
Conversation

@kash2104
Contributor

@kash2104 kash2104 commented Dec 16, 2025

What kind of change does this PR introduce?

This PR introduces improvement to OSV API request by configuring versioned User-Agent for Scorecard.

What is the current behavior?

Currently API requests to osv.dev are made without specifying a unique user-agent.

What is the new behavior (if this is a feature change)?

Now a distinct, versioned user agent is set for the OSV API request:

  • scorecard/{version} for CLI

  • scorecard-cron/{version} for cron workers

  • Uses GetId() and GetAliases() in clients/osv.go as per the latest updates in the osv scanner package.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #4029

Special notes for your reviewer

osv-scanner/1.9.2 has been installed.

Does this PR introduce a user-facing change?

No

For user-facing changes, please add a concise, human-readable release note to the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

@kash2104 kash2104 requested a review from a team as a code owner December 16, 2025 12:49
@kash2104 kash2104 requested review from AdamKorcz and jeffmendoza and removed request for a team December 16, 2025 12:49
@dosubot dosubot bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Dec 16, 2025
@github-actions

This pull request has been marked stale because it has been open for 10 days with no activity

@github-actions github-actions bot added the Stale label Dec 28, 2025
@spencerschrock
Member

You can track the upstream issue here at google/osv-scanner#2420

We'll need to wait for a new osv-scanner release before we can set it.

Signed-off-by: kash2104 <kparikh1104@gmail.com>
@kash2104 kash2104 temporarily deployed to integration-test January 17, 2026 16:16 — with GitHub Actions Inactive
@dosubot dosubot bot added size:M This PR changes 30-99 lines, ignoring generated files. and removed size:S This PR changes 10-29 lines, ignoring generated files. labels Jan 17, 2026
@codecov

codecov bot commented Jan 17, 2026

Codecov Report

❌ Patch coverage is 0% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.70%. Comparing base (353ed60) to head (ee6b8e8).
⚠️ Report is 303 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4883      +/-   ##
==========================================
+ Coverage   66.80%   69.70%   +2.90%     
==========================================
  Files         230      251      +21     
  Lines       16602    15652     -950     
==========================================
- Hits        11091    10911     -180     
+ Misses       4808     3867     -941     
- Partials      703      874     +171     

@another-rex
Contributor

@Ly-Joey Can you take a quick look to confirm this is correct?

@Ly-Joey

Ly-Joey commented Jan 19, 2026

ExperimentalScannerActions.RequestUserAgent is the right variable to set. But it seems actions isn't being passed into osvscanner.DoScan() or anything equivalent.
I'm not very familiar with the project but I think the user agent values would need to be propagated to clients/osv.go (through VulnerabilitiesClient) where the osvscanner package is actually used to do the scanning.

@spencerschrock
Member

spencerschrock commented Jan 20, 2026

I'm not very familiar with the project but I think the user agent values would need to be propagated to clients/osv.go (through VulnerabilitiesClient) where the osvscanner package is actually used to do the scanning.

+1 to this. The current strategy was based on the old package global. We might need a new flag in our osv-client representing the source, that way when we initialize the client we can pass in a string to use for the user agent.

Maybe something like this? And then tweaking DefaultVulnerabilitiesClient to use NewOSVClient for backwards compatibility. (And we can get rid of ExperimentalLocalOSVClient now.)

// OSVConfig carries the per-source settings the client needs at construction time.
type OSVConfig struct {
	ExperimentalLocal bool
	UserAgent         string
}

// NewOSVClient builds a VulnerabilitiesClient from config, falling back to defaults when nil.
func NewOSVClient(config *OSVConfig) VulnerabilitiesClient {
	if config == nil {
		config = &OSVConfig{} // some defaults
	}
	// store as needed
}
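As an added example (not code from this PR or from Scorecard), here is one way the config struct proposed above can carry the versioned user agent from the PR description (scorecard/{version} for the CLI, scorecard-cron/{version} for cron workers) through to every outbound request, using only the standard library. The Source type, uaTransport, OSVClient, Query and EchoUserAgent are assumed names standing in for the project's VulnerabilitiesClient and for osv-scanner; the real integration would instead hand the string to osv-scanner's RequestUserAgent field, which is not exercised here.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Source identifies which Scorecard entry point is calling OSV.
// Hypothetical type; the PR only names the two user-agent prefixes.
type Source string

const (
	SourceCLI  Source = "scorecard"
	SourceCron Source = "scorecard-cron"
)

// UserAgent builds the versioned product token, e.g. "scorecard/v5.2.1".
// A blank version falls back to "unknown" so the header never carries an
// empty product token.
func UserAgent(src Source, version string) string {
	version = strings.TrimSpace(version)
	if version == "" {
		version = "unknown"
	}
	return fmt.Sprintf("%s/%s", src, version)
}

// OSVConfig mirrors the shape proposed in the review thread.
type OSVConfig struct {
	ExperimentalLocal bool
	UserAgent         string
}

// uaTransport sets User-Agent on every outbound request, so no code path
// that builds a request can forget it. Assumed helper, not from the project.
type uaTransport struct {
	base      http.RoundTripper
	userAgent string
}

func (t uaTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	clone := req.Clone(req.Context())
	clone.Header.Set("User-Agent", t.userAgent)
	return t.base.RoundTrip(clone)
}

// OSVClient is a stand-in for the project's VulnerabilitiesClient.
type OSVClient struct {
	cfg  OSVConfig
	http *http.Client
}

// NewOSVClient applies defaults when cfg is nil (the "some defaults" branch
// of the sketch) and wires the user agent into the HTTP transport.
func NewOSVClient(cfg *OSVConfig) *OSVClient {
	if cfg == nil {
		cfg = &OSVConfig{UserAgent: UserAgent(SourceCLI, "")}
	}
	return &OSVClient{
		cfg: *cfg,
		http: &http.Client{Transport: uaTransport{
			base: http.DefaultTransport, userAgent: cfg.UserAgent}},
	}
}

// Query issues a GET to baseURL (standing in for the OSV API) and returns
// the response body, which the echo server below fills with the UA it saw.
func (c *OSVClient) Query(ctx context.Context, baseURL string) (string, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL, nil)
	if err != nil {
		return "", err
	}
	resp, err := c.http.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// EchoUserAgent runs a constructed local server (not osv.dev) that echoes
// the User-Agent header it received, so propagation can be checked offline.
func EchoUserAgent(c *OSVClient) (string, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, r.UserAgent())
	}))
	defer srv.Close()
	return c.Query(context.Background(), srv.URL)
}

func main() {
	c := NewOSVClient(&OSVConfig{UserAgent: UserAgent(SourceCron, "v5.2.1")})
	got, err := EchoUserAgent(c)
	fmt.Println(got, err)
}
```

Putting the header on the transport rather than on each request is the point: once the value lives in the client, any future request-building code (including a library such as osv-scanner, if it accepts a custom http.Client) inherits it without further plumbing, and a nil config still yields a non-empty, identifiable user agent.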

@kash2104
Contributor Author

Will look into it.



Development

Successfully merging this pull request may close these issues.

Specify a user agent for OSV.dev

4 participants