Internal Go error when scanning a package internal to my own gitlab instance #4303
Labels
kind/bug
Something isn't working
Comments
andrew-lovato
changed the title
|
I think the error is specifically in the example: https://pypi.org/pypi/model-signing/json, or in your case If this is an internal package, is it even published to PyPI? As an alternative, have you tried invoking scorecard as follows? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
A clear and concise description of what the bug is.
My company hosts their own gitlab instance. To ping the API we use - https://git.foo.bar.com/api/v4
If I want to navigate to a repo - https://git.foo.bar.com/repo-name
In order to scan an INTERNAL package (to our self hosted GitLab instance) I have upgraded our binary to version 5.0.0 and pass
GL_HOST = "git.foo.bar.com/"I have also triedGL_HOST = "https://git.foo.bar.com/api/v4"and alsoGL_HOST = "git.foo.bar.com". Each time, when I run an internal package I get the following error.Response: CompletedProcess(args=['./bin/scorecard.bin', '--format', 'json', '--pypi', 'my-internal-package'], returncode=2, stdout=b'', stderr=b'panic: assignment to entry in nil map\n\ngoroutine 1 [running]:\ngithub.com/ossf/scorecard/v5/cmd.findGitRepositoryInPYPIResponse({0x7ffe4088a10d, 0x8}, {0x7f3647592080, 0xc00058a180})\n\tgithub.com/ossf/scorecard/v5@v5.0.0/cmd/package_managers.go:156 +0xe5\ngithub.com/ossf/scorecard/v5/cmd.fetchGitRepositoryFromPYPI({0x7ffe4088a10d, 0x8}, {0x19f7d68?, 0x260b560?})\n\tgithub.com/ossf/scorecard/v5@v5.0.0/cmd/package_managers.go:190 +0x17f\ngithub.com/ossf/scorecard/v5/cmd.fetchGitRepositoryFromPackageManagers({0x0?, 0xc000468c80?}, {0x7ffe4088a10d?, 0x74749b?}, {0x0?, 0x752c2c?}, {0x0?, 0x411abb?}, {0x19f7d68, 0x260b560})\n\tgithub.com/ossf/scorecard/v5@v5.0.0/cmd/package_managers.go:85 +0xfc\ngithub.com/ossf/scorecard/v5/cmd.rootCmd(0xc0002697a0)\n\tgithub.com/ossf/scorecard/v5@v5.0.0/cmd/root.go:85 +0x98\ngithub.com/ossf/scorecard/v5/cmd.New.func2(0xc0001c0008?, {0x17c18e8?, 0x4?, 0x17c1870?})\n\tgithub.com/ossf/scorecard/v5@v5.0.0/cmd/root.go:66 +0x17\ngithub.com/spf13/cobra.(*Command).execute(0xc0001c0008, {0xc0000a2060, 0x4, 0x4})\n\tgithub.com/spf13/cobra@v1.8.1/command.go:985 +0xaca\ngithub.com/spf13/cobra.(*Command).ExecuteC(0xc0001c0008)\n\tgithub.com/spf13/cobra@v1.8.1/command.go:1117 +0x3ff\ngithub.com/spf13/cobra.(*Command).Execute(0xc0002697a0?)\n\tgithub.com/spf13/cobra@v1.8.1/command.go:1041 +0x13\nmain.main()\n\tgithub.com/ossf/scorecard/v5@v5.0.0/main.go:27 +0x1d\n')This is the command that is being run
['./bin/scorecard.bin', '--format', 'json', '--pypi', 'my-internal-package']where it is trying to install my package, and then perform the scan from there.I have logged
GL_HOSTwithin my lambda and it is being set the way I have posted above, with the different examples.If I scan an EXTERNAL package, one residing in github, it works correctly and I get the resulting scores etc. So I know the binary CAN run correctly with my current setup.
I am finding this error difficult to debug with as it doesn't seem immediately like it's pointing to a bad GL_HOST var, nor it is it pointing to any broader process as far as I can tell. I also know that the token is correct as we use it for most of our team's processes. I also would have expected an auth error if it wasn't using a token or if the token wasn't working for some reason.
I am running Python 3.9
Has this error been seen before? I would love help figuring out next steps.
Expected behavior
A clear and concise description of what you expected to happen.
I expect to pass a correct value to GL_HOST (if thats the issue) and be able to run scans on internal packages on scorecard version 5.0.0.
Additional context
Add any other context about the problem here.
The text was updated successfully, but these errors were encountered: