Skip to content

Log analyze errors for HuggingFace analyzer#5130

Open
kashifkhan0771 wants to merge 1 commit into
trufflesecurity:mainfrom
kashifkhan0771:kashif/int-645
Open

Log analyze errors for HuggingFace analyzer#5130
kashifkhan0771 wants to merge 1 commit into
trufflesecurity:mainfrom
kashifkhan0771:kashif/int-645

Conversation

@kashifkhan0771

@kashifkhan0771 kashifkhan0771 commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Description:

Thread ctx through HuggingFace analyzer's request chain, log every failure at origin.

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

Note

Low Risk
Analyzer-only changes with clearer errors and logging; the models API non-200 handling may surface failures that were previously masked.

Overview
Improves observability and request hygiene for the HuggingFace analyzer by passing context.Context through AnalyzeAnalyzePermissionsgetTokenInfo / getModelsByAuthor, using http.NewRequestWithContext, and logging failures at the source (missing key, HTTP/JSON errors, invalid token, unexpected status on model fetches).

Behavior change: getModelsByAuthor now returns an error when the models API response is not 200 OK (previously it would attempt to decode the body regardless). Response bodies are drained with io.Copy(io.Discard, …) before close on both HF API calls. The CLI helper AnalyzeAndPrintPermissions calls AnalyzePermissions with context.Background().

Reviewed by Cursor Bugbot for commit b8ea73d. Bugbot is set up for automated code reviews on this repo. Configure here.

@kashifkhan0771
kashifkhan0771 requested a review from a team July 15, 2026 06:26
@kashifkhan0771
kashifkhan0771 requested a review from a team as a code owner July 15, 2026 06:26

@MuneebUllahKhan222 MuneebUllahKhan222 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Two non-blocking comments.

Comment thread pkg/analyzer/analyzers/huggingface/huggingface.go Outdated
Comment thread pkg/analyzer/analyzers/huggingface/huggingface.go Outdated

@cursor cursor Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

Reviewed by Cursor Bugbot for commit 557af3d. Configure here.

Comment thread pkg/analyzer/analyzers/huggingface/huggingface.go
Thread ctx through HuggingFace analyzer's request chain, log every failure at origin.

@unsmith unsmith left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Logic looks sound, left a couple comments to think about. Otherwise LGTM!

}()

// check if the response is 200
if resp.StatusCode != 200 {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

legacy nit: should this use http.StatusOK to avoid magic numbers?


// check if the response is 200
if resp.StatusCode != 200 {
ctx.Logger().Error(fmt.Errorf("invalid/revoked huggingface access token"), "huggingface token invalid while fetching whoami", "status_code", resp.StatusCode)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Noting this here, but it kinda applies to all the loglines - do we want these to be at error level, or are they just informational for debugging? There's two places where an error is logged but no error is actually returned, suggesting it's not really an error. I'm wondering if this will be overly noisy in production at an Error level.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants