Data quality issue with VSCode Extension Unique Identifiers (hyperlinks in https://osv.dev/vulnerability/ ... )

[devex-luis]

Example: https://osv.dev/vulnerability/MAL-2025-191167

The reports produced for the VSCode ecosystem does not use the correct unique identifiers for the vscode extensions sourced from the openvsx registry and when you click on the hyperlink as: https://open-vsx.org/SIRILMP.dark-theme-sm (I believe is embedded in the JSON response), you will not be able to view the openvsx marketplace entry for it

VSCode marketplace unique identifier: <publisher.name-of-extension>

OpenVSX marketplace unique identifier: <publisher/name-of-extension>

• In the openvsx registry, the eclipse foundation uses the concept of a {workspace} for each publisher

[devex-luis]

Please add the data_quality label, sorry.

[github-actions]

✨ Thank you for your interest in OSV.dev's data quality! ✨

Please review our FAQ entry on how to most efficiently have this addressed.

[michaelkedar]

Hi,
I'm not sure I understand the issue. I don't think I see that hyperlink generated anywhere on the OSV.dev website nor in the JSON response.
The use of . in the identifier is as is specified in the osv-schema (though, maybe it's a bit ambiguous):

The Visual Studio Code extensions ecosystem; the name is the <publisher>.<name> string which uniquely identifies a package. This identifier is composed from the Publisher and Id attributes of the Identity element in the package’s .vsixmanifest file. It also corresponds to the itemName parameter of the package as found on the Visual Studio Marketplace for VS Code extensions page, or the namespace and name fields of the OpenVSX API response for the target package.

[devex-luis]

The screenshot here is from the OSV vulns database, where the VSCode ecosystem has been selected. I will clarify that it is not a link, per se and what I'm trying to highlight is that the unique identifier of the extension in the VSCode Marketplace is correct (e.g., using the "." between the publisher and the name of the extension). However, in openvsx, you can't copy and paste this and land on the entry for this extension to get more details about it. That is because they use namespace and it uses a different format.

Here are two examples:

In the VSCode Marketplace, you see that you can access this extension like this: https://marketplace.visualstudio.com/items?itemName=SIRILMP.dark-theme-sm (i.e., SIRILMP.dark-theme-sm) is correct and it is applicable for VSCode Public Marketplace (from Microsoft)

In the OpenVSX registry marketplace, you see that you can't access the entry same way as above. Instead, you have to use this: https://open-vsx.org/extension/SIRILMP/dark-theme-sm. In the screenshot attached, you have appended the open-vsx.org/ prefix to a format that doesn't apply to things hosted in OpenVSX.

Two Possibilities to fix (depending on the version that has the vulns, and where it is published):

• Use VSCode:https://marketplace.visualstudio.com/items?itemName=
• Use VSCode:https://openv-vsx.org/extension/

[michaelkedar]

Oh, I see!
These strings are actually not intended to be URLs - they are in the format <ecosystem>/<package> e.g. npm/jquery
It's unfortunate in this case the ecosystem is VSCode:https://open-vsx.org so it looks like a URL when put together.
I'll have a think about how we can format these strings better to avoid this confusion.
Thanks for pointing this out!

Otherwise, I believe using . to delimit the namespace and name in the OSV's affected[].package.name field is how the schema says to do it, so I don't believe any change is necessary there.

[devex-luis]

Yes! You're welcome! And I understand that they're not intended to be URLs and that it is what the OSV schema is defined as.

[michaelkedar]

I've created #4515 to explain the website rendering issue in more detail, so I'm marking this issue as closed as there is nothing else to be done.