@hannesm
Contributor

@hannesm hannesm commented Jan 20, 2026

ref #4581

Now that #4582 has been merged...

@hannesm hannesm changed the title Add opam source (https://github.com/ocaml/security-advisories) as source to testing (feat, source-test) Add opam source (https://github.com/ocaml/security-advisories) to testing Jan 20, 2026
@another-rex
Contributor

/gcbrun

@another-rex another-rex changed the title (feat, source-test) Add opam source (https://github.com/ocaml/security-advisories) to testing feat: Add opam source (https://github.com/ocaml/security-advisories) to testing Jan 21, 2026
@another-rex
Contributor

LGTM! Just a note on the OPAM database entries, it would be better to generate them with indentation rather than all on one line, as it makes it easy for consumers to see the changes to a record in the git history.

@another-rex another-rex merged commit 9397c84 into google:master Jan 23, 2026
20 of 22 checks passed
@another-rex
Contributor

@hannesm Seems like we are getting rate limited when enumerating versions.

A couple of options here:

  1. It seems like the records we are getting are pre-enumerated already anyway, so the easiest way is to just skip enumeration for ocaml records and rely on the record itself being correctly enumerated.
  2. Apparently we get higher rate limits if we have an API token, though it does mean a bit more complexity on our part.

Let me know if you're happy with option 1., otherwise we can look into option 2.

@michaelkedar fyi

@hannesm
Contributor Author

hannesm commented Jan 24, 2026

Thanks @another-rex.

> @hannesm Seems like we are getting rate limited when enumerating versions.

I'm sorry to hear.

> A couple of options here:
>
> 1. It seems like the records we are getting are pre-enumerated already anyway, so the easiest way is to just skip enumeration for ocaml records and rely on the record itself being correctly enumerated.

I'm not sure I fully understand what you mean, but indeed the osv data we generate carries an array of versions that are affected. And this is filled by the tooling that generates the json. So you can rely on that data.

> 2. Apparently we get higher rate limits if we have an API token, though it does mean a bit more complexity on our part.
>
> Let me know if you're happy with option 1., otherwise we can look into option 2.

As mentioned, if I understand that correctly, I'm fine with 1. I don't know what needs to be done in the osv code to accommodate this option.

@hannesm
Contributor Author

hannesm commented Jan 24, 2026

I tried to find the test instance database where I'd be able to see the imported json data etc. -- any chance you can provide me with a way to browse that data? At https://test.osv.dev I don't see any imported opam advisories.

Thanks.
