Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replacement for git:// URLs does not seem to be working for submodules #8918

Open
sschuberth opened this issue Jul 19, 2024 · 5 comments
Open

Replacement for git:// URLs does not seem to be working for submodules #8918

sschuberth opened this issue Jul 19, 2024 · 5 comments
Labels
scanner About the scanner tool

Comments

@sschuberth
Copy link
Member

sschuberth commented Jul 19, 2024
edited
Loading

Despite 3d27d61, the provenance resolver that runs as part of the scanner does not seem to be able to clone Git repositories that contain submodules which still refer via git://´ to GitHub repositories (GitHub has deprecated the git://` protocol):

Could not resolve nested provenance for package 'PyPI::scikit-image:0.19.3': IOException: Running 'git submodule update --recursive' in '/tmp/ort-DefaultWorkingTreeCache10066802054424201727' failed with exit code 1:
Cloning into '/tmp/ort-DefaultWorkingTreeCache10066802054424201727/doc/tools/gitwash'...
fatal: unable to connect to github.com:
github.com[0: 140.82.121.3]: errno=Connection timed out

fatal: clone of 'git://github.com/matthew-brett/gitwash.git' into submodule path '/tmp/ort-DefaultWorkingTreeCache10066802054424201727/doc/tools/gitwash' failed
Failed to clone 'doc/tools/gitwash'. Retry scheduled
Cloning into '/tmp/ort-DefaultWorkingTreeCache10066802054424201727/doc/tools/gitwash'...
fatal: unable to connect to github.com:
github.com[0: 140.82.121.4]: errno=Connection timed out

fatal: clone of 'git://github.com/matthew-brett/gitwash.git' into submodule path '/tmp/ort-DefaultWorkingTreeCache10066802054424201727/doc/tools/gitwash' failed
Failed to clone 'doc/tools/gitwash' a second time, aborting

YAML entry:

  - id: "PyPI::scikit-image:0.19.3"
    package_provenance:
      vcs_info:
        type: "Git"
        url: "https://github.com/scikit-image/scikit-image.git"
        revision: ""
        path: ""
      resolved_revision: "c1af2bf80d2c8845bbbf06222f87e8b58a8e5c1e"
    nested_provenance_resolution_issue:
      timestamp: "2024-07-18T12:44:39.719752127Z"
      source: "scanner"
      message: "Could not resolve nested provenance for package 'PyPI::scikit-image:0.19.3':\
        \ IOException: Running 'git submodule update --recursive' in '/tmp/ort-DefaultWorkingTreeCache9932109886528191008'\
        \ failed with exit code 1:\nCloning into '/tmp/ort-DefaultWorkingTreeCache9932109886528191008/doc/tools/gitwash'...\n\
        fatal: unable to connect to github.com:\ngithub.aaakk.us.kg[0: 140.82.121.3]: errno=Connection\
        \ timed out\n\nfatal: clone of 'git://github.com/matthew-brett/gitwash.git'\
        \ into submodule path '/tmp/ort-DefaultWorkingTreeCache9932109886528191008/doc/tools/gitwash'\
        \ failed\nFailed to clone 'doc/tools/gitwash'. Retry scheduled\nCloning into\
        \ '/tmp/ort-DefaultWorkingTreeCache9932109886528191008/doc/tools/gitwash'...\n\
        fatal: unable to connect to github.com:\ngithub.aaakk.us.kg[0: 140.82.121.3]: errno=Connection\
        \ timed out\n\nfatal: clone of 'git://github.com/matthew-brett/gitwash.git'\
        \ into submodule path '/tmp/ort-DefaultWorkingTreeCache9932109886528191008/doc/tools/gitwash'\
        \ failed\nFailed to clone 'doc/tools/gitwash' a second time, aborting\n"
      severity: "ERROR"

However, the more severe issue seems to be that as a result of the above, the PyPI::scikit-image:0.19.3 is not scanned at all, neither as a repository without submodules, nor the source artifact (which was found). At least there is no corresponding provenance entry in the scan_results section.
@sschuberth sschuberth added bug scanner About the scanner tool labels Jul 19, 2024
@vw-anton
Copy link
Contributor

vw-anton commented Sep 5, 2024

Wouldn't it suffice if we enforce this on a system level when building the Docker image via
sudo git config --system url."https://".insteadOf git:// ?

@sschuberth
Copy link
Member Author

I guess that should work.

@fviernau
Copy link
Member

fviernau commented Sep 6, 2024
edited
Loading

Wouldn't it suffice if we enforce this on a system level when building the Docker image via
sudo git config --system url."https://".insteadOf git:// ?

I guess that should work.

Would the analyzer result contain git:// URLs then?

@sschuberth
Copy link
Member Author

Would the analyzer result contain git:// URLs then?

I believe so, yes.

@cz-dev-ge
Copy link
Contributor

cz-dev-ge commented Sep 9, 2024
edited
Loading

Here is a .NET minimal example:

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <RootNamespace>antlrl3_test</RootNamespace>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>
  
  <ItemGroup>
    <PackageReference Include="Antlr3.Runtime" Version="3.5.1" />
  </ItemGroup>

</Project>

put it into a antlr3-test.csproj within an empty folder and scan it.

@sschuberth sschuberth removed the bug label Feb 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
scanner About the scanner tool
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@sschuberth @fviernau @cz-dev-ge @vw-anton