Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make output ordering deterministic #182

Closed
michaelkedar opened this issue Feb 3, 2023 · 1 comment · Fixed by #220
Closed

Make output ordering deterministic #182

michaelkedar opened this issue Feb 3, 2023 · 1 comment · Fixed by #220
Labels
enhancement New feature or request

Comments

@michaelkedar
Copy link
Member

michaelkedar commented Feb 3, 2023
edited
Loading

Currently, it looks like the order of the package source files (in every output format) can change between runs.

e.g.

# Output 1
╭─────────────────────────────────────┬───────────┬──────────────────────────┬─────────┬────────────────────╮
│ OSV URL (ID IN BOLD)                │ ECOSYSTEM │ PACKAGE                  │ VERSION │ SOURCE             │
├─────────────────────────────────────┼───────────┼──────────────────────────┼─────────┼────────────────────┤
│ https://osv.dev/GHSA-m5pq-gvj9-9vr8 │ crates.io │ regex                    │ 1.3.1   │ path/to/Cargo.lock │
│ https://osv.dev/RUSTSEC-2022-0013   │           │                          │         │                    │
│ https://osv.dev/GHSA-c3h9-896r-86jm │ Go        │ github.com/gogo/protobuf │ 1.3.1   │ path/to/go.mod     │
│ https://osv.dev/GO-2021-0053        │           │                          │         │                    │
╰─────────────────────────────────────┴───────────┴──────────────────────────┴─────────┴────────────────────╯

# Output 2
╭─────────────────────────────────────┬───────────┬──────────────────────────┬─────────┬────────────────────╮
│ OSV URL (ID IN BOLD)                │ ECOSYSTEM │ PACKAGE                  │ VERSION │ SOURCE             │
├─────────────────────────────────────┼───────────┼──────────────────────────┼─────────┼────────────────────┤
│ https://osv.dev/GHSA-c3h9-896r-86jm │ Go        │ github.com/gogo/protobuf │ 1.3.1   │ path/to/go.mod     │
│ https://osv.dev/GO-2021-0053        │           │                          │         │                    │
│ https://osv.dev/GHSA-m5pq-gvj9-9vr8 │ crates.io │ regex                    │ 1.3.1   │ path/to/Cargo.lock │
│ https://osv.dev/RUSTSEC-2022-0013   │           │                          │         │                    │
╰─────────────────────────────────────┴───────────┴──────────────────────────┴─────────┴────────────────────╯

(this can also happen in the json output)

From what I can tell, this only affects the ordering of package sources - the ordering of packages from a source, and vulnerabilities in a package seem to be consistent between runs.
@oliverchang
Copy link
Collaborator

+1 thanks for filing this. We should make this more deterministic for easy comparisons between runs.

@oliverchang oliverchang added the enhancement New feature or request label Feb 6, 2023
@Dentrax Dentrax mentioned this issue Feb 17, 2023
Closed
9 tasks
@G-Rath G-Rath mentioned this issue Feb 17, 2023
Merged
another-rex pushed a commit that referenced this issue Feb 20, 2023
@G-Rath
fix: ensure that vulnerability results are ordered deterministically (#…
435eda0 
…220)

Resolves #182
hayleycd pushed a commit that referenced this issue Mar 9, 2023
@G-Rath @hayleycd
fix: ensure that vulnerability results are ordered deterministically (#…
cae0944 
…220)

Resolves #182
julieqiu pushed a commit to julieqiu/osv-scanner that referenced this issue May 2, 2023
@G-Rath @julieqiu
fix: ensure that vulnerability results are ordered deterministically (g…
e0407b5 
…oogle#220)

Resolves google#182
julieqiu pushed a commit to julieqiu/osv-scanner that referenced this issue May 2, 2023
@G-Rath @julieqiu
fix: ensure that vulnerability results are ordered deterministically (g…
1d6351c 
…oogle#220)

Resolves google#182
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: ensure that vulnerability results are ordered deterministically
2 participants
@oliverchang @michaelkedar