fix(scanner): scope OpenVSX extension OSV lookups to marketplace ecosystem#749
Merged
KunalSin9h merged 2 commits intoJul 2, 2026
Merged
Conversation
…ystem Pass explicit OsvEcosystem values when enriching VS Code and OpenVSX extension packages via Insights API v2. Without this scoping, npm malware advisories with colliding package names were incorrectly applied to OpenVSX extensions during vet scan --vsx. Fixes safedep#730 Signed-off-by: syf2211 <syf2211@users.noreply.github.com>
SafeDep Report SummaryNo dependency changes detected. Nothing to scan. This report is generated by SafeDep Github App |
Member
|
@KunalSin9h Can you please review this. Looks like an important fix. |
Member
|
@syf2211 go linter is failing, please fix that. Error: pkg/scanner/enrich_insightsv2_test.go:56:1: File is not properly formatted (gci)
Manifest: models.NewPackageManifestFromLocal("lib/apk/db/installed", ecosystem),
^
1 issues:
* gci: 1
not a big deal, if you can't then leave it. |
Contributor
Author
|
Fixed the gci formatting issue in enrich_insightsv2_test.go (struct field alignment). Pushed in 966a815. |
KunalSin9h
approved these changes
Jul 2, 2026
KunalSin9h
left a comment
Member
There was a problem hiding this comment.
@syf2211 thanks for contribtion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



Summary
Scope Insights API v2 vulnerability lookups for VS Code and OpenVSX extension packages to their marketplace-specific OSV ecosystems, preventing npm malware advisories with colliding package names from being applied to extensions during
vet scan --vsx.Motivation
Fixes #730. When scanning OpenVSX extensions (e.g.
llvm-vs-code-extensions.vscode-clangd), vet could incorrectly flag them as verified npm malware because OSV lookups were not scoped to the extension marketplace. The underlying npm package with a similar name is unrelated to the OpenVSX extension.OSSF malicious-packages uses separate OSV ecosystems:
vscode— VS Code Marketplacevscode:open-vsx.org— OpenVSX registryChanges
models.GetOsvEcosystem()mapping internal extension ecosystems to OSV identifiersbuildInsightsV2Request()and passOsvEcosystemfor extension packages in Insights API v2 enrichmentTests
Result: all tests passed.
Notes
OsvEcosystemfor malware/OSV lookups (same field already used for distro scoping).vet scan --vsxagainst a live machine with the reported extension installed (no local extension fixtures with the collision case).