Question: How to scan against the GIT ecosystem?

[landesfeind]

The OSV.dev database contains CVEs published through Github advisories in the Git ecosystem. When trying to scan dependencies of a project in this ecosystem, the scanning fails with { "code": 3, "message": "Invalid ecosystem" }.

Is this because of "GIT" not being a well-supported ecosystem by definition of the Open Source Vulnerability format? Is there a way to mitigate this?

Minimal working example

osv-scanner --lockfile=osv-scanner:mwe.json

where mwe.json contains

{ 
  "results": [
    {
      "packages": [
        {
          "package": {
            "ecosystem": "GIT",
            "name": "github.com/typo3/typo3",
            "version": "v10.0.0"
          }
        }
      ]
    }
  ]
}

This should result in the reporting of (at least) CVE-2024-34537.

$ osv-scanner --version
osv-scanner version: 1.9.0
commit: 1386406b64edd4544696183f273139ef9298f5df
built at: 2024-10-02T05:22:27Z

For completeness, using purl instead does not solve the problem because then the package is filtered out as a "local" package. Here is the mwe for that:

{ 
  "results": [
    {
      "packages": [
        {
          "package": {
            "purl": "pkg:github/typo3/typo3@v10.0.0"
          }
        }
      ]
    }
  ]
}

[landesfeind]

I think it is related to this discussion in the osv.dev repo and I will follow up there.