@@ -364,6 +364,23 @@ def patch_advisory(osv_id: str, sa_advisory: drupal.Advisory) -> bool:
364364 return False
365365
366366
367+ def fetch_drupal_packages_available_on_packagist () -> list [str ]:
368+ """
369+ Fetches a list of all Drupal packages that are available on packagist.org
370+ """
371+ resp = requests .get ('https://packagist.org/packages/list.json?vendor=drupal' )
372+
373+ if resp .status_code != 200 :
374+ raise Exception (
375+ f'unexpected response when fetching list of drupal packages available on packagist.org: { resp .status_code } '
376+ )
377+
378+ return typing .cast (list [str ], resp .json ()['packageNames' ])
379+
380+
381+ drupal_packages_available_on_packagist = fetch_drupal_packages_available_on_packagist ()
382+
383+
367384def unix_timestamp_to_rfc3339 (unix : int ) -> str :
368385 return datetime .fromtimestamp (int (unix ), tz = UTC ).strftime ('%Y-%m-%dT%H:%M:%S.000Z' )
369386
@@ -391,6 +408,14 @@ def build_osv_advisory(
391408 print (' \\ - ' + text_is .notice ('skipping as we do not have any affected versions' ))
392409 return None
393410
411+ composer_package_name = determine_composer_package_name (sa_advisory )
412+
413+ ecosystem = 'Packagist'
414+
415+ # record the Composer repository the affected package is sourced from
416+ if composer_package_name not in drupal_packages_available_on_packagist :
417+ ecosystem += ':https://packages.drupal.org/8'
418+
394419 osv_advisory : osv .Vulnerability = {
395420 'schema_version' : '1.7.0' ,
396421 'id' : osv_id ,
@@ -401,8 +426,8 @@ def build_osv_advisory(
401426 'affected' : [
402427 {
403428 'package' : {
404- 'ecosystem' : 'Packagist' ,
405- 'name' : determine_composer_package_name ( sa_advisory ) ,
429+ 'ecosystem' : ecosystem ,
430+ 'name' : composer_package_name ,
406431 },
407432 # todo: figure out how to map field_sa_criticality to severity
408433 # https://ossf.github.io/osv-schema/#severitytype-field
0 commit comments