Fix for cloud fetch#362
Closed
andrefurlan-db wants to merge 2 commits into
Closed
Conversation
* fixes for cloud fetch Signed-off-by: Andre Furlan <andre.furlan@databricks.com> --------- Signed-off-by: Andre Furlan <andre.furlan@databricks.com> Co-authored-by: Raymond Cypher <raymond.cypher@databricks.com>
andrefurlan-db
requested review from
arikfr,
benc-db,
jackyhu-db,
rcypher-databricks and
yunbodeng-db
as code owners
February 21, 2024 22:09
benc-db
reviewed
Feb 21, 2024
| # Download was not successful for next download item. Fail | ||
| self._shutdown_manager() | ||
| return None | ||
| raise ResultSetDownloadError( |
Collaborator
There was a problem hiding this comment.
Per the change in the comment above, there is no retry attempted?
Collaborator
There was a problem hiding this comment.
Or is it just handled by raising the exception?
Contributor
Author
There was a problem hiding this comment.
the retry is done outside this function, closer to the actual http request
Signed-off-by: Andre Furlan <andre.furlan@databricks.com>
andrefurlan-db
force-pushed
the
3.1.1
branch
from
February 21, 2024 22:12
61dda59 to
cef6cf3
Compare
benc-db
reviewed
Feb 21, 2024
| return uncompressed_data | ||
|
|
||
|
|
||
| def http_get_with_retry(url, max_retries=5, backoff_factor=2, download_timeout=60): |
Collaborator
There was a problem hiding this comment.
why are we implementing retry behavior here rather than using a Retry passed to the session?
Contributor
Author
There was a problem hiding this comment.
agreed. It is in the TODO to also have connection pools
benc-db
approved these changes
Feb 21, 2024
benc-db
left a comment
Collaborator
There was a problem hiding this comment.
Approve, but consider if we can implement with urllib3 Retry.
This was referenced Jul 4, 2024
vikrantpuppala
added a commit
that referenced
this pull request
Jul 16, 2026
Port the fail-closed hardening from the Go (#362) and Node (#388) OSV workflows, and refresh poetry.lock so the gate passes with zero suppressions. securityScan.yml hardening (was fail-open in three places): - Capture osv-scanner's exit code; tolerate only 0/1 and fail closed on any other code (network error, corrupt binary) instead of masking it with `|| true`. - Validate the output is well-formed JSON with a .results array before parsing, so a truncated/partial scan fails closed rather than parsing to zero findings. - Resolve empty group max_severity via a cvss_num fallback to an UNKNOWN sentinel (using `try (x|tonumber) catch null`, not `tonumber?`), so a scoreless finding can never sort to 0 and sail past the CVSS>=7 gate. UNKNOWN always blocks (PyPA advisories carry CVSS; a scoreless finding is a GHSA-only/malware advisory). - Integer-count guards fail closed on parse failure. - Drop per-repo SMTP email in favor of artifact upload for the planned cross-repo collator (parity with Go/Node). CVE clearing WITHOUT forcing dependency floors: - Bump the Python floor to ^3.10. The CVE-fixed cryptography (>=46) and pyjwt (>=2.12) require Python >=3.10 upstream, so a single CVE-clean lockfile cannot span 3.8/3.9. This is the only breaking change. - All runtime dependency pins are UNCHANGED (thrift ~=0.22.0, urllib3 >=1.26, requests ^2.18.1, pyjwt ^2.0.0, pyarrow floors). The existing constraints already ALLOW the CVE-free versions; the refreshed lock simply resolves to them (urllib3 2.7.0, cryptography 49.0.0, pyarrow 23.0.1, requests 2.34.2, pyjwt 2.13.0, idna 3.18, python-dotenv 1.2.2). Customers do not need us to relax or raise any pin to become CVE-free. - thrift stays ~=0.22.0 (no known advisory; the <0.23 cap avoids the ES-1960554 DBR-LTS install break). - Bump dev-only black ^22 -> ^26 and pytest ^7 -> ^9 to clear their advisories (never shipped in the wheel); reformat src with black 26. Result: OSV-Scanner v2.3.8 reports 0 findings on the refreshed lock; osv-scanner.toml needs no suppressions. Co-authored-by: Isaac Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
6 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Throw when failed to download file
Retry properly while downloading file
Add a bunch of debug logs
Prevent thread issues
TODO: http connection pools for cloud storage, proxies, etc.
Also backported to version 2