feat: Use OSV-Scalibr scan function directly #1936
Conversation
|
Annoyingly it seems like osv-scalibr's directory walk is not deterministic on different systems (as it uses the order the filesystem gives when iterating through a directory). I'm not sure how to fix this for our tests, do we just avoid snapshotting any of the walking logs? |
I think those logs are an important part of our snapshots since they're output we definitely want to be showing to the user (compared to some of the other logs we're currently filtering) and they aid in debugging since they tell us clearly what files are being scanned and the number of packages extracted. Is there anyway to make the walking deterministic, even if its controlled via a flag or env variable so that we can opt-in? |
| @@ -15,6 +15,10 @@ type FileOpenedPrinter struct { | |||
| var _ stats.Collector = &FileOpenedPrinter{} | |||
|
|
|||
| func (c FileOpenedPrinter) AfterExtractorRun(_ string, extractorstats *stats.AfterExtractorStats) { | |||
There was a problem hiding this comment.
a possible workaround could be to try buffering the logging, and try to dump it immediately if we error - we could also do the same logging here under a different level like DEBUG so that you could see the actual unbuffered order...
e.g. something like:
// NOT ACTUAL GO CODE
scannedLogs := []string{}
err := scanner.Scan({
StatsAfterExtractorRun(stats) {
slog.Debug(fmt.Sprintf(
"Scanned %s file and found %d %s",
extractorstats.Path,
pkgsFound,
output.Form(pkgsFound, "package", "packages"),
))
scannedLogs = append(scannedLogs, fmt.Sprintf(
"Scanned %s file and found %d %s",
extractorstats.Path,
pkgsFound,
output.Form(pkgsFound, "package", "packages"),
))
}
})
for line := range slices.Sort(scannedLogs) {
slog.Info(line)
}
if err != nil {
slog.Error(err)
}
There was a problem hiding this comment.
I ended up with something similar to the buffering approach, just on the logs instead so we don't have to touch the code functions that much.
| RunningSystem: true, | ||
| } | ||
|
|
||
| if actions.CompareOffline { |
There was a problem hiding this comment.
nit: the else branches here could be the initial values in the struct
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | minor | `v3.28.18` -> `v3.29.0` | --- ### Release Notes <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v3.29.0`](https://redirect.github.com/github/codeql-action/releases/tag/v3.29.0) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.28.19...v3.29.0) ### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. #### 3.29.0 - 11 Jun 2025 - Update default CodeQL bundle version to 2.22.0. [#​2925](https://redirect.github.com/github/codeql-action/pull/2925) - Bump minimum CodeQL bundle version to 2.16.6. [#​2912](https://redirect.github.com/github/codeql-action/pull/2912) See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.29.0/CHANGELOG.md) for more information. ### [`v3.28.19`](https://redirect.github.com/github/codeql-action/releases/tag/v3.28.19) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.28.18...v3.28.19) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. ##### 3.28.19 - 03 Jun 2025 - The CodeQL Action no longer includes its own copy of the extractor for the `actions` language, which is currently in public preview. The `actions` extractor has been included in the CodeQL CLI since v2.20.6. If your workflow has enabled the `actions` language *and* you have pinned your `tools:` property to a specific version of the CodeQL CLI earlier than v2.20.6, you will need to update to at least CodeQL v2.20.6 or disable `actions` analysis. - Update default CodeQL bundle version to 2.21.4. [#​2910](https://redirect.github.com/github/codeql-action/pull/2910) See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.28.19/CHANGELOG.md) for more information. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/google/osv-scanner). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC40MC4zIiwidXBkYXRlZEluVmVyIjoiNDAuNDguNSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | golang | final | patch | `1.24.3-alpine3.21` -> `1.24.4-alpine3.21` | | golang | stage | patch | `1.24.3-alpine3.21` -> `1.24.4-alpine3.21` | --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/google/osv-scanner). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC40MC4zIiwidXBkYXRlZEluVmVyIjoiNDAuNDAuMyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Co-authored-by: Rex P <[email protected]>
Yeah I agree.
I am very hesitant to change the actual code logic for tests, because then we are not really testing for the actual code paths someone running osv-scanner will run into. I ended up with printing a few markers at the start and end of the directory walk (When testing is true), then sorting the lines in-between the markers to check for presence, but not the specific order. PTAL |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1936 +/- ##
==========================================
+ Coverage 65.60% 65.66% +0.06%
==========================================
Files 167 168 +1
Lines 16060 16117 +57
==========================================
+ Hits 10536 10584 +48
- Misses 4859 4866 +7
- Partials 665 667 +2 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
fwiw I agree - I was meaning we do that for the actual scanner logic not just for tests |
Closes #1769
Behaviour changes / notes: