Skip to content

Fix for cloud fetch#362

Closed
andrefurlan-db wants to merge 2 commits into
databricks:mainfrom
andrefurlan-db:3.1.1
Closed

Fix for cloud fetch#362
andrefurlan-db wants to merge 2 commits into
databricks:mainfrom
andrefurlan-db:3.1.1

Conversation

@andrefurlan-db

@andrefurlan-db andrefurlan-db commented Feb 21, 2024

Copy link
Copy Markdown
Contributor
  • Throw when failed to download file

  • Retry properly while downloading file

  • Add a bunch of debug logs

  • Prevent thread issues

TODO: http connection pools for cloud storage, proxies, etc.

Also backported to version 2

* fixes for cloud fetch

Signed-off-by: Andre Furlan <andre.furlan@databricks.com>
---------

Signed-off-by: Andre Furlan <andre.furlan@databricks.com>
Co-authored-by: Raymond Cypher <raymond.cypher@databricks.com>
# Download was not successful for next download item. Fail
self._shutdown_manager()
return None
raise ResultSetDownloadError(

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per the change in the comment above, there is no retry attempted?

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or is it just handled by raising the exception?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the retry is done outside this function, closer to the actual http request

Signed-off-by: Andre Furlan <andre.furlan@databricks.com>
return uncompressed_data


def http_get_with_retry(url, max_retries=5, backoff_factor=2, download_timeout=60):

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why are we implementing retry behavior here rather than using a Retry passed to the session?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agreed. It is in the TODO to also have connection pools

@benc-db benc-db left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approve, but consider if we can implement with urllib3 Retry.

vikrantpuppala added a commit that referenced this pull request Jul 16, 2026
Port the fail-closed hardening from the Go (#362) and Node (#388) OSV
workflows, and refresh poetry.lock so the gate passes with zero
suppressions.

securityScan.yml hardening (was fail-open in three places):
- Capture osv-scanner's exit code; tolerate only 0/1 and fail closed on
  any other code (network error, corrupt binary) instead of masking it
  with `|| true`.
- Validate the output is well-formed JSON with a .results array before
  parsing, so a truncated/partial scan fails closed rather than parsing
  to zero findings.
- Resolve empty group max_severity via a cvss_num fallback to an
  UNKNOWN sentinel (using `try (x|tonumber) catch null`, not
  `tonumber?`), so a scoreless finding can never sort to 0 and sail past
  the CVSS>=7 gate. UNKNOWN always blocks (PyPA advisories carry CVSS; a
  scoreless finding is a GHSA-only/malware advisory).
- Integer-count guards fail closed on parse failure.
- Drop per-repo SMTP email in favor of artifact upload for the planned
  cross-repo collator (parity with Go/Node).

CVE clearing WITHOUT forcing dependency floors:
- Bump the Python floor to ^3.10. The CVE-fixed cryptography (>=46) and
  pyjwt (>=2.12) require Python >=3.10 upstream, so a single CVE-clean
  lockfile cannot span 3.8/3.9. This is the only breaking change.
- All runtime dependency pins are UNCHANGED (thrift ~=0.22.0,
  urllib3 >=1.26, requests ^2.18.1, pyjwt ^2.0.0, pyarrow floors). The
  existing constraints already ALLOW the CVE-free versions; the refreshed
  lock simply resolves to them (urllib3 2.7.0, cryptography 49.0.0,
  pyarrow 23.0.1, requests 2.34.2, pyjwt 2.13.0, idna 3.18,
  python-dotenv 1.2.2). Customers do not need us to relax or raise any
  pin to become CVE-free.
- thrift stays ~=0.22.0 (no known advisory; the <0.23 cap avoids the
  ES-1960554 DBR-LTS install break).
- Bump dev-only black ^22 -> ^26 and pytest ^7 -> ^9 to clear their
  advisories (never shipped in the wheel); reformat src with black 26.

Result: OSV-Scanner v2.3.8 reports 0 findings on the refreshed lock;
osv-scanner.toml needs no suppressions.

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants