stacklok / minder

Software Supply Chain Security Platform
https://minder-docs.stacklok.dev/
Apache License 2.0

When the trusty evaluator can't fetch any scores, it still says that the PR contains no packages with low scores #2128

Open jhrozek opened 6 months ago

jhrozek commented 6 months ago

Describe the issue

We have a branch in the trusty evaluator that checks if we managed to fetch a score for a package at all:

    if resp.Summary.Score == 0 {
        logger.Info().
            Str("dependency", dep.Dep.Name).
            Msgf("the dependency has no score, skipping")
        continue
    }

but if we can't fetch any packages, we just say that no packages with low scores were found. We should at the very least change the summary in case no scores can be fetched, or even provide a separate table with dependencies that couldn't be fetched so that the maintainers can check those themselves.

To Reproduce

Unsure; I managed to hit this in combination with a trusty bug.

What version are you using?

v0.0.24+ref.aa6a2170
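The change the issue asks for, as an added example rather than Minder's own code: the skip branch records unscored dependencies instead of silently continuing, and the summary distinguishes "nothing could be scored" from "no low scores found". The `dependency` and `evaluationSummary` types, the threshold value and the sample inputs are constructed assumptions, not trusty's or Minder's real types.

```go
package main

import "fmt"

// Constructed stand-in for the evaluator's input; not Minder's or trusty's type.
type dependency struct {
	Name  string
	Score float64 // 0 means no score could be fetched
}

// evaluationSummary keeps unscored dependencies separate from scored ones.
type evaluationSummary struct {
	LowScore []string // scored below the threshold
	Unscored []string // skipped because no score was available
	Scored   int      // dependencies that actually had a score
}

// evaluate mirrors the loop quoted in the issue, but records skipped
// dependencies instead of silently continuing past them.
func evaluate(deps []dependency, threshold float64) evaluationSummary {
	var s evaluationSummary
	for _, d := range deps {
		if d.Score == 0 {
			s.Unscored = append(s.Unscored, d.Name)
			continue
		}
		s.Scored++
		if d.Score < threshold {
			s.LowScore = append(s.LowScore, d.Name)
		}
	}
	return s
}

// summaryText renders the PR summary; an all-fetches-failed run is reported
// as such rather than as "no packages with low scores".
func summaryText(s evaluationSummary) string {
	switch {
	case s.Scored == 0 && len(s.Unscored) > 0:
		return fmt.Sprintf("no scores could be fetched for %d dependencies: %v; manual review needed", len(s.Unscored), s.Unscored)
	case len(s.LowScore) > 0:
		return fmt.Sprintf("%d dependencies with low scores: %v (%d unscored)", len(s.LowScore), s.LowScore, len(s.Unscored))
	default:
		return fmt.Sprintf("no packages with low scores among %d scored dependencies (%d unscored)", s.Scored, len(s.Unscored))
	}
}

func main() {
	// Constructed input: every fetch failed, which is the case from the issue.
	fmt.Println(summaryText(evaluate([]dependency{{"left-pad", 0}, {"lodash", 0}}, 5)))
}
```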

evankanderson commented 2 weeks ago

@rdimitrov might have fixed this without noticing that we had an open issue.