fix: reject unknown ecosystems instead of silently defaulting to pypi

This commit is contained in:
Marker689
2026-05-11 19:59:47 +03:00
parent a6cd20e41c
commit fb5559b8b7
3 changed files with 25 additions and 5 deletions


@@ -10,7 +10,6 @@ from fastapi import APIRouter, BackgroundTasks, Header, HTTPException, Request,
from ..config import config
from ..constants import (
DEFAULT_ECOSYSTEM,
METADATA_PATTERNS,
PACKAGE_EXTENSIONS,
RELEVANT_WEBHOOK_ACTIONS,
@@ -50,7 +49,7 @@ def _extract_asset_path(asset: dict) -> str | None:
return None
def _detect_ecosystem(source: dict) -> str:
def _detect_ecosystem(source: dict) -> str | None:
"""Detect ecosystem from asset or component format field."""
fmt = source.get("format", "").lower()
if fmt in ("pypi", "pip", "python"):
@@ -59,7 +58,7 @@ def _detect_ecosystem(source: dict) -> str:
return "go"
if fmt in ("npm", "node"):
return "npm"
return DEFAULT_ECOSYSTEM
return None
@router.post("/nexus")
@@ -121,6 +120,8 @@ async def nexus_webhook(
download_url = asset.get("downloadUrl") or _build_download_url(repository, asset_path)
ecosystem = _detect_ecosystem(asset)
if ecosystem is None:
return {"status": WEBHOOK_STATUS_IGNORED, "reason": "unknown_ecosystem"}
log.info("Webhook: %s asset %s (%s) in %s", action, asset_path, ecosystem, repository)
@@ -145,6 +146,9 @@ async def nexus_webhook(
}
ecosystem = _detect_ecosystem(component)
if ecosystem is None:
return {"status": WEBHOOK_STATUS_IGNORED, "reason": "unknown_ecosystem"}
background_tasks.add_task(_scan_component, repository, name, version, ecosystem)
return {
"status": WEBHOOK_STATUS_ACCEPTED,
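Review bot: `_detect_ecosystem` still lowercases `source.get("format", "")` unguarded, so a webhook payload carrying `"format": null` or a non-string value raises AttributeError and surfaces as a 500 rather than the `unknown_ecosystem` ignore this change introduces; `fmt = str(source.get("format") or "").lower()` closes that gap. The two new early returns in `nexus_webhook` (asset branch and component branch) also discard the event without a log line, unlike the accepted path just below the asset check which logs at info; recording the rejected value, e.g. `log.warning("Webhook: ignoring %s in %s: unknown format %r", asset_path, repository, asset.get("format"))`, lets operators notice a new Nexus format being silently skipped. Since DEFAULT_ECOSYSTEM is no longer imported here, it is worth confirming the constant was removed or is still used elsewhere so it does not linger as a dead fallback. `nexus_webhook` continues outside the hunk.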