We currently place a lot of trust in our data sources to not publish bad data outside of their jurisdiction.
Nearly all data sources should only actually publish for 1 or 2 ecosystems.
We should add a list of expected ecosystems to our SourceRepository / source.yaml and filter out affected[] for things that do not match when we ingest.
GHSA & Malicious Packages would need an exception, since we trust them to publish for most ecosystems anyway.
Similarly, we might want to restrict alias computation for some ecosystems that may be misusing the aliases field and causing unnecessary linkages between records.
We currently place a lot of trust in our data sources to not publish bad data outside of their jurisdiction.
Nearly all data sources should only actually publish for 1 or 2 ecosystems.
We should add a list of expected ecosystems to our SourceRepository / source.yaml and filter out
affected[]for things that do not match when we ingest.GHSA & Malicious Packages would need an exception, since we trust them to publish for most ecosystems anyway.
Similarly, we might want to restrict alias computation for some ecosystems that may be misusing the aliases field and causing unnecessary linkages between records.