Skip to content

Don't scan local packages #583

Description

@ruromero

When a package url references a local repository (i.e. repository_url=local) it will not be sent to the vulnerability providers because it can cause inaccurate reports. Even if the purl exists it might've been modified or not correspond to the published package.

This will happen mainly for rust projects in Cargo.toml files using local paths

Related to guacsec/trustify-da-javascript-client#411

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions