Closed ndonewar closed 3 years ago
Thanks for the report. It's an easy fix, but it would be nice to give feedback to the user. So a few questions:
The following is a bit oversimplified, but hopefully addresses your questions: OSS Index uses two separate sources of information for vulnerability data and package descriptions. The internal sources that provide vulnerability data are constantly updated. The separate source of descriptions (which is only used by OSS Index) is out of date with regard to CRAN packages. Rest assured though, even packages without descriptions are checked for vulnerabilities.
Can you provide a little more clarification?
Rest assured though, even packages without descriptions are checked for vulnerabilities.
Some packages are not (and never will be) on the OSS Index. For example, my-very-secret-internal-pkg. These packages are returned in the same way all other packages are:
oysteR::audit("my-very-secret-internal-pkg", version = "2", type = "CRAN")
So indicating that this package has been checked is somewhat misleading
Sure! OSS Index checks all package names submitted via the API for any known vulnerabilities. As expected, package names that aren't public would return no vulnerabilities. A user could submit a made-up package name, and OSS Index will still make sure there are no known vulnerabilities for that package name.
For example, clicking this link will verify that this package does not have any known vulnerabilities: https://ossindex.sonatype.org/component/pkg:cran/my-very-secret-internal-pkg
So overall, it's correct for oysteR to say "n packages were scanned", since all packages submitted were actually scanned. For oysteR to say "n packages were found in the Sonatype database", though, is confusing to users. (I created this bug report specifically because of user feedback to OSS Index.)
To be clear, there is no connection or correlation between the Sonatype vulnerability data and the (very specific to OSS Index) database of package descriptions.
From a technical standpoint, the OSS Index API doesn't determine the existence of packages (it doesn't have to!). It simply takes a list of package names and verifies they don't have any known vulnerabilities.
I hope that helps clear up the confusion!
Very helpful - I'll submit a fix ASAP.
Thanks
I'll try and make another change or two before updating CRAN - they get a bit annoyed at lots of small tiny changes
Is this issue resolved? I don't see a change in the output message "n packages were scanned & m packages were found in the Sonatype database".
Change was made - but never submitted to CRAN :(
Doing a spring clean. Hopefully submit soon
Describe the bug: The output of oysteR includes the following line: "n packages were found in the Sonatype database", where n is some number. The issue is that the OSS Index API does not give information about whether a package is known or not, so this line is misleading.
To Reproduce: Steps to reproduce the behavior:
Expected behavior: I would expect that the line does not show, because it's not possible to get the number of known packages.
Additional context: I'm not an R developer, but looking through the source, I believe the issue is with these lines in print.R:
oysteR appears to be looking at the descriptions of the packages, but a missing description is not an indication that a package isn't known.
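To make the point of both the API explanation earlier in the thread and this bug description concrete, here is an added Python example (it is not oysteR's code and not an OSS Index client library): it builds the component-report request the API actually accepts and derives a summary from a constructed response. Only the endpoint path and the response field names come from the public API; the package names, the vulnerability entry and its id are invented placeholders.

```python
import json

# Constructed sample of an OSS Index v3 component-report response (not a
# live capture). Field names follow the public API; the packages, the
# vulnerability and its id are placeholders invented for this example.
SAMPLE_RESPONSE = json.dumps([
    {"coordinates": "pkg:cran/example-public-pkg@1.0",
     "description": "Example package with a description on file",
     "reference": "https://ossindex.sonatype.org/component/pkg:cran/example-public-pkg@1.0",
     "vulnerabilities": [{"id": "CONSTRUCTED-0001",
                          "title": "placeholder finding",
                          "cvssScore": 7.5}]},
    {"coordinates": "pkg:cran/my-very-secret-internal-pkg@2",
     "description": None,  # no description on file: says nothing about existence
     "reference": "https://ossindex.sonatype.org/component/pkg:cran/my-very-secret-internal-pkg@2",
     "vulnerabilities": []},
])


def build_request(packages):
    """Request body for POST /api/v3/component-report: one purl per package.
    The API checks every coordinate for known vulnerabilities; it never
    reports whether the package itself exists."""
    return {"coordinates": [f"pkg:cran/{name}@{version}" for name, version in packages]}


def summarise(response_text):
    """Counts that can be derived from the response. 'scanned' and
    'vulnerabilities' are what the API actually states; 'with_description'
    is included only to show it is a property of OSS Index's separate
    description catalogue, not a 'found in the Sonatype database' count."""
    report = json.loads(response_text)
    return {
        "scanned": len(report),
        "vulnerabilities": sum(len(c.get("vulnerabilities") or []) for c in report),
        "with_description": sum(1 for c in report if c.get("description")),
    }


def summary_lines(response_text):
    """The two lines a report can honestly print for this response."""
    s = summarise(response_text)
    return [f"{s['scanned']} packages were scanned",
            f"{s['vulnerabilities']} vulnerabilities were found"]
```

Note that the internal package comes back with an empty vulnerability list, exactly like a public one, so counting entries with a description would under-report what was actually checked.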