When a package url references a local repository (i.e. repository_url=local) it will not be sent to the vulnerability providers because it can cause inaccurate reports. Even if the purl exists it might've been modified or not correspond to the published package.
This will happen mainly for rust projects in Cargo.toml files using local paths
Related to guacsec/trustify-da-javascript-client#411
When a package url references a local repository (i.e.
repository_url=local) it will not be sent to the vulnerability providers because it can cause inaccurate reports. Even if the purl exists it might've been modified or not correspond to the published package.This will happen mainly for rust projects in
Cargo.tomlfiles using local pathsRelated to guacsec/trustify-da-javascript-client#411