
chore: scheduled pip-compile#171

Merged
JAVGan merged 1 commit into
mainfrom
deps/pip-compile
Jun 22, 2026

Conversation


@cd-red-bot cd-red-bot commented Jun 21, 2026

Collaborator

Update dependencies

This is a scheduled update of Python dependencies within this repo managed by pip-compile.
This change will be submitted automatically within a few days if all checks have succeeded.

Summary by Sourcery

Enhancements:

  • Bump certifi dependency version in requirements to the latest scheduled pip-compile output


sourcery-ai Bot commented Jun 21, 2026


Reviewer's Guide

Scheduled dependency refresh via pip-compile updating certifi; no logic or test code changes.

File-Level Changes

Change: Refresh pinned dependency version for certifi using pip-compile output.
Details:
  • Bump certifi from 2026.5.20 to 2026.6.17 in the main requirements lock file.
  • Update associated SHA256 hashes to match the new certifi wheel/source artifacts.
  • Leave other dependencies and test requirements unchanged in this run.
Files: requirements.txt, requirements-test.txt


@sourcery-ai sourcery-ai Bot left a comment


Hey - I've reviewed your changes and they look great!



JAVGan commented Jun 22, 2026

Collaborator

@lslebodn @ashwgit according to Claude:

❯ analyze what's the issue with the OWASP execution during the GitHub actions for starmap-client, mainly for PR https://github.com/release-engineering/starmap-client/pull/171

  Thought for 3s (ctrl+o to expand)

● I'll investigate the PR and its CI failures to understand the OWASP issue.

● Bash(gh pr view 171 --repo release-engineering/starmap-client --json title,body,state,statusCheckRollup,headRefName,mergeStateStatus 2>&1)
  ⎿  {
       "body": "## Update dependencies\nThis is a scheduled update of Python dependencies within this repo managed by pip-compile.\nThis change will be submitted automatically within a few days if all checks have succeeded.\n\n## Summary by Sourcery\n\nEnhancements:\n- Bump certifi dependency version in requirements to the latest scheduled pip-compile output",
     … +226 lines (ctrl+o to expand)

  Listed 1 directory (ctrl+o to expand)

● I can see the "security" check is the one failing. Let me look at the security logs you downloaded and also fetch the failed job details.

  Read 1 file, listed 1 directory (ctrl+o to expand)

● Here's the analysis of the OWASP Dependency-Check failure in PR #171.

  Root Cause: NVD API returning HTTP 503 (Service Unavailable)

  The security job has three stages, and the first two pass fine:

  1. Bandit (static analysis) — passed, no issues found
  2. pip-audit (PyPI + OSV vulnerability sources) — passed, no known vulnerabilities
  3. OWASP Dependency-Check — failed (exit code 13)

  The OWASP Dependency-Check tool fails during its NVD database update phase. The key log lines are:

  - Line 721: NVD API has 342,043 records in this update — it starts downloading vulnerability data
  - Lines 722–737: NVD API request failures are occurring; retrying request for the 15th time through the 31st retry — the NVD API keeps returning errors
  - Line 749: The root cause exception: NvdApiException: NVD Returned Status Code: 503
  - Lines 758–761: Fatal errors cascade:
    - Unable to continue dependency-check analysis
    - Error updating the NVD Data
    - No documents exist

  What this means

  This is not a code or dependency issue with the PR. The NVD (National Vulnerability Database) API run by NIST was returning 503 errors — meaning the service was temporarily unavailable or overloaded. The OWASP Dependency-Check tool retried 31 times and then gave up, causing exit code 13 (fatal update error).

  The NVD API has been known for intermittent reliability issues, especially since NIST overhauled it in 2024. Rate limiting and outages are common.

  What you can do

  1. Re-run the job — this is likely a transient NVD outage, and a retry may succeed.
  2. Add --nvdValidForHours N — tell Dependency-Check to accept cached NVD data up to N hours old, so a download failure doesn't block CI when fresh-enough data already exists in the cache (the cache hit on line 572 shows old data was restored).
  3. Make the OWASP step non-blocking — since pip-audit already covers Python dependencies against both PyPI and OSV, you could make the OWASP step continue-on-error: true in the workflow, or catch its exit code and only fail on real vulnerability findings (not update errors).
  4. Check NVD API key quotas — the workflow uses an nvdApiKey, but if the key is shared or hitting rate limits, you'll see 503s. Verify the key is valid and not rate-limited.

Looks like it's been failing for some time now. Should we discuss switching the OWASP check for something else? Or simply drop it?
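A CI wrapper for option 3 of the analysis above, added here as an example and not code from the PR or the starmap-client project: it treats exit code 13 plus the NVD update error lines quoted above as an infrastructure outage, and everything else non-zero as a real scan failure. The `DC_SOFT_FAIL_ON_NVD` variable and the commented invocation are assumptions for illustration.

```shell
#!/usr/bin/env sh
# Added example (not from the PR or the starmap-client repo): wrap the OWASP
# Dependency-Check step so that an NVD feed outage (exit code 13 together with
# the "Error updating the NVD Data" / NvdApiException log lines seen in the PR)
# is reported as an infrastructure problem instead of a security finding, while
# any other non-zero exit still fails the job.

# classify_dc_result EXIT_CODE LOG_FILE
# Prints one of: pass | nvd-update-error | scan-failure
classify_dc_result() {
    code="$1"
    log="$2"
    if [ "$code" -eq 0 ]; then
        echo pass
        return 0
    fi
    # Exit code 13 is the fatal-update path; confirm it against the log so a
    # different fatal error carrying the same code is not silently waved through.
    if [ "$code" -eq 13 ] && grep -Eq 'NvdApiException|Error updating the NVD Data' "$log"; then
        echo nvd-update-error
        return 0
    fi
    echo scan-failure
}

# job_status_for CLASSIFICATION
# Exit status for the CI step: an NVD outage only passes when the workflow
# explicitly opts in via DC_SOFT_FAIL_ON_NVD=1 (assumed variable name).
job_status_for() {
    case "$1" in
        pass) return 0 ;;
        nvd-update-error) [ "${DC_SOFT_FAIL_ON_NVD:-0}" = "1" ] ;;
        *) return 1 ;;
    esac
}

# Hypothetical invocation (assumed project/scan paths): accept cached NVD data
# up to 24h old so a transient 503 does not block CI when a fresh-enough cache
# was restored, then classify the result instead of trusting the raw exit code.
# dependency-check.sh --project starmap-client --scan . --nvdApiKey "$NVD_API_KEY" \
#     --nvdValidForHours 24 --failOnCVSS 7 > dc.log 2>&1
# result=$(classify_dc_result $? dc.log); echo "dependency-check: $result"
# job_status_for "$result"
```

Run with the failing job's log to check how the wrapper would have classified it before changing the workflow.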

@JAVGan JAVGan merged commit 08c94d7 into main Jun 22, 2026
20 of 22 checks passed
@JAVGan JAVGan deleted the deps/pip-compile branch June 22, 2026 17:24

Labels

None yet

Projects

None yet


3 participants