Disable network retries in tests to fail fast on missing cassettes

If a VCR cassette or a specific interaction is missing, the OSV client
would previously retry the request 4 times with exponential backoff,
causing significant delays in test execution (over 20 seconds).

This change disables retries by setting MaxNetworkQueryAttempts to 1 when
running in a test environment (detected via testing.Testing()).
This allows tests to fail immediately (~0.02s) when a cassette or
interaction is missing.

- Added MaxNetworkQueryAttempts to osvscanner.ExperimentalScannerActions
- Configured osvmatcher to use MaxNetworkQueryAttempts
- Automatically set MaxNetworkQueryAttempts to 1 in CLI tests

Author: another-rex

cmd/osv-scanner/internal/helper/getters.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"net/http"
 	"strings"
+	"testing"
 
 	"github.com/google/osv-scanner/v2/internal/spdx"
 	"github.com/google/osv-scanner/v2/pkg/osvscanner"
@@ -50,11 +51,19 @@ func GetCommonScannerActions(cmd *cli.Command, scanLicensesAllowlist []string) o
 }
 
 func GetExperimentalScannerActions(cmd *cli.Command, client *http.Client) osvscanner.ExperimentalScannerActions {
+	maxNetworkQueryAttempts := 0
+	if testing.Testing() {
+		// In tests, we want to fail fast on missing VCR cassettes or missing interactions.
+		// Setting MaxNetworkQueryAttempts to 1 means only the initial attempt is made (0 retries).
+		maxNetworkQueryAttempts = 1
+	}
+
 	return osvscanner.ExperimentalScannerActions{
 		PluginsEnabled:         cmd.StringSlice("experimental-plugins"),
 		PluginsDisabled:        cmd.StringSlice("experimental-disable-plugins"),
 		PluginsNoDefaults:      cmd.Bool("experimental-no-default-plugins"),
 		HTTPClient:             client,
+		MaxNetworkQueryAttempts: maxNetworkQueryAttempts,
 		FlagDeprecatedPackages: cmd.Bool("experimental-flag-deprecated-packages"),
 	}
 }

internal/clients/clientimpl/osvmatcher/osvmatcher.go

@@ -45,13 +45,22 @@ type OSVMatcher struct {
 	InitialQueryTimeout time.Duration
 }
 
-func New(initialQueryTimeout time.Duration, userAgent string, httpClient *http.Client) *OSVMatcher {
+// New creates a new OSVMatcher.
+// maxNetworkQueryAttempts specifies the maximum number of attempts for a network request (including the initial attempt).
+// A value of 1 means only the initial attempt is made (0 retries).
+// If set to 0, the default number of attempts from the underlying client (4) will be used.
+func New(initialQueryTimeout time.Duration, userAgent string, httpClient *http.Client, maxNetworkQueryAttempts int) *OSVMatcher {
 	if httpClient == nil {
 		httpClient = http.DefaultClient
 	}
 
 	config := osvdev.DefaultConfig()
 	config.UserAgent = userAgent
+	if maxNetworkQueryAttempts > 0 {
+		// osvdev.Config.MaxRetryAttempts actually controls the maximum number of attempts,
+		// where 1 means 1 attempt (0 retries).
+		config.MaxRetryAttempts = maxNetworkQueryAttempts
+	}
 
 	return &OSVMatcher{
 		Client: osvdev.OSVClient{

pkg/osvscanner/osvscanner.go

@@ -79,6 +79,12 @@ type ExperimentalScannerActions struct {
 
 	HTTPClient *http.Client
 
+	// MaxNetworkQueryAttempts specifies the maximum number of attempts for a network request.
+	// This includes the initial attempt.
+	// A value of 1 means only the initial attempt is made (0 retries).
+	// If set to 0, the default number of attempts from the underlying client will be used.
+	MaxNetworkQueryAttempts int
+
 	// Report deprecated packages as findings
 	FlagDeprecatedPackages bool
 
@@ -138,7 +144,7 @@ func initializeExternalAccessors(actions ScannerActions) (ExternalAccessors, err
 	// Online Mode
 	// -----------
 	// --- Vulnerability Matcher ---
-	externalAccessors.VulnMatcher = osvmatcher.New(5*time.Minute, userAgent, actions.HTTPClient)
+	externalAccessors.VulnMatcher = osvmatcher.New(5*time.Minute, userAgent, actions.HTTPClient, actions.MaxNetworkQueryAttempts)
 
 	// --- License Matcher ---
 	if len(actions.ScanLicensesAllowlist) > 0 || actions.ScanLicensesSummary {