External API Configuration


Develocity Provenance Governor communicates with two external APIs to generate dependency insights during Policy Scan™ evaluations:

  • OSV (Open Source Vulnerabilities) — vulnerability data from osv.dev

  • OSI (Open Source Insights) — package metadata, licenses, and version history from deps.dev

Both clients support configurable retry with exponential backoff, concurrency limits, and graceful degradation when retries are exhausted. All properties are optional — sensible defaults are applied when omitted.

OSV Properties

osv.retries.attempts (int, default: 3)
  Maximum number of retry attempts for transient failures.

osv.retries.min-backoff (duration, default: 1s)
  Minimum backoff duration between retries (exponential backoff).

osv.batch-size (int, default: 1000)
  Maximum queries per OSV batch call. Hard-capped at 1000 (OSV API limit); values above 1000 are clamped with a warning.

osv.max-concurrency (int, default: 20)
  Maximum concurrent OSV requests for batch and detail fetching.

osv.base-url (string, default: https://api.osv.dev)
  Base URL of the OSV API.

osv.max-in-memory-size (data size, default: 10000KB)
  Maximum in-memory buffer size for response decoding. The value is a number followed by a unit: B (bytes), KB (kilobytes), MB (megabytes), GB (gigabytes), or TB (terabytes). For example, 10000KB and 10MB are roughly equivalent.

OSI Properties

osi.retries.attempts (int, default: 3)
  Maximum number of retry attempts for transient failures.

osi.retries.min-backoff (duration, default: 1s)
  Minimum backoff duration between retries (exponential backoff).

osi.max-concurrency (int, default: 10)
  Maximum concurrent OSI requests. Reduced from a previous default of 20 to lower the risk of triggering rate limits.

osi.base-url (string, default: https://api.deps.dev)
  Base URL of the OSI API.

osi.max-in-memory-size (data size, default: 10000KB)
  Maximum in-memory buffer size for response decoding. The value is a number followed by a unit: B (bytes), KB (kilobytes), MB (megabytes), GB (gigabytes), or TB (terabytes). For example, 10000KB and 10MB are roughly equivalent.

Retry Behavior

Transient failures are automatically retried with exponential backoff. The following error types are classified as retryable:

  • HTTP 5xx server errors

  • HTTP 429 Too Many Requests

  • Network-level errors (I/O exceptions, channel errors)

When all retries are exhausted:

  • Vulnerability lookups — the affected vulnerability is silently omitted from the report.

  • Package metadata lookups — the package is treated as if the OSI API returned no data.

This ensures that a single flaky API call does not fail an entire scan. The trade-off is a potentially incomplete result: a vulnerability dropped after retry exhaustion is not flagged in the report, so retry-exhaustion messages in the logs are worth monitoring rather than ignoring.
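The following Python is an added model of the retry behaviour described in this section; it is not the Governor's own code. It assumes the delay doubles from min-backoff on each retry, that attempts counts the retries made after the first call, and represents a dropped lookup as None; the HttpError class, RetryPolicy and simulate helper are constructed for the illustration.

```python
from typing import Callable, List, NamedTuple, Optional

# Constructed model of the retry behaviour above, not the Governor's own
# code. Assumed: the delay doubles from min-backoff on each retry, and
# attempts counts retries made after the first call.
class HttpError(Exception):
    def __init__(self, status: int):
        super().__init__(f"HTTP {status}")
        self.status = status

def is_retryable(exc: BaseException) -> bool:
    """HTTP 5xx, HTTP 429 and network errors retry; others surface at once."""
    if isinstance(exc, HttpError):
        return exc.status >= 500 or exc.status == 429
    return isinstance(exc, OSError)  # I/O and connection errors

class RetryPolicy(NamedTuple):
    attempts: int = 3         # <api>.retries.attempts
    min_backoff: float = 1.0  # <api>.retries.min-backoff, in seconds

    def backoff_delays(self) -> List[float]:
        """Delay before retry 1..attempts: 1s, 2s, 4s with the defaults."""
        return [self.min_backoff * 2 ** i for i in range(self.attempts)]

def call_with_retry(fn: Callable[[], object], policy: RetryPolicy,
                    sleep: Callable[[float], None], log: List[str]) -> Optional[object]:
    """Retry transient failures with exponential backoff; on exhaustion log
    the event and return None (the lookup is dropped, the scan continues)."""
    delays = policy.backoff_delays()
    for attempt in range(policy.attempts + 1):
        try:
            return fn()
        except Exception as exc:
            if not is_retryable(exc):
                raise  # permanent failure: surface immediately
            if attempt == policy.attempts:
                log.append(f"retries exhausted ({attempt} retries): {exc}")
                return None
            sleep(delays[attempt])

def simulate(outcomes: List[object], policy: RetryPolicy = RetryPolicy()):
    """Drive call_with_retry over a constructed sequence of outcomes."""
    queue, slept, log = list(outcomes), [], []
    def fn():
        item = queue.pop(0)  # each entry: exception to raise or value to return
        if isinstance(item, BaseException):
            raise item
        return item
    return call_with_retry(fn, policy, slept.append, log), slept, log
```

Running simulate with four consecutive HTTP 500 outcomes shows the 1s, 2s, 4s waits followed by a logged exhaustion and a None result, while a single HTTP 404 is raised without any retry.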

Configuration Example

osv:
  retries:
    attempts: 3
    min-backoff: 1s
  batch-size: 1000
  max-concurrency: 20

osi:
  retries:
    attempts: 3
    min-backoff: 1s
  max-concurrency: 10

Tuning for Rate-Limited Environments

If you observe frequent retry exhaustion in logs, consider:

  • Reducing max-concurrency — lowers burst pressure on the external API (e.g., osi.max-concurrency: 5).

  • Increasing min-backoff — gives the external API more time to recover between retries.

  • Reducing osv.batch-size — sends smaller batches to the OSV API if large batches trigger rate limiting.