From efe226f740e19c1c98dc45a27942a153dc23cadb Mon Sep 17 00:00:00 2001
From: jdalton
Date: Wed, 26 Nov 2025 13:37:41 -0500
Subject: [PATCH 1/2] fix(api): improve CVE to GHSA conversion caching and error messaging

---
 src/utils/cve-to-ghsa.mts | 29 +++++++++++++++++++++++------
 1 file changed, 23 insertions(+), 6 deletions(-)

diff --git a/src/utils/cve-to-ghsa.mts b/src/utils/cve-to-ghsa.mts
index 37470d9ef..5a5ff3d34 100644
--- a/src/utils/cve-to-ghsa.mts
+++ b/src/utils/cve-to-ghsa.mts
@@ -5,6 +5,7 @@ import type { CResult } from '../types.mts'
 
 /**
  * Converts CVE IDs to GHSA IDs using GitHub API.
+ * CVE to GHSA mappings are permanent, so we cache for 30 days.
  */
 export async function convertCveToGhsa(
   cveId: string,
@@ -13,11 +14,17 @@ export async function convertCveToGhsa(
   const cacheKey = `cve-to-ghsa-${cveId}`
   const octokit = getOctokit()
 
-  const response = await cacheFetch(cacheKey, () =>
-    octokit.rest.securityAdvisories.listGlobalAdvisories({
-      cve_id: cveId,
-      per_page: 1,
-    }),
+  // CVE to GHSA mappings don't change, cache for 30 days (in milliseconds).
+  const THIRTY_DAYS_MS = 2_592_000_000
+
+  const response = await cacheFetch(
+    cacheKey,
+    () =>
+      octokit.rest.securityAdvisories.listGlobalAdvisories({
+        cve_id: cveId,
+        per_page: 1,
+      }),
+    THIRTY_DAYS_MS,
   )
 
   if (!response.data.length) {
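Review bot: The 30-day TTL passed to cacheFetch in the second hunk applies to whatever cacheFetch stores, which presumably includes an empty `response.data` when GitHub has no advisory for the CVE yet; a CVE can be assigned a GHSA after it is first queried, so the docstring claim in the first hunk that mappings are permanent holds only for positive hits, and a miss would be served stale for a month. Whether cacheFetch caches the empty response cannot be seen here, but if it does, consider only committing the long TTL once `response.data.length` is non-zero, or at least stating the trade-off in the docstring, e.g. `* Mappings are permanent once assigned, so hits are cached for 30 days; misses may be retried sooner.` Patch 2's first hunk keeps the same TTL constant inside the function body, and since it is a true constant it could live at module scope instead of being recreated on every call. convertCveToGhsa continues outside both hunks.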
@@ -32,9 +39,19 @@ export async function convertCveToGhsa(
       data: response.data[0]!.ghsa_id,
     }
   } catch (e) {
+    const errorCause = getErrorCause(e)
+    // Detect GitHub API rate limit errors.
+    const isGitHubRateLimit =
+      errorCause.includes('rate limit') ||
+      errorCause.includes('EPIPE') ||
+      errorCause.includes('ECONNRESET') ||
+      errorCause.includes('403')
+
     return {
       ok: false,
-      message: `Failed to convert CVE to GHSA: ${getErrorCause(e)}`,
+      message: isGitHubRateLimit
+        ? 'GitHub API rate limit exceeded while converting CVE to GHSA. Wait an hour or set SOCKET_CLI_GITHUB_TOKEN environment variable with a personal access token for higher limits.'
+        : `Failed to convert CVE to GHSA: ${errorCause}`,
     }
   }
 }

From 4d3716186fd0ac493e45341b24fd80d30b29b740 Mon Sep 17 00:00:00 2001
From: jdalton
Date: Wed, 26 Nov 2025 14:11:33 -0500
Subject: [PATCH 2/2] refactor(api): improve CVE to GHSA error detection and code clarity

- Use case-insensitive error matching for more reliable detection
- Add more specific status code patterns (status: 403, status code 403)
- Express 30-day duration as readable calculation (30 * 24 * 60 * 60 * 1000)
- Remove redundant inline comment
- Rename variable for clearer intent (isGitHubRateLimit -> isRateLimitOrNetworkError)
---
 src/utils/cve-to-ghsa.mts | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/src/utils/cve-to-ghsa.mts b/src/utils/cve-to-ghsa.mts
index 5a5ff3d34..74be27e83 100644
--- a/src/utils/cve-to-ghsa.mts
+++ b/src/utils/cve-to-ghsa.mts
@@ -14,8 +14,7 @@ export async function convertCveToGhsa(
   const cacheKey = `cve-to-ghsa-${cveId}`
   const octokit = getOctokit()
 
-  // CVE to GHSA mappings don't change, cache for 30 days (in milliseconds).
-  const THIRTY_DAYS_MS = 2_592_000_000
+  const THIRTY_DAYS_MS = 30 * 24 * 60 * 60 * 1000
 
   const response = await cacheFetch(
     cacheKey,
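Review bot: The catch block folds EPIPE and ECONNRESET into `isGitHubRateLimit`, so a dropped connection is reported as "GitHub API rate limit exceeded ... Wait an hour", which sends users chasing a token they do not need; `errorCause.includes('403')` is also loose enough to fire on any message that happens to contain those three digits. Patch 2's second hunk renames the flag to isRateLimitOrNetworkError but keeps the single rate-limit message for every match, so the user-facing text is still wrong for the transport cases. A minimal change is a separate branch that reports transport failures as `Network error while converting CVE to GHSA: ${errorCause}` and reserves the rate-limit wording for the rate-limit match. The try block this catch belongs to begins outside the hunk.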
@@ -40,16 +39,18 @@ export async function convertCveToGhsa(
     }
   } catch (e) {
     const errorCause = getErrorCause(e)
-    // Detect GitHub API rate limit errors.
-    const isGitHubRateLimit =
-      errorCause.includes('rate limit') ||
-      errorCause.includes('EPIPE') ||
-      errorCause.includes('ECONNRESET') ||
-      errorCause.includes('403')
+    const errorLower = errorCause.toLowerCase()
+    // Detect GitHub API rate limit and network errors.
+    const isRateLimitOrNetworkError =
+      errorLower.includes('rate limit') ||
+      errorLower.includes('epipe') ||
+      errorLower.includes('econnreset') ||
+      errorLower.includes('status: 403') ||
+      errorLower.includes('status code 403')
 
     return {
       ok: false,
-      message: isRateLimitOrNetworkError
+      message: isRateLimitOrNetworkError
         ? 'GitHub API rate limit exceeded while converting CVE to GHSA. Wait an hour or set SOCKET_CLI_GITHUB_TOKEN environment variable with a personal access token for higher limits.'
         : `Failed to convert CVE to GHSA: ${errorCause}`,
     }
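Review bot: Matching `status: 403` / `status code 403` treats every 403 as a rate limit, but GitHub also answers 403 when the supplied token is invalid, expired or lacks the required scope, and in that case the message telling the user to set SOCKET_CLI_GITHUB_TOKEN "for higher limits" points them away from the real problem. The rate-limited case is identifiable from the structured error rather than from whatever text getErrorCause produces: Octokit's RequestError exposes `status` and `response.headers`, and GitHub marks rate limiting with `x-ratelimit-remaining: 0` (primary) or a `retry-after` header (secondary, which may arrive as 429). Classifying on those fields, and giving EPIPE/ECONNRESET their own message, keeps the advice accurate; the rewrite below assumes that error shape, so confirm it against the getOctokit client. The hunk ends at the close of the return object; the catch block and function close are outside it.
```typescript
  } catch (e) {
    const errorCause = getErrorCause(e)
    // Classify on the structured Octokit error, not on message text.
    // Assumes the RequestError shape (`status` plus `response.headers`).
    const err = e as { status?: number; response?: { headers?: Record<string, string | undefined> } }
    const headers = err.response?.headers
    const isRateLimit =
      (err.status === 403 || err.status === 429) &&
      (headers?.['x-ratelimit-remaining'] === '0' || headers?.['retry-after'] !== undefined)
    const isNetworkError = /\b(EPIPE|ECONNRESET)\b/.test(errorCause)
    return {
      ok: false,
      message: isRateLimit
        ? 'GitHub API rate limit exceeded while converting CVE to GHSA. Wait an hour or set SOCKET_CLI_GITHUB_TOKEN environment variable with a personal access token for higher limits.'
        : isNetworkError
          ? `Network error while converting CVE to GHSA: ${errorCause}`
          : `Failed to convert CVE to GHSA: ${errorCause}`,
    }
```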