Skip to content

fix: map cargo PURL to canonical ecosystem so malware is detected#744

Merged
KunalSin9h merged 1 commit into
mainfrom
fix/cargo-purl-malware-ecosystem
Jun 11, 2026
Merged

fix: map cargo PURL to canonical ecosystem so malware is detected#744
KunalSin9h merged 1 commit into
mainfrom
fix/cargo-purl-malware-ecosystem

Conversation

@KunalSin9h

Copy link
Copy Markdown
Member

vet scan --purl pkg:cargo/... never queried malware analysis for the correct ecosystem. PurlTypeToEcosystem("cargo") returned lockfile.CargoEcosystem ("crates.io"), but GetControlTowerSpecEcosystem switches on vet's model ecosystem constants (EcosystemCargo == "Cargo"), so it fell through to ECOSYSTEM_UNSPECIFIED and the malware query was sent without an ecosystem. Cargo was the only mismatch since other osv-scanner ecosystem strings coincidentally equal vet's model constants.

Map cargo to the canonical model ecosystem, consistent with the existing GitHub Actions / VSCode / OpenVSX entries.

vet scan --purl pkg:cargo/... never queried malware analysis for the
correct ecosystem. PurlTypeToEcosystem("cargo") returned
lockfile.CargoEcosystem ("crates.io"), but GetControlTowerSpecEcosystem
switches on vet's model ecosystem constants (EcosystemCargo == "Cargo"),
so it fell through to ECOSYSTEM_UNSPECIFIED and the malware query was
sent without an ecosystem. Cargo was the only mismatch since other
osv-scanner ecosystem strings coincidentally equal vet's model constants.

Map cargo to the canonical model ecosystem, consistent with the existing
GitHub Actions / VSCode / OpenVSX entries.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@KunalSin9h KunalSin9h requested a review from abhisek June 11, 2026 06:20
@safedep

safedep Bot commented Jun 11, 2026

Copy link
Copy Markdown

SafeDep Report Summary

Green Malicious Packages Badge Green Vulnerable Packages Badge Green Risky License Badge

No dependency changes detected. Nothing to scan.

View complete scan results →

This report is generated by SafeDep Github App

@codecov

codecov Bot commented Jun 11, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 12.41%. Comparing base (d4f819f) to head (5273423).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #744   +/-   ##
=======================================
  Coverage   12.41%   12.41%           
=======================================
  Files         372      372           
  Lines       49231    49231           
=======================================
  Hits         6114     6114           
  Misses      42632    42632           
  Partials      485      485           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@KunalSin9h KunalSin9h merged commit ed5b09d into main Jun 11, 2026
16 checks passed
@KunalSin9h KunalSin9h deleted the fix/cargo-purl-malware-ecosystem branch June 11, 2026 06:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants