BUG: Scorecard's npm search doesn't match exact #2441
Labels: kind/bug (Something isn't working)
aklevans added a commit to aklevans/scorecard that referenced this issue on May 21, 2024 (Signed-off-by: aklevans <[email protected]>).
spencerschrock pushed a commit that referenced this issue on Jun 5, 2024:

…pm database (#4118)

* Update endpoint used when getting repo from npm to solve #3166
  Signed-off-by: aklevans <[email protected]>
* Update test files to account for endpoint change when getting repo from npm
  Signed-off-by: aklevans <[email protected]>
* Fix linter issues
  Signed-off-by: aklevans <[email protected]>
* Added unit tests for #3166 and #2441
  Signed-off-by: aklevans <[email protected]>
* fix linter issues and reduce mock json output in package_manager_test to only include necessary data
  Signed-off-by: aklevans <[email protected]>
* fix linter issues in package_managers.go
  Signed-off-by: aklevans <[email protected]>
* convert windows line breaks to linux
  Signed-off-by: aklevans <[email protected]>
* reduce test case size, still has windows line breaks
  Signed-off-by: aklevans <[email protected]>
* Fix unit tests
  Signed-off-by: aklevans <[email protected]>
* attempt linter fix
  Signed-off-by: aklevans <[email protected]>
* Fix linter issues stemming from windows line breaks
  Signed-off-by: aklevans <[email protected]>
* Remove magic number and rename variable to be more accurate
  Signed-off-by: aklevans <[email protected]>

---------

Signed-off-by: aklevans <[email protected]>
Signed-off-by: aklevans <[email protected]>

Fixed by #4118
balteravishay pushed a commit to balteravishay/scorecard that referenced this issue on Jun 12, 2024:

…pm database (ossf#4118)

* Update endpoint used when getting repo from npm to solve ossf#3166
  Signed-off-by: aklevans <[email protected]>
* Update test files to account for endpoint change when getting repo from npm
  Signed-off-by: aklevans <[email protected]>
* Fix linter issues
  Signed-off-by: aklevans <[email protected]>
* Added unit tests for ossf#3166 and ossf#2441
  Signed-off-by: aklevans <[email protected]>
* fix linter issues and reduce mock json output in package_manager_test to only include necessary data
  Signed-off-by: aklevans <[email protected]>
* fix linter issues in package_managers.go
  Signed-off-by: aklevans <[email protected]>
* convert windows line breaks to linux
  Signed-off-by: aklevans <[email protected]>
* reduce test case size, still has windows line breaks
  Signed-off-by: aklevans <[email protected]>
* Fix unit tests
  Signed-off-by: aklevans <[email protected]>
* attempt linter fix
  Signed-off-by: aklevans <[email protected]>
* Fix linter issues stemming from windows line breaks
  Signed-off-by: aklevans <[email protected]>
* Remove magic number and rename variable to be more accurate
  Signed-off-by: aklevans <[email protected]>

---------

Signed-off-by: aklevans <[email protected]>
Signed-off-by: aklevans <[email protected]>
Signed-off-by: balteraivshay <[email protected]>
Describe the bug

The Scorecard npm package integration uses the npm registry full-text search function, which seems to omit deprecated packages. This means when searching for `left-pad`, you get the package `repeat-string`, which causes a later failure: https://registry.npmjs.org/-/v1/search?text=left-pad&size=1

I think the call could be changed to just `registry.npmjs.org/<package name>`, but you'd have to find the best repository URL (probably in `versions[dist-tags.latest].repository.url`). Or, if there's an advantage to doing it the current way, then try that first and then fall back to the direct URL.

Reproduction steps

Steps to reproduce the behavior:

Expected behavior

For left-pad, it should attempt to load the GitHub repository URL.

Additional context

N/A
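One way to implement the "search first, then fall back to the direct package document" flow the report proposes, as an added example in Go (Scorecard's language) that is not Scorecard's own code and not the fix merged in #4118. It assumes the field names of the two registry responses (`objects[].package.name` and `objects[].package.links.repository` for the search endpoint; `name`, `dist-tags` and `versions[].repository` for the package document); the two JSON documents embedded below are constructed and abridged, not captured from the registry. The exact-name check in `repoFromSearch` is the guard this issue is about: a full-text hit whose name differs from the requested package is rejected instead of being passed on as the repository to scan.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Fields used from GET https://registry.npmjs.org/-/v1/search?text=<name>&size=1
// and from GET https://registry.npmjs.org/<name> (field names assumed from the public API).
type searchResponse struct {
	Objects []struct {
		Package struct {
			Name  string            `json:"name"`
			Links map[string]string `json:"links"`
		} `json:"package"`
	} `json:"objects"`
}

type packageDocument struct {
	Name     string            `json:"name"`
	DistTags map[string]string `json:"dist-tags"`
	Versions map[string]struct {
		Repository json.RawMessage `json:"repository"` // {"type","url"} object or bare string
	} `json:"versions"`
}

// repoFromSearch accepts the top search hit only when its name is exactly the
// package asked for: full-text search can rank a different, similarly named
// package first (repeat-string for left-pad), which is the mismatch in this issue.
func repoFromSearch(raw []byte, want string) (string, error) {
	var resp searchResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return "", err
	}
	if len(resp.Objects) == 0 {
		return "", fmt.Errorf("npm search: no results for %q", want)
	}
	if got := resp.Objects[0].Package.Name; got != want {
		return "", fmt.Errorf("npm search: asked for %q, top hit is %q", want, got)
	}
	return resp.Objects[0].Package.Links["repository"], nil
}

// repoFromPackageDocument reads versions[dist-tags.latest].repository.url,
// checking that the document really describes the package asked for.
func repoFromPackageDocument(raw []byte, want string) (string, error) {
	var doc packageDocument
	if err := json.Unmarshal(raw, &doc); err != nil {
		return "", err
	}
	if doc.Name != want {
		return "", fmt.Errorf("npm package document: got %q, want %q", doc.Name, want)
	}
	v, ok := doc.Versions[doc.DistTags["latest"]]
	if !ok || len(v.Repository) == 0 {
		return "", fmt.Errorf("npm package document: no repository for latest version of %q", want)
	}
	var obj struct{ URL string `json:"url"` }
	if err := json.Unmarshal(v.Repository, &obj); err == nil && obj.URL != "" {
		return obj.URL, nil
	}
	var s string // package.json also allows "repository": "<url>"
	if err := json.Unmarshal(v.Repository, &s); err == nil && s != "" {
		return s, nil
	}
	return "", fmt.Errorf("npm package document: unrecognised repository field for %q", want)
}

// normalizeRepoURL reduces the forms seen in package.json (git+https://github.com/o/r.git,
// git://github.com/o/r, git@github.com:o/r.git, github:o/r) to host/owner/repo.
func normalizeRepoURL(u string) string {
	u = strings.TrimPrefix(strings.TrimSpace(u), "git+")
	if short := strings.TrimPrefix(u, "github:"); short != u {
		u = "github.com/" + short
	}
	for _, p := range []string{"https://", "http://", "git://", "ssh://git@", "git@"} {
		if strings.HasPrefix(u, p) {
			u = strings.TrimPrefix(u, p)
			break
		}
	}
	u = strings.Replace(u, "github.com:", "github.com/", 1) // scp-style remote
	return strings.TrimSuffix(strings.TrimSuffix(u, ".git"), "/")
}

// resolveRepo keeps the search call first, as the report suggests, and falls
// back to the package document when the hit is not an exact match.
func resolveRepo(name string, searchJSON, packageJSON []byte) (string, error) {
	if u, err := repoFromSearch(searchJSON, name); err == nil {
		return normalizeRepoURL(u), nil
	}
	u, err := repoFromPackageDocument(packageJSON, name)
	if err != nil {
		return "", err
	}
	return normalizeRepoURL(u), nil
}

// Constructed, abridged sample responses (not captured from the registry).
var sampleSearch = []byte(`{"objects":[{"package":{"name":"repeat-string",
 "links":{"repository":"https://github.com/jonschlinkert/repeat-string"}}}]}`)
var samplePackage = []byte(`{"name":"left-pad","dist-tags":{"latest":"1.3.0"},"versions":{"1.3.0":
 {"repository":{"type":"git","url":"git+https://github.com/stevemao/left-pad.git"}}}}`)

func main() {
	repo, err := resolveRepo("left-pad", sampleSearch, samplePackage)
	fmt.Println(repo, err) // github.com/stevemao/left-pad <nil>
}
```

Checking `doc.Name` against the requested name in the fallback matters for the same reason as the search check: whatever the registry returns is used to pick a repository that Scorecard will then clone and score, so a mismatched name should stop the run rather than silently redirect it to another project's repository.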