Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BUG Signed-Releases: internal error: too many releases, please report this #4059

Closed
cpswan opened this issue Apr 29, 2024 · 1 comment · Fixed by #4060
Closed

BUG Signed-Releases: internal error: too many releases, please report this #4059

cpswan opened this issue Apr 29, 2024 · 1 comment · Fixed by #4060
Labels
check/Signed-Releases kind/bug Something isn't working

Comments

@cpswan
Copy link
Contributor

cpswan commented Apr 29, 2024

Describe the bug

Running v5.0.0-rc1

Signed-Releases check reports internal error: too many releases, please report this

Reproduction steps
Steps to reproduce the behavior:

  1. Downloaded scorecard_5.0.0-rc1_linux_amd64.tar.gz
  2. Untarred the binary and copied it to ~/.local/bin/scorecard so it's on my path
  3. Ran scorecard --repo github.com/cpswan/release_automation

Expected behavior

I get a score for my signed releases.

Additional context

The repo I was testing against presently has 31 releases. I was previously signing with sigstore, but I just added a workflow to add SLSA provenance instead, so the releases now have a mixture of .sigstore and multiple.intoto.jsonl. My first guess is that this might cause the problem.

Testing against a repo that only has (some) .sigstore releases seems to work fine (e.g. scorecard --repo github.com/atsign-foundation/noports) NB that repo has more releases than the one that's failing, so it's not simply that 31 is too many.

Testing against this repo, which has just multiple.intoto.jsonl is also fine
@cpswan cpswan added the kind/bug Something isn't working label Apr 29, 2024
spencerschrock added a commit to spencerschrock/scorecard that referenced this issue Apr 29, 2024
@spencerschrock
switch signed-releases lookback limit precedence
9c722e1 
if the 6th release had no assets, the lookback limit exit condition was
being skipped. This led to scenarios where too many releases were being
considered by the Signed-Releases check.

ossf#4059

Signed-off-by: Spencer Schrock <[email protected]>
@spencerschrock spencerschrock mentioned this issue Apr 29, 2024
Merged
2 tasks
@spencerschrock
Copy link
Member

Thanks for trying out v5.0.0-rc1 and reporting this issue!

It didn't have to do with the specific artifacts, but rather which release had artifacts and which didn't. We limit our analysis to the last 5 releases, but there was an order of operation bug which was skipping this, and your test repo met the bug criteria.

The 6th most recent release had no release artifacts, so we went on to the 7th (and beyond)

@spencerschrock spencerschrock mentioned this issue Apr 29, 2024
Merged
spencerschrock added a commit that referenced this issue May 2, 2024
@spencerschrock
🐛 fix signed-releases lookback limit precedence (#4060)
b9c1f3f 
* switch signed-releases lookback limit precedence

if the 6th release had no assets, the lookback limit exit condition was
being skipped. This led to scenarios where too many releases were being
considered by the Signed-Releases check.

#4059

Signed-off-by: Spencer Schrock <[email protected]>

* make exit condition stronger

any release after the lookback should be skipped

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
@spencerschrock spencerschrock mentioned this issue May 2, 2024
Closed
seelder pushed a commit to seelder/scorecard that referenced this issue May 3, 2024
@spencerschrock @seelder
🐛 fix signed-releases lookback limit precedence (ossf#4060)
5007169 
* switch signed-releases lookback limit precedence

if the 6th release had no assets, the lookback limit exit condition was
being skipped. This led to scenarios where too many releases were being
considered by the Signed-Releases check.

ossf#4059

Signed-off-by: Spencer Schrock <[email protected]>

* make exit condition stronger

any release after the lookback should be skipped

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: seelder <[email protected]>
seelder pushed a commit to seelder/scorecard that referenced this issue May 3, 2024
@spencerschrock @seelder
🐛 fix signed-releases lookback limit precedence (ossf#4060)
8c199bb 
* switch signed-releases lookback limit precedence

if the 6th release had no assets, the lookback limit exit condition was
being skipped. This led to scenarios where too many releases were being
considered by the Signed-Releases check.

ossf#4059

Signed-off-by: Spencer Schrock <[email protected]>

* make exit condition stronger

any release after the lookback should be skipped

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: seelder <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
check/Signed-Releases kind/bug Something isn't working
Projects
Scorecard - NEW
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

🐛 fix signed-releases lookback limit precedence spencerschrock/scorecard
2 participants
@cpswan @spencerschrock