Skip to content

feat: Add opam source (https://github.com/ocaml/security-advisories) to testing #4632

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
another-rex merged 1 commit into from
Jan 23, 2026
Merged

feat: Add opam source (https://github.com/ocaml/security-advisories) to testing #4632

another-rex merged 1 commit into from
Jan 23, 2026
+15 −0

Conversation

@hannesm
Copy link
Contributor

@hannesm hannesm commented Jan 20, 2026

ref #4581

Now that #4582 has been merged...

@hannesm hannesm mentioned this pull request Jan 20, 2026
Open
6 tasks
@hannesm hannesm changed the title Add opam source (https://github.com/ocaml/security-advisories) as source to testing (feat, source-test) Add opam source (https://github.com/ocaml/security-advisories) to testing Jan 20, 2026
@hannesm hannesm mentioned this pull request Jan 20, 2026
Open
2 tasks
@another-rex
Copy link
Contributor

another-rex commented Jan 21, 2026

/gcbrun

@another-rex another-rex changed the title (feat, source-test) Add opam source (https://github.com/ocaml/security-advisories) to testing feat: Add opam source (https://github.com/ocaml/security-advisories) to testing Jan 21, 2026
@another-rex
Copy link
Contributor

another-rex commented Jan 21, 2026

LGTM! Just a note on the OPAM database entries, it would be better to generate them with indentation rather than all on one line, as it makes it easy for consumers to see the changes to a record in the git history.

@hannesm hannesm mentioned this pull request Jan 22, 2026
Merged
@another-rex another-rex merged commit 9397c84 into google:master Jan 23, 2026
20 of 22 checks passed
@another-rex
Copy link
Contributor

another-rex commented Jan 23, 2026

@hannesm Seems like we are getting rate limited when enumerating versions.

A couple of options here:

  1. It seems like the records we are getting are pre-enumerated already anyway, so the easiest way is to just skip enumeration for ocaml records and rely on the record itself being correctly enumerated.
  2. Apparently we get higher rate limits if we have an API token, though it does mean a bit more complexity on our part.

Let me know if you're happy with option 1., otherwise we can look into option 2.

@michaelkedar fyi

@hannesm
Copy link
Contributor Author

hannesm commented Jan 24, 2026

Thanks @another-rex.

@hannesm Seems like we are getting rate limited when enumerating versions.

I'm sorry to hear.

A couple of options here:

1. It seems like the records we are getting are pre-enumerated already anyway, so the easiest way is to just skip enumeration for ocaml records and rely on the record itself being correctly enumerated.

I'm not sure I fully understand what you mean, but indeed the osv data we generate carries an array of versions that are affected. And this is filled by the tooling that generates the json. So you can rely on that data.

2. Apparently we get higher rate limits if we have an API token, though it does mean a bit more complexity on our part.

Let me know if you're happy with option 1., otherwise we can look into option 2.

As mentioned, if I understand that correctly, I'm fine with 1. I don't know what needs to be done in the osv code to accommodate this option.

@hannesm
Copy link
Contributor Author

hannesm commented Jan 24, 2026

I tried to find the test instance database where I'd be able to see the imported json data etc. -- any chance you can provide me with a way how to browse that data? At https://test.osv.dev I don't see any imported opam advisories.

Thanks.

@hannesm
Copy link
Contributor Author

hannesm commented Feb 3, 2026

Hi, is there anything I can do in respect to:

@another-rex #4632 (comment)

skip enumeration for ocaml records and rely on the record itself being correctly enumerated

Esp. is there an example data source that skips enumeration?

@hannesm asking #4632 (comment)

is there a URL to the testing web UI?

@another-rex
Copy link
Contributor

another-rex commented Feb 5, 2026

Sorry for the delay! Yes test.osv.dev should be where it will show up, looking into why this is not happening now.

@another-rex another-rex mentioned this pull request Feb 5, 2026
Merged
another-rex added a commit that referenced this pull request Feb 5, 2026
@another-rex
fix: Remove enumeration for OPAM as we are rate limited (#4756)
ef91109 
Related #4632 

We are currently being rate limited by OPAM package manager when
enumerating. The enumeration is also unnecessary since the records
already come with a list of enumerated affected versions.
@another-rex
Copy link
Contributor

another-rex commented Feb 6, 2026

Found the issue, the affected_range.repo field is

git+https://github.com/ocaml/opam

which is not valid according to the schema, which has to be something that can be used with git clone. This is causing us to fail to clone the repository, so it's not being processed and published.

Changing it to https://github.com/ocaml/opam should fix this!

@hannesm hannesm mentioned this pull request Feb 6, 2026
Merged
@hannesm
Copy link
Contributor Author

hannesm commented Feb 6, 2026

Dear @another-rex, thanks for looking into this. I fixed this with ocaml/security-advisories#14.

not valid according to the schema

Maybe a good idea to explicitly check this in the schema (I've no idea how, since I've never worked on json schema). We validate all generated osv json with the schema before we publish that.

@another-rex
Copy link
Contributor

another-rex commented Feb 8, 2026

Thanks!
Looks like everything's showing up now: https://test.osv.dev/list?q=&ecosystem=opam

Let me know if everything looks good to you and I'll merge the prod version.

Maybe a good idea to explicitly check this in the schema (I've no idea how, since I've never worked on json schema). We validate all generated osv json with the schema before we publish that.

I'll look into whether it's something we can add to the jsonschema, though I think that might be difficult to represent there. Either way we should add this to the osv-linter, which has a lot more checks that can't be encoded in the schema.

If you want you can replace the jsonschema check with the linter here: https://github.com/ossf/osv-schema/tree/main/tools/osv-linter for a more comprehensive check.

We also run the linter twice a day with the results being published here, sorted by source: https://test.osv.dev/linter

@hannesm
Copy link
Contributor Author

hannesm commented Feb 9, 2026

Let me know if everything looks good to you and I'll merge the prod version.

This looks good to me, thanks a lot. Please merge the prod version.

@hannesm hannesm mentioned this pull request Feb 9, 2026
Open
another-rex added a commit that referenced this pull request Feb 10, 2026
@hannesm @another-rex
feat: Add opam source (https://github.com/ocaml/security-advisories) …
fbfc5ad 
…to prod (#4651)

similar to #4632, but this time to production instead of testing. ref
#4581

Co-authored-by: Mehnert <ipad@mehnert.org>
Co-authored-by: Rex P <106129829+another-rex@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@another-rex another-rex another-rex approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hannesm @another-rex