Skip to content

fix(scanner): scope OpenVSX extension OSV lookups to marketplace ecosystem#749

Merged
KunalSin9h merged 2 commits into
safedep:mainfrom
syf2211:fix/730-vsx-cross-ecosystem-pollution
Jul 2, 2026
Merged

fix(scanner): scope OpenVSX extension OSV lookups to marketplace ecosystem#749
KunalSin9h merged 2 commits into
safedep:mainfrom
syf2211:fix/730-vsx-cross-ecosystem-pollution

Conversation

@syf2211

@syf2211 syf2211 commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Summary

Scope Insights API v2 vulnerability lookups for VS Code and OpenVSX extension packages to their marketplace-specific OSV ecosystems, preventing npm malware advisories with colliding package names from being applied to extensions during vet scan --vsx.

Motivation

Fixes #730. When scanning OpenVSX extensions (e.g. llvm-vs-code-extensions.vscode-clangd), vet could incorrectly flag them as verified npm malware because OSV lookups were not scoped to the extension marketplace. The underlying npm package with a similar name is unrelated to the OpenVSX extension.

OSSF malicious-packages uses separate OSV ecosystems:

  • vscode — VS Code Marketplace
  • vscode:open-vsx.org — OpenVSX registry

Changes

  • Add models.GetOsvEcosystem() mapping internal extension ecosystems to OSV identifiers
  • Extract buildInsightsV2Request() and pass OsvEcosystem for extension packages in Insights API v2 enrichment
  • Add unit tests for mapping and request construction

Tests

go test ./pkg/models/... ./pkg/scanner/... -run 'TestGetOsvEcosystem|TestBuildInsightsV2Request' -count=1

Result: all tests passed.

Notes

  • This is a client-side scoping fix; control-tower must honor OsvEcosystem for malware/OSV lookups (same field already used for distro scoping).
  • Insights v1 path is unchanged; Insights v2 is the default enrichment path.
  • Did not run a full end-to-end vet scan --vsx against a live machine with the reported extension installed (no local extension fixtures with the collision case).

…ystem

Pass explicit OsvEcosystem values when enriching VS Code and OpenVSX
extension packages via Insights API v2. Without this scoping, npm malware
advisories with colliding package names were incorrectly applied to
OpenVSX extensions during vet scan --vsx.

Fixes safedep#730

Signed-off-by: syf2211 <syf2211@users.noreply.github.com>
@safedep

safedep Bot commented Jun 30, 2026

Copy link
Copy Markdown

SafeDep Report Summary

Green Malicious Packages Badge Green Vulnerable Packages Badge Green Risky License Badge

No dependency changes detected. Nothing to scan.

View complete scan results →

This report is generated by SafeDep Github App

@abhisek abhisek requested a review from KunalSin9h July 1, 2026 04:27
@abhisek

abhisek commented Jul 1, 2026

Copy link
Copy Markdown
Member

@KunalSin9h Can you please review this. Looks like an important fix.

@KunalSin9h

KunalSin9h commented Jul 1, 2026

Copy link
Copy Markdown
Member

@syf2211 go linter is failing, please fix that.

Error: pkg/scanner/enrich_insightsv2_test.go:56:1: File is not properly formatted (gci)
  			Manifest: models.NewPackageManifestFromLocal("lib/apk/db/installed", ecosystem),
  ^
  1 issues:
  * gci: 1

not a big deal, if you can't then leave it.

@syf2211

syf2211 commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

Fixed the gci formatting issue in enrich_insightsv2_test.go (struct field alignment). Pushed in 966a815.

@KunalSin9h KunalSin9h left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@syf2211 thanks for contribtion.

@KunalSin9h KunalSin9h merged commit 7993641 into safedep:main Jul 2, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Vet Scan for VsCode Extensions (+OpenVSX) resolving in cross ecosystem result pollution.

3 participants