:
example: https://pypi.org/pypi/model-signing/json, or in your case https://pypi.org/pypi/<my-internal-package>/json
"project_urls": {
"Homepage": "https://github.com/sigstore/model-transparency",
"Issues": "https://github.com/sigstore/model-transparency/issues",
"Source": "https://github.com/sigstore/model-transparency"
},
If this is an internal package, is it even published to PyPI? As an alternative, have you tried invoking scorecard as follows?
['./bin/scorecard.bin', '--format', 'json', '--repo', 'https://git.foo.bar.com/repo-name']
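The lookup the comment above describes, as an added example (not scorecard's own code): it reads project_urls from the PyPI JSON document without ever writing into the map, so an absent or null project_urls (as for a package that is not published to PyPI) returns an error instead of a nil-map panic. The struct and function names and the gitHosts allow-list parameter are assumptions; the nesting of project_urls under "info" follows the real PyPI document.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// pypiResponse mirrors the slice of the PyPI JSON document we need; in the
// real document "project_urls" sits under "info" and may be absent or null.
type pypiResponse struct {
	Info struct {
		ProjectURLs map[string]string `json:"project_urls"`
	} `json:"info"`
}

// ErrNoRepository is returned, rather than panicking, when nothing usable is found.
var ErrNoRepository = errors.New("no git repository URL in PyPI project_urls")
// findGitRepository returns the first project_urls entry whose host is one of
// gitHosts (github.com, gitlab.com, or a self-hosted GitLab such as GL_HOST).
// It only reads the map: a missing "project_urls" key decodes to a nil map,
// which is safe to index and range over, so no entry is ever written into it.
func findGitRepository(body []byte, gitHosts []string) (string, error) {
	var resp pypiResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", fmt.Errorf("decode PyPI response: %w", err)
	}
	// Prefer the conventional keys, then fall back to any remaining entry.
	keys := []string{"Source", "Repository", "Homepage"}
	for k := range resp.Info.ProjectURLs {
		keys = append(keys, k)
	}
	for _, k := range keys {
		if raw, ok := resp.Info.ProjectURLs[k]; ok && hostAllowed(raw, gitHosts) {
			return raw, nil
		}
	}
	return "", ErrNoRepository
}

// hostAllowed accepts only https URLs whose host is in the allow-list.
func hostAllowed(raw string, hosts []string) bool {
	u, err := url.Parse(raw)
	for _, h := range hosts {
		if err == nil && u.Scheme == "https" && u.Host == h {
			return true
		}
	}
	return false
}
```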
Describe the bug
My company hosts its own GitLab instance. To ping the API we use https://git.foo.bar.com/api/v4; to navigate to a repo, https://git.foo.bar.com/repo-name.
In order to scan an INTERNAL package (to our self-hosted GitLab instance) I have upgraded our binary to version 5.0.0 and pass GL_HOST = "git.foo.bar.com/". I have also tried GL_HOST = "https://git.foo.bar.com/api/v4" and also GL_HOST = "git.foo.bar.com". Each time, when I run an internal package I get the following error.
Response: CompletedProcess(args=['./bin/scorecard.bin', '--format', 'json', '--pypi', 'my-internal-package'], returncode=2, stdout=b'', stderr=b'panic: assignment to entry in nil map\n\ngoroutine 1 [running]:\ngithub.com/ossf/scorecard/v5/cmd.findGitRepositoryInPYPIResponse({0x7ffe4088a10d, 0x8}, {0x7f3647592080, 0xc00058a180})\n\tgithub.com/ossf/scorecard/v5@v5.0.0/cmd/package_managers.go:156 +0xe5\ngithub.com/ossf/scorecard/v5/cmd.fetchGitRepositoryFromPYPI({0x7ffe4088a10d, 0x8}, {0x19f7d68?, 0x260b560?})\n\tgithub.com/ossf/scorecard/v5@v5.0.0/cmd/package_managers.go:190 +0x17f\ngithub.com/ossf/scorecard/v5/cmd.fetchGitRepositoryFromPackageManagers({0x0?, 0xc000468c80?}, {0x7ffe4088a10d?, 0x74749b?}, {0x0?, 0x752c2c?}, {0x0?, 0x411abb?}, {0x19f7d68, 0x260b560})\n\tgithub.com/ossf/scorecard/v5@v5.0.0/cmd/package_managers.go:85 +0xfc\ngithub.com/ossf/scorecard/v5/cmd.rootCmd(0xc0002697a0)\n\tgithub.com/ossf/scorecard/v5@v5.0.0/cmd/root.go:85 +0x98\ngithub.com/ossf/scorecard/v5/cmd.New.func2(0xc0001c0008?, {0x17c18e8?, 0x4?, 0x17c1870?})\n\tgithub.com/ossf/scorecard/v5@v5.0.0/cmd/root.go:66 +0x17\ngithub.com/spf13/cobra.(*Command).execute(0xc0001c0008, {0xc0000a2060, 0x4, 0x4})\n\tgithub.com/spf13/cobra@v1.8.1/command.go:985 +0xaca\ngithub.com/spf13/cobra.(*Command).ExecuteC(0xc0001c0008)\n\tgithub.com/spf13/cobra@v1.8.1/command.go:1117 +0x3ff\ngithub.com/spf13/cobra.(*Command).Execute(0xc0002697a0?)\n\tgithub.com/spf13/cobra@v1.8.1/command.go:1041 +0x13\nmain.main()\n\tgithub.com/ossf/scorecard/v5@v5.0.0/main.go:27 +0x1d\n')
This is the command that is being run:
['./bin/scorecard.bin', '--format', 'json', '--pypi', 'my-internal-package']
where it is trying to install my package, and then perform the scan from there. I have logged GL_HOST within my lambda and it is being set the way I have posted above, with the different examples. If I scan an EXTERNAL package, one residing in GitHub, it works correctly and I get the resulting scores etc. So I know the binary CAN run correctly with my current setup.
I am finding this error difficult to debug, as it doesn't seem immediately like it's pointing to a bad GL_HOST var, nor is it pointing to any broader process as far as I can tell. I also know that the token is correct as we use it for most of our team's processes. I also would have expected an auth error if it wasn't using a token or if the token wasn't working for some reason.
I am running Python 3.9.
Has this error been seen before? I would love help figuring out next steps.
Expected behavior
I expect to pass a correct value to GL_HOST (if that's the issue) and be able to run scans on internal packages on scorecard version 5.0.0.