WARN: Unable to read vulnerability information #22502

Open
rarkins opened this issue May 30, 2023 · 15 comments
Labels
core:vulnerabilities priority-3-medium Default priority, "should be done" but isn't prioritised ahead of others type:bug Bug fix of existing functionality

Comments

@rarkins (Collaborator) commented May 30, 2023

Describe the proposed change(s).

Error found in https://github.com/renovate-reproductions/22487

This seems to only occur in the hosted app, and not when I dry run the same repo locally.

Something/somehow seems incompatible.

Describe why we need/want these change(s).

WARN: Unable to read vulnerability information
{
  "err": {
    "stack": "Error: 
    at OsvOffline.initialize (/opt/buildpack/tools/renovate/35.102.10/node_modules/@renovatebot/osv-offline/dist/lib/osv-offline.js:16:19)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at Function.create (/opt/buildpack/tools/renovate/35.102.10/node_modules/@renovatebot/osv-offline/dist/lib/osv-offline.js:26:9)
    at Vulnerabilities.initialize (/opt/buildpack/tools/renovate/35.102.10/node_modules/renovate/lib/workers/repository/process/vulnerabilities.ts:50:23)
    at Function.create (/opt/buildpack/tools/renovate/35.102.10/node_modules/renovate/lib/workers/repository/process/vulnerabilities.ts:55:5)
    at fetchVulnerabilities (/opt/buildpack/tools/renovate/35.102.10/node_modules/renovate/lib/workers/repository/process/extract-update.ts:176:31)
    at lookup (/opt/buildpack/tools/renovate/35.102.10/node_modules/renovate/lib/workers/repository/process/extract-update.ts:191:3)
    at extractDependencies (/opt/buildpack/tools/renovate/35.102.10/node_modules/renovate/lib/workers/repository/process/index.ts:146:11)
    at Object.renovateRepository (/opt/buildpack/tools/renovate/35.102.10/node_modules/renovate/lib/workers/repository/index.ts:61:9)
    at attributes.repository (/opt/buildpack/tools/renovate/35.102.10/node_modules/renovate/lib/workers/global/index.ts:184:11)
    at start (/opt/buildpack/tools/renovate/35.102.10/node_modules/renovate/lib/workers/global/index.ts:169:7)
    at /opt/buildpack/tools/renovate/35.102.10/node_modules/renovate/lib/renovate.ts:18:22"
  }
}
rarkins added labels type:bug (Bug fix of existing functionality), priority-2-high (Bugs impacting wide number of users or very important features), status:ready on May 30, 2023
@rarkins (Collaborator, Author) commented Jun 18, 2023

@JamieMagee @viceice @secustor any thoughts on this?

We could either:

  • Add logging to the offline csv package, or
  • Return information in an error which can then be logged by Renovate?

@viceice (Member) commented Jun 18, 2023

It probably tries to download inside the package folder, which is only allowed by root?

@rarkins (Collaborator, Author) commented Jun 18, 2023

Yeah, I'm guessing it's folder permissions too

rarkins added label priority-3-medium (Default priority, "should be done" but isn't prioritised ahead of others) and removed label priority-2-high (Bugs impacting wide number of users or very important features) on Jun 18, 2023
@JamieMagee (Contributor) commented:

Why not both. I opened renovatebot/osv-offline#364

@rarkins (Collaborator, Author) commented Jun 18, 2023

Why not both.

Isn't it undesirable for libraries to do their own logging unless "asked"? Otherwise it makes it hard for apps or CLIs to control their output

@JamieMagee (Contributor) commented:

True. I had considered @renovatebot/osv-offline to be an internal library, but it would still be hard to pass logging settings from one to the other. I'll update the issue to make throws more useful.

@JamieMagee (Contributor) commented:

renovatebot/osv-offline#364 is complete, and updated in renovate in #22885. @rarkins are you seeing any more useful logs?

@rarkins (Collaborator, Author) commented Jun 28, 2023

@JamieMagee it's an API rate limit error:

      "url": "https://api.github.com/repos/renovatebot/osv-offline/releases",

      "data": {
        "message": "API rate limit exceeded for 34.239.12.110. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)",
        "documentation_url": "https://docs.github.com/rest/overview/resources-in-the-rest-api#rate-limiting"
      }

You might be able to see https://developer.mend.io/github/renovate-reproductions/22487/-/job/0188fff1-c0fc-7b19-a03a-184c6132684c

Prior to that there's a log for:

DEBUG: Adding token authentication for api.github.com to hostRules

@rarkins (Collaborator, Author) commented Jun 28, 2023

Oh, I guess the OSV library doesn't use hostRules :)

@JamieMagee (Contributor) commented:

I think it supports a GITHUB_TOKEN environment variable

@rarkins (Collaborator, Author) commented Jun 28, 2023

Can we enhance it to take the token as a variable? I'm not sure we want to expose the token in env in all cases

@karfau (Contributor) commented Sep 27, 2023

For me the GitHub App is running into this issue on a new repository, which causes it to fail.
Did I miss some config option?
A missing token in that situation is not something that I would have expected, since I'm not configuring the action...

ERROR: Repository has unknown error
{
  "err": {
    "name": "HttpError",
    "status": 403,
    "response": {
      "url": "https://api.github.com/repos/renovatebot/osv-offline/releases",
      "status": 403,
      "headers": {
        "access-control-allow-origin": "*",
        "access-control-expose-headers": "ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-RateLimit-Used, X-RateLimit-Resource, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, Deprecation, Sunset",
        "connection": "close",
        "content-length": "279",
        "content-security-policy": "default-src 'none'; style-src 'unsafe-inline'",
        "content-type": "application/json; charset=utf-8",
        "date": "Wed, 27 Sep 2023 16:46:41 GMT",
        "referrer-policy": "origin-when-cross-origin, strict-origin-when-cross-origin",
        "server": "Varnish",
        "strict-transport-security": "max-age=31536000; includeSubdomains; preload",
        "x-content-type-options": "nosniff",
        "x-frame-options": "deny",
        "x-github-media-type": "github.v3; format=json",
        "x-github-request-id": "0A73:3E74:134F61:274DE5:65145C71",
        "x-ratelimit-limit": "60",
        "x-ratelimit-remaining": "0",
        "x-ratelimit-reset": "1695835586",
        "x-ratelimit-resource": "core",
        "x-ratelimit-used": "60",
        "x-xss-protection": "1; mode=block"
      },
      "data": {
        "message": "API rate limit exceeded for 34.239.12.110. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)",
        "documentation_url": "https://docs.github.com/rest/overview/resources-in-the-rest-api#rate-limiting"
      }
    },
    "request": {
      "method": "GET",
      "url": "https://api.github.com/repos/renovatebot/osv-offline/releases",
      "headers": {
        "accept": "application/vnd.github.v3+json",
        "user-agent": "octokit-rest.js/19.0.13 octokit-core.js/4.2.4 Node.js/18.18.0 (linux; x64)"
      },
      "request": {
        "fetch": "[function]",
        "hook": "[function]"
      }
    },
    "message": "API rate limit exceeded for 34.239.12.110. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)",
    "stack": "HttpError: API rate limit exceeded for 34.239.12.110. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)\n    at /opt/containerbase/tools/renovate/36.107.2/node_modules/@octokit/request/dist-node/index.js:122:21\n    at processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at tryDownloadDb (/opt/containerbase/tools/renovate/36.107.2/node_modules/@renovatebot/osv-offline/dist/lib/download.js:43:26)\n    at OsvOffline.initialize (/opt/containerbase/tools/renovate/36.107.2/node_modules/@renovatebot/osv-offline/dist/lib/osv-offline.js:14:24)\n    at Function.create (/opt/containerbase/tools/renovate/36.107.2/node_modules/@renovatebot/osv-offline/dist/lib/osv-offline.js:26:9)\n    at Vulnerabilities.initialize (/opt/containerbase/tools/renovate/36.107.2/node_modules/renovate/lib/workers/repository/process/vulnerabilities.ts:49:23)\n    at Function.create (/opt/containerbase/tools/renovate/36.107.2/node_modules/renovate/lib/workers/repository/process/vulnerabilities.ts:54:5)\n    at getDashboardMarkdownVulnerabilities (/opt/containerbase/tools/renovate/36.107.2/node_modules/renovate/lib/workers/repository/dependency-dashboard.ts:488:32)\n    at ensureDependencyDashboard (/opt/containerbase/tools/renovate/36.107.2/node_modules/renovate/lib/workers/repository/dependency-dashboard.ts:413:16)\n    at Object.renovateRepository (/opt/containerbase/tools/renovate/36.107.2/node_modules/renovate/lib/workers/repository/index.ts:92:9)\n    at attributes.repository (/opt/containerbase/tools/renovate/36.107.2/node_modules/renovate/lib/workers/global/index.ts:184:11)\n    at start (/opt/containerbase/tools/renovate/36.107.2/node_modules/renovate/lib/workers/global/index.ts:169:7)\n    at /opt/containerbase/tools/renovate/36.107.2/node_modules/renovate/lib/renovate.ts:18:22"
  }
}

Update: It seems to be triggered by setting dependencyDashboardOSVVulnerabilitySummary in my case, even when osvVulnerabilityAlerts is false.

karfau added a commit to bettermarks/renovate-config that referenced this issue Sep 27, 2023
@pdonorio commented Feb 6, 2024

Getting this in my Renovate runs, both in GitHub cloud and self-hosted.

WARN: Unable to read vulnerability information (repository=tradeparadigm/mono)
       "err": {
         "name": "HttpError",
         "status": 401,
         "response": {
           "url": "https://api.github.com/repos/renovatebot/osv-offline/releases",
           "status": 401,

Anything I could do to debug more?
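
Added example (not code from osv-offline or Renovate) that ties together the points raised in this thread: take the GitHub token as an explicit option with GITHUB_TOKEN as the fallback, recognise a 401 and a 403 rate-limit response from the status and headers, and return that context to the caller in a thrown error instead of logging from inside the library. All function and class names are hypothetical; the releases URL and the rate-limit header values are the ones from the 403 response karfau posted above, and the 401 branch mirrors the response pdonorio posted. The `fetchImpl` parameter is injected so the example runs with a constructed response and no network.

```javascript
// Added example, not osv-offline's or Renovate's own code. Names are hypothetical.

const RELEASES_URL = 'https://api.github.com/repos/renovatebot/osv-offline/releases';

// Error type that carries structured context, so the application (Renovate)
// decides how and at what level to log it; the library itself logs nothing.
class OsvDbDownloadError extends Error {
  constructor(message, details) {
    super(message);
    this.name = 'OsvDbDownloadError';
    Object.assign(this, details);
  }
}

// Token precedence: explicit option, then GITHUB_TOKEN, then unauthenticated
// (api.github.com allows only 60 unauthenticated core requests per hour).
function resolveToken(options = {}, env = process.env) {
  if (options.token) return { token: options.token, source: 'option' };
  if (env.GITHUB_TOKEN) return { token: env.GITHUB_TOKEN, source: 'env' };
  return { token: undefined, source: 'none' };
}

// Classify a GitHub REST response from status and headers alone.
function classifyResponse(status, headers = {}) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  if (status >= 200 && status < 300) return { kind: 'ok' };
  // GitHub answers 401 when the credentials that were sent are rejected.
  if (status === 401) return { kind: 'bad-credentials' };
  if (status === 403 && h['x-ratelimit-remaining'] === '0') {
    const resetEpoch = Number(h['x-ratelimit-reset']);
    // Use the server's own clock (Date header) when present.
    const nowMs = h.date ? Date.parse(h.date) : Date.now();
    return {
      kind: 'rate-limited',
      limit: Number(h['x-ratelimit-limit']),
      resource: h['x-ratelimit-resource'],
      resetAt: new Date(resetEpoch * 1000).toISOString(),
      secondsUntilReset: Math.max(0, Math.round(resetEpoch - nowMs / 1000)),
    };
  }
  if (status === 403) return { kind: 'forbidden' };
  return { kind: 'unexpected-status' };
}

// Build the error the library would throw. Pure, so it is easy to unit-test.
function buildDownloadError(url, status, headers, tokenSource) {
  const verdict = classifyResponse(status, headers);
  let hint = '';
  if (verdict.kind === 'rate-limited' && tokenSource === 'none') {
    hint = 'unauthenticated request; pass a token to raise the limit';
  } else if (verdict.kind === 'bad-credentials') {
    hint = `token from ${tokenSource} was rejected`;
  }
  const message = `GET ${url} failed with ${status} (${verdict.kind}${hint ? ': ' + hint : ''})`;
  return new OsvDbDownloadError(message, { url, status, tokenSource, ...verdict });
}

// Fetch the releases list. fetchImpl is injected so no network is needed.
async function fetchReleases(fetchImpl, options = {}) {
  const { token, source } = resolveToken(options, options.env);
  const headers = { accept: 'application/vnd.github.v3+json' };
  if (token) headers.authorization = `Bearer ${token}`;
  const res = await fetchImpl(RELEASES_URL, { headers });
  if (res.status !== 200) {
    throw buildDownloadError(RELEASES_URL, res.status, res.headers, source);
  }
  return res.json();
}

// Constructed sample: the rate-limit and Date headers from the 403 response
// posted earlier in this thread, nothing else.
const SAMPLE_RATE_LIMIT_HEADERS = {
  date: 'Wed, 27 Sep 2023 16:46:41 GMT',
  'x-ratelimit-limit': '60',
  'x-ratelimit-remaining': '0',
  'x-ratelimit-reset': '1695835586',
  'x-ratelimit-resource': 'core',
};

// Minimal stand-in for fetch() returning a fixed status and headers.
function fakeFetch(status, headers) {
  return async () => ({ status, headers, json: async () => [] });
}

// Stand-alone demo: an unauthenticated call against the sample 403.
fetchReleases(fakeFetch(403, SAMPLE_RATE_LIMIT_HEADERS), { env: {} })
  .catch((err) => console.log(err.name, err.message, err.secondsUntilReset));
```

The caller gets `status`, `tokenSource`, `resetAt` and `secondsUntilReset` as plain properties on the error, which is what Renovate's own logger needs to print a line like the one in the first comment with the cause attached, and the library never has to know about hostRules or the application's log level.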

lvpeschke added a commit to celo-org/.github that referenced this issue Feb 8, 2024
Disable "dependencyDashboardOSVVulnerabilitySummary"[1] which is currently experimental and has caused problems (see celo-org/infrastructure#1428 and renovatebot/renovate#22502). Dependabot supplies similar information.

[1]: celo-org/infrastructure#1428
@taraspos (Contributor) commented Feb 13, 2024

Found discussion relevant to the 401 error mentioned above:

8 participants