🐛 Give inconclusive Vulnerabilities score when osv-scanner panics (#2896)

* Recover from osv-scanner panics. This allows us to give an inconclusive score instead of crashing. Signed-off-by: Spencer Schrock <sschrock@google.com> * Bump osv-scanner to include performance increase. https://github.com/google/osv-scanner/pull/346 Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-09-11 08:55:27 +03:00 · 2023-04-24 10:26:20 -07:00 · 2023-04-24 10:26:20 -07:00 · a4e72a8696
commit a4e72a8696
parent d31e28afae
3 changed files with 11 additions and 4 deletions
--- a/clients/osv.go
+++ b/clients/osv.go
@ -20,6 +20,8 @@ import (
 	"fmt"

 	"github.com/google/osv-scanner/pkg/osvscanner"
+
+	sce "github.com/ossf/scorecard/v4/errors"
 )

 var _ VulnerabilitiesClient = osvClient{}
@ -31,7 +33,12 @@ func (v osvClient) ListUnfixedVulnerabilities(
 	ctx context.Context,
 	commit,
 	localPath string,
-) (VulnerabilitiesResponse, error) {
+) (_ VulnerabilitiesResponse, err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			err = sce.CreateInternal(sce.ErrScorecardInternal, fmt.Sprintf("osv-scanner panic: %v", r))
+		}
+	}()
 	directoryPaths := []string{}
 	if localPath != "" {
 		directoryPaths = append(directoryPaths, localPath)
--- a/go.mod
+++ b/go.mod
@ -47,7 +47,7 @@ require (
 	github.com/Masterminds/semver/v3 v3.2.1
 	github.com/caarlos0/env/v6 v6.10.0
 	github.com/gobwas/glob v0.2.3
-	github.com/google/osv-scanner v1.3.1
+	github.com/google/osv-scanner v1.3.2-0.20230418234519-2c101c1b0e63
 	github.com/mcuadros/go-jsonschema-generator v0.0.0-20200330054847-ba7a369d4303
 	github.com/onsi/ginkgo/v2 v2.9.2
 	github.com/otiai10/copy v1.11.0
--- a/go.sum
+++ b/go.sum
@ -1202,8 +1202,8 @@ github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIG
 github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
 github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw=
 github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
-github.com/google/osv-scanner v1.3.1 h1:wNbKwX/H1SbpecBV1zHbQJ/VreRpOd+w5ATiaQpOjyU=
-github.com/google/osv-scanner v1.3.1/go.mod h1:S073+vv2wokPkcuW47QOR5oHdDfIUYqbw2ZTYyOsMQw=
+github.com/google/osv-scanner v1.3.2-0.20230418234519-2c101c1b0e63 h1:PvWBNgdGvP2rOb2HMK/gexbyeDuDAIr6G/ygvoqD810=
+github.com/google/osv-scanner v1.3.2-0.20230418234519-2c101c1b0e63/go.mod h1:S073+vv2wokPkcuW47QOR5oHdDfIUYqbw2ZTYyOsMQw=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=