Skip to content

🌱 Set OSV User-Agent for scorecard cli and cron workers. #4883

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
kash2104 wants to merge 2 commits into
base: main
Choose a base branch
from
Open

🌱 Set OSV User-Agent for scorecard cli and cron workers. #4883

kash2104 wants to merge 2 commits into from
+133 −104

Conversation

@kash2104
Copy link
Contributor

@kash2104 kash2104 commented Dec 16, 2025
edited
Loading

What kind of change does this PR introduce?

This PR introduces improvement to OSV API request by configuring versioned User-Agent for Scorecard.

What is the current behavior?

Currently API requests to osv.dev are made without specifying a unique user-agent.

What is the new behavior (if this is a feature change)?**

Now a distinct, versioned user agent is set for the OSV API request:

  • scorecard/{version} for CLI

  • scorecard-cron/{version} for cron workers

  • Uses GetId() and GetAliases() in clients/osv.go as per the latest updates in the osv scanner package.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #4029

Special notes for your reviewer

osv-scanner/1.9.2 has been installed.

Does this PR introduce a user-facing change?

No

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

@kash2104 kash2104 requested a review from a team as a code owner December 16, 2025 12:49
@kash2104 kash2104 requested review from AdamKorcz and jeffmendoza and removed request for a team December 16, 2025 12:49
@dosubot dosubot bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Dec 16, 2025
@kash2104 kash2104 mentioned this pull request Dec 16, 2025
Open
spencerschrock
spencerschrock reviewed Dec 16, 2025
View reviewed changes
@github-actions
Copy link

github-actions bot commented Dec 28, 2025

This pull request has been marked stale because it has been open for 10 days with no activity

@github-actions github-actions bot added the Stale label Dec 28, 2025
@spencerschrock
Copy link
Member

spencerschrock commented Jan 8, 2026

You can track the upstream issue here at google/osv-scanner#2420

We'll need to wait for a new osv-scanner release before we can set it.

@kash2104 kash2104 temporarily deployed to integration-test January 17, 2026 16:16 — with GitHub Actions Inactive
@dosubot dosubot bot added size:M This PR changes 30-99 lines, ignoring generated files. and removed size:S This PR changes 10-29 lines, ignoring generated files. labels Jan 17, 2026
@codecov
Copy link

codecov bot commented Jan 17, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 45.00000% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.68%. Comparing base (353ed60) to head (c224a50).
⚠️ Report is 316 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4883      +/-   ##
==========================================
+ Coverage   66.80%   69.68%   +2.88%     
==========================================
  Files         230      251      +21     
  Lines       16602    15660     -942     
==========================================
- Hits        11091    10913     -178     
+ Misses       4808     3873     -935     
- Partials      703      874     +171
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@another-rex
Copy link
Contributor

another-rex commented Jan 19, 2026

@Ly-Joey Can you take a quick look to confirm this is correct?

@Ly-Joey
Copy link

Ly-Joey commented Jan 19, 2026

ExperimentalScannerActions.RequestUserAgent is the right variable to set. But it seems actions isn't being passed into osvscanner.DoScan() or anything equivalent.
I'm not very familiar with the project but I think the user agent values would need to be propagated to clients/osv.go (through VulnerabilitiesClient) where the osvscanner package is actually used to do the scanning.

@spencerschrock
Copy link
Member

spencerschrock commented Jan 20, 2026
edited
Loading

I'm not very familiar with the project but I think the user agent values would need to be propagated to clients/osv.go (through VulnerabilitiesClient) where the osvscanner package is actually used to do the scanning.

+1 to this. The current strategy was based on the old package global. We might need a new flag in our osv-client representing the source, that way when we initialize the client we can pass in a string to use for the user agent.

maybe something like this? And then tweaking DefaultVulnerabilitiesClient to use NewOSVClient for backwards compatibility. (and we can get rid of ExperimentalLocalOSVClient now)

type OSVConfig struct {
	ExperimentalLocal bool
	UserAgent string
}

func NewOSVClient(config *OSVConfig) VulnerabilitiesClient {
	if config == nil { // some defaults }
	// store as needed
}

@kash2104
Copy link
Contributor Author

kash2104 commented Jan 20, 2026

Will look into it.

@dosubot dosubot bot removed the size:M This PR changes 30-99 lines, ignoring generated files. label Feb 1, 2026
@kash2104 kash2104 temporarily deployed to integration-test February 1, 2026 13:10 — with GitHub Actions Inactive
@dosubot dosubot bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Feb 1, 2026
@kash2104 kash2104 temporarily deployed to integration-test February 1, 2026 14:44 — with GitHub Actions Inactive
@kash2104
Copy link
Contributor Author

kash2104 commented Feb 1, 2026

@spencerschrock Have made the appropriate changes as per the reviews.

@kash2104 kash2104 temporarily deployed to integration-test February 3, 2026 15:34 — with GitHub Actions Inactive
spencerschrock
spencerschrock approved these changes Feb 3, 2026
View reviewed changes
Copy link
Member

@spencerschrock spencerschrock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, just two small things!

cron/internal/worker/main.go Outdated
Comment on lines 335 to 336
clients.NewOSVClient(&osvConfig)
flag.Parse()
Copy link
Member

@spencerschrock spencerschrock Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this client made with the config needs to be used by the code, I think you'll want to store it here:

scorecard/cron/internal/worker/main.go

Line 132 in ade5c77

sw.vulnsClient = clients.DefaultVulnerabilitiesClient()

main.go Outdated
Comment on lines 31 to 37
info := version.GetVersionInfo()
actions := osvscanner.ExperimentalScannerActions{}
config := clients.OSVConfig{}
actions.RequestUserAgent = fmt.Sprintf("scorecard-cli/%s", info.GitVersion)
config.UserAgent = actions.RequestUserAgent
clients.NewOSVClient(&config)
opts := options.New()
Copy link
Member

@spencerschrock spencerschrock Feb 3, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lets move this all to cmd/root.go, a little above this block:

scorecard/cmd/root.go

Lines 173 to 179 in ade5c77

opts := []scorecard.Option{
scorecard.WithLogLevel(sclog.ParseLevel(o.LogLevel)),
scorecard.WithCommitSHA(o.Commit),
scorecard.WithCommitDepth(o.CommitDepth),
scorecard.WithProbes(enabledProbes),
scorecard.WithChecks(checks),
}

And then you'll need to use the client you created with NewOSVClient by creating a new opt:

scorecard.WithVulnerabilitiesClient(clients.NewOSVClient(&config)),

@kash2104 kash2104 temporarily deployed to integration-test February 6, 2026 16:47 — with GitHub Actions Inactive
@kash2104
Set OSV User-Agent for scorecard cli and cron workers.
8306702 
Signed-off-by: kash2104 <kparikh1104@gmail.com>
@kash2104
Initialise client with OSV UserAgent.
c224a50 
Signed-off-by: kash2104 <kparikh1104@gmail.com>
@kash2104 kash2104 temporarily deployed to integration-test February 7, 2026 03:32 — with GitHub Actions Inactive
@kash2104
Copy link
Contributor Author

kash2104 commented Feb 11, 2026

@spencerschrock Have done the appropriate changes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jeffmendoza jeffmendoza Awaiting requested review from jeffmendoza jeffmendoza is a code owner automatically assigned from ossf/scorecard-maintainers

@AdamKorcz AdamKorcz Awaiting requested review from AdamKorcz AdamKorcz is a code owner automatically assigned from ossf/scorecard-maintainers

@spencerschrock spencerschrock Awaiting requested review from spencerschrock

Assignees

No one assigned

Labels

size:L This PR changes 100-499 lines, ignoring generated files.

Projects

OpenSSF Scorecard
Status: No status

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Specify a user agent for OSV.dev

4 participants

@kash2104 @spencerschrock @another-rex @Ly-Joey