🌱 Set OSV User-Agent for scorecard cli and cron workers.

[kash2104]

What kind of change does this PR introduce?

This PR introduces improvement to OSV API request by configuring versioned User-Agent for Scorecard.

• PR title follows the guidelines defined in our pull request documentation

What is the current behavior?

Currently API requests to osv.dev are made without specifying a unique user-agent.

What is the new behavior (if this is a feature change)?**

Now a distinct, versioned user agent is set for the OSV API request:

• scorecard/{version} for CLI

• scorecard-cron/{version} for cron workers

• Uses GetId() and GetAliases() in clients/osv.go as per the latest updates in the osv scanner package.

• Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #4029

Special notes for your reviewer

osv-scanner/1.9.2 has been installed.

Does this PR introduce a user-facing change?

No

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

[github-actions]

This pull request has been marked stale because it has been open for 10 days with no activity

[spencerschrock]

You can track the upstream issue here at google/osv-scanner#2420

We'll need to wait for a new osv-scanner release before we can set it.

[codecov]

Codecov Report

❌ Patch coverage is 45.00000% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.68%. Comparing base (353ed60) to head (c224a50).
⚠️ Report is 316 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4883      +/-   ##
==========================================
+ Coverage   66.80%   69.68%   +2.88%     
==========================================
  Files         230      251      +21     
  Lines       16602    15660     -942     
==========================================
- Hits        11091    10913     -178     
+ Misses       4808     3873     -935     
- Partials      703      874     +171     

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[another-rex]

@Ly-Joey Can you take a quick look to confirm this is correct?

[Ly-Joey]

ExperimentalScannerActions.RequestUserAgent is the right variable to set. But it seems actions isn't being passed into osvscanner.DoScan() or anything equivalent.
I'm not very familiar with the project but I think the user agent values would need to be propagated to clients/osv.go (through VulnerabilitiesClient) where the osvscanner package is actually used to do the scanning.

[spencerschrock]

I'm not very familiar with the project but I think the user agent values would need to be propagated to clients/osv.go (through VulnerabilitiesClient) where the osvscanner package is actually used to do the scanning.

+1 to this. The current strategy was based on the old package global. We might need a new flag in our osv-client representing the source, that way when we initialize the client we can pass in a string to use for the user agent.

maybe something like this? And then tweaking DefaultVulnerabilitiesClient to use NewOSVClient for backwards compatibility. (and we can get rid of ExperimentalLocalOSVClient now)

type OSVConfig struct {
	ExperimentalLocal bool
	UserAgent string
}

func NewOSVClient(config *OSVConfig) VulnerabilitiesClient {
	if config == nil { // some defaults }
	// store as needed
}

[kash2104]

Will look into it.

[kash2104]

@spencerschrock Have made the appropriate changes as per the reviews.

[spencerschrock]

Looks great, just two small things!

[spencerschrock]

this client made with the config needs to be used by the code, I think you'll want to store it here:

scorecard/cron/internal/worker/main.go

Line 132 in ade5c77

sw.vulnsClient = clients.DefaultVulnerabilitiesClient()

[spencerschrock]

Lets move this all to cmd/root.go, a little above this block:

scorecard/cmd/root.go

Lines 173 to 179 in ade5c77

	opts := []scorecard.Option{
	scorecard.WithLogLevel(sclog.ParseLevel(o.LogLevel)),
	scorecard.WithCommitSHA(o.Commit),
	scorecard.WithCommitDepth(o.CommitDepth),
	scorecard.WithProbes(enabledProbes),
	scorecard.WithChecks(checks),
	}

And then you'll need to use the client you created with NewOSVClient by creating a new opt:

scorecard.WithVulnerabilitiesClient(clients.NewOSVClient(&config)),