
Replacement for git:// URLs does not seem to be working for submodules #8918

Open

Description

@sschuberth

Despite 3d27d61, the provenance resolver that runs as part of the scanner does not seem to be able to clone Git repositories that contain submodules which still refer via `git://` to GitHub repositories (GitHub has deprecated the `git://` protocol):

```
Could not resolve nested provenance for package 'PyPI::scikit-image:0.19.3': IOException: Running 'git submodule update --recursive' in '/tmp/ort-DefaultWorkingTreeCache10066802054424201727' failed with exit code 1:
Cloning into '/tmp/ort-DefaultWorkingTreeCache10066802054424201727/doc/tools/gitwash'...
fatal: unable to connect to github.com:
github.com[0: 140.82.121.3]: errno=Connection timed out

fatal: clone of 'git://github.com/matthew-brett/gitwash.git' into submodule path '/tmp/ort-DefaultWorkingTreeCache10066802054424201727/doc/tools/gitwash' failed
Failed to clone 'doc/tools/gitwash'. Retry scheduled
Cloning into '/tmp/ort-DefaultWorkingTreeCache10066802054424201727/doc/tools/gitwash'...
fatal: unable to connect to github.com:
github.com[0: 140.82.121.4]: errno=Connection timed out

fatal: clone of 'git://github.com/matthew-brett/gitwash.git' into submodule path '/tmp/ort-DefaultWorkingTreeCache10066802054424201727/doc/tools/gitwash' failed
Failed to clone 'doc/tools/gitwash' a second time, aborting
```

YAML entry:

```yaml
  - id: "PyPI::scikit-image:0.19.3"
    package_provenance:
      vcs_info:
        type: "Git"
        url: "https://github.com/scikit-image/scikit-image.git"
        revision: ""
        path: ""
      resolved_revision: "c1af2bf80d2c8845bbbf06222f87e8b58a8e5c1e"
    nested_provenance_resolution_issue:
      timestamp: "2024-07-18T12:44:39.719752127Z"
      source: "scanner"
      message: "Could not resolve nested provenance for package 'PyPI::scikit-image:0.19.3':\
        \ IOException: Running 'git submodule update --recursive' in '/tmp/ort-DefaultWorkingTreeCache9932109886528191008'\
        \ failed with exit code 1:\nCloning into '/tmp/ort-DefaultWorkingTreeCache9932109886528191008/doc/tools/gitwash'...\n\
        fatal: unable to connect to github.com:\ngithub.com[0: 140.82.121.3]: errno=Connection\
        \ timed out\n\nfatal: clone of 'git://github.com/matthew-brett/gitwash.git'\
        \ into submodule path '/tmp/ort-DefaultWorkingTreeCache9932109886528191008/doc/tools/gitwash'\
        \ failed\nFailed to clone 'doc/tools/gitwash'. Retry scheduled\nCloning into\
        \ '/tmp/ort-DefaultWorkingTreeCache9932109886528191008/doc/tools/gitwash'...\n\
        fatal: unable to connect to github.com:\ngithub.com[0: 140.82.121.3]: errno=Connection\
        \ timed out\n\nfatal: clone of 'git://github.com/matthew-brett/gitwash.git'\
        \ into submodule path '/tmp/ort-DefaultWorkingTreeCache9932109886528191008/doc/tools/gitwash'\
        \ failed\nFailed to clone 'doc/tools/gitwash' a second time, aborting\n"
      severity: "ERROR"
```

However, the more severe issue seems to be that as a result of the above, the `PyPI::scikit-image:0.19.3` package is not scanned at all, neither as a repository without submodules nor as the source artifact (which was found). At least there is no corresponding provenance entry in the `scan_results` section.
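As an added example (not ORT's code and not the change in 3d27d61), a small Python check that parses a `.gitmodules` file, lists the submodules still fetched over the deprecated `git://` protocol, and produces an `https://` rewrite of only those `url` lines; it also emits the equivalent `url.<base>.insteadOf` git config that rewrites such URLs at clone time without editing the file. The sample `.gitmodules` content is constructed from the submodule path and URL in the log above plus an invented second entry; it is not the real scikit-image file.

```python
import re

# Constructed sample .gitmodules: first entry uses the path/URL from the failing
# clone above, second entry is an invented submodule that already uses https://.
SAMPLE_GITMODULES = """\
[submodule "doc/tools/gitwash"]
\tpath = doc/tools/gitwash
\turl = git://github.com/matthew-brett/gitwash.git
[submodule "vendor/example"]
\tpath = vendor/example
\turl = https://github.com/example-org/example.git
"""

SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')
OPTION_RE = re.compile(r'^\s*(\w+)\s*=\s*(.*?)\s*$')

def parse_gitmodules(text):
    """Return {submodule name: {option: value}} for a .gitmodules file."""
    modules, current = {}, None
    for line in text.splitlines():
        if (m := SECTION_RE.match(line)):
            current = modules.setdefault(m.group(1), {})
        elif current is not None and (m := OPTION_RE.match(line)):
            current[m.group(1).lower()] = m.group(2)
    return modules

def to_https(url):
    """Map a git:// URL to its https:// equivalent; other schemes are returned unchanged."""
    return re.sub(r"^git://", "https://", url)

def find_git_protocol_submodules(text):
    """Names and URLs of submodules still fetched over the unauthenticated git:// protocol."""
    return [(name, opts["url"]) for name, opts in parse_gitmodules(text).items()
            if opts.get("url", "").startswith("git://")]

def rewrite_gitmodules(text):
    """Rewrite only 'url = git://...' lines; every other line is kept byte-for-byte."""
    out = []
    for line in text.splitlines(keepends=True):
        m = OPTION_RE.match(line)
        if m and m.group(1).lower() == "url" and m.group(2).startswith("git://"):
            line = line.replace(m.group(2), to_https(m.group(2)), 1)
        out.append(line)
    return "".join(out)

def insteadof_command(host="github.com"):
    """git config that makes git rewrite git://host/ to https://host/ on every fetch."""
    return f'git config --global url."https://{host}/".insteadOf "git://{host}/"'
```

The `insteadOf` mapping is the non-invasive option for a scanner: it fixes the clone without modifying the scanned repository's `.gitmodules`, so the resolved revision stays unchanged.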
