fix(sc4): surface OSV.dev fallback warnings and add configurable timeout#120
Open
tcconnally wants to merge 1 commit into
Three changes to improve SC4 (Known Vulnerable Dependencies) reliability:

1. Configurable timeout: Read SKILLSPECTOR_OSV_TIMEOUT env var (default 30s, was hardcoded 10s) so users in high-latency environments can increase it.
2. Increased default timeouts: Raised query timeout from 10s to 30s and is_available() check from 5s to 15s to reduce silent fallback rate.
3. Visible fallback warning: When OSV.dev is unreachable and static fallback finds nothing, emit a LOW-severity SC4 finding alerting users that results may be incomplete. Previously the fallback was only visible in --verbose logs.
4. Distinguish clean packages from failed lookups: Added INFO log when OSV.dev returns no vulnerabilities for a package (was silently cached). Added was_osv_reachable() helper so callers can detect API failures vs clean results.

Fixes NVIDIA#102

Signed-off-by: Perseus Computing <51974392+tcconnally@users.noreply.github.com>
Summary
Fixes #102: SC4 (Known Vulnerable Dependencies) silently falls back to a small static list when api.osv.dev is unreachable.
Changes
Testing
All 621 unit tests pass.
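The behaviour this PR describes (env-configurable timeout, a failed lookup kept distinct from a clean result, and a LOW-severity SC4 finding when OSV.dev is down and the static fallback finds nothing), as an added illustration that is not the project's code. The `post` transport, the `OsvClient` class, the `STATIC_FALLBACK` contents and the HIGH severity for confirmed hits are this example's assumptions; `SKILLSPECTOR_OSV_TIMEOUT`, `was_osv_reachable()` and the 30s default come from the PR.

```python
import os
from dataclasses import dataclass, field
DEFAULT_OSV_TIMEOUT = 30.0  # seconds; the PR's new default (the old hardcoded value was 10s)
OSV_QUERY_URL = "https://api.osv.dev/v1/query"

def osv_timeout(env=os.environ):
    """SKILLSPECTOR_OSV_TIMEOUT in seconds; missing, non-numeric or non-positive -> default."""
    raw = env.get("SKILLSPECTOR_OSV_TIMEOUT")
    try:
        value = float(raw) if raw is not None else DEFAULT_OSV_TIMEOUT
    except ValueError:
        return DEFAULT_OSV_TIMEOUT
    return value if value > 0 else DEFAULT_OSV_TIMEOUT

@dataclass
class OsvClient:
    # post(url, body, timeout) is an injected transport (hypothetical seam, so this runs offline);
    # a real one would POST the JSON body to OSV_QUERY_URL and raise OSError on network failure.
    post: callable
    timeout: float = DEFAULT_OSV_TIMEOUT
    reachable: bool = True
    cache: dict = field(default_factory=dict)
    def query(self, dep):
        """dep = (ecosystem, name, version). Returns IDs, [] for clean, None if the lookup failed."""
        if dep in self.cache:
            return self.cache[dep]
        body = {"package": {"ecosystem": dep[0], "name": dep[1]}, "version": dep[2]}
        try:
            resp = self.post(OSV_QUERY_URL, body, self.timeout)
        except OSError:
            self.reachable = False
            return None  # never cached, so a failed lookup cannot masquerade as a clean []
        vulns = [v["id"] for v in resp.get("vulns", [])]
        self.cache[dep] = vulns  # [] is a real "no known vulns" answer and is safe to cache
        return vulns
    def was_osv_reachable(self):
        return self.reachable
STATIC_FALLBACK = {("PyPI", "example-pkg", "0.1.0"): ["EXAMPLE-0001"]}  # constructed stand-in for the static list

def sc4_findings(client, deps):
    findings, fallback_hits = [], 0
    for dep in deps:
        vulns = client.query(dep)
        if vulns is None:  # OSV.dev unreachable: consult the static fallback list instead
            vulns = STATIC_FALLBACK.get(dep, [])
            fallback_hits += len(vulns)
        findings += [{"check": "SC4", "severity": "HIGH", "package": dep[1], "id": v} for v in vulns]
    if not client.was_osv_reachable() and fallback_hits == 0:  # degraded run with nothing to show
        findings.append({"check": "SC4", "severity": "LOW", "package": None, "id": "OSV_UNREACHABLE"})
    return findings
```

Callers can check `was_osv_reachable()` after a scan to tell an empty result set apart from one produced during an outage.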