Skip to content

[pull] main from guacsec:main#208

Merged
pull[bot] merged 6 commits into
trustification:mainfrom
guacsec:main
Jul 14, 2026
Merged

[pull] main from guacsec:main#208
pull[bot] merged 6 commits into
trustification:mainfrom
guacsec:main

Conversation

@pull

@pull pull Bot commented Jul 14, 2026

Copy link
Copy Markdown

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

mrrajan and others added 6 commits July 14, 2026 07:35
Add ProxyOptions::auto() to FetchOptions in GitWalker so that libgit2
honors HTTP_PROXY/HTTPS_PROXY environment variables when cloning
repositories. Without this, git-based importers (CVE, OSV-GitHub) fail
with connection timeouts in proxy-required environments because libgit2
defaults to GIT_PROXY_NONE.

The reproducer test uses a subprocess trampoline to verify proxy
settings are honored without modifying process-global environment
variables.

Implements TC-5174

Assisted-by: Claude Code
The test's maintenance cost outweighs the regression risk for a 3-line
proxy fix: it depends on network access to an external GitHub repository,
its stderr assertion is fragile across platforms, and the subprocess
trampoline is disproportionately complex. The git2 FetchOptions API does
not expose proxy state, so there is no clean way to unit-test the
configuration without hitting the network. This is consistent with
HTTP-based importers (reqwest), which also rely on implicit proxy
auto-detection with no proxy-specific tests.

Implements TC-5176

Assisted-by: Claude Code
Introduce a JsonSource trait that abstracts over JSON input sources
(&[u8] and serde_json::Value), allowing loaders to accept pre-parsed
Values without needing separate methods. Refactor CyclonedxLoader to
use the trait, extracting post-parse logic into a private ingest method.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…DocumentDetector

Introduce `DocumentDetector` that replaces the old `Format::from_bytes()` +
`Format::load()` stateless pipeline with a stateful detect-and-parse approach:

1. Detect wire format (JSON/YAML/XML) from the first non-whitespace byte
2. Parse into `serde_json::Value` (JSON and YAML) or keep raw bytes (XML)
3. Detect content type via cheap key lookups on the Value
4. Parse the Value all the way to the domain type (Csaf, Cve, etc.)
5. Return the fully-parsed document in a `DetectedDocument` enum

This eliminates double-parsing (detect then re-parse from scratch) and removes
the `jsn` streaming dependency. The `Format` enum is stripped down to just its
type definition, category matching, and serde impls.

Key changes:
- New `detect.rs` module with `DocumentDetector`, `WireFormat`, `DetectedDocument`
- `IngestorService::ingest` and `DatasetLoader` wired to use `DocumentDetector`
- `extract_sbom_purls` (UI module) switched to `DocumentDetector`
- `Format` enum cleaned up: removed all detection/loading methods
- `jsn` dependency removed from workspace
- Criterion benchmarks added for detection performance

Assisted-by: Claude Code

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When detect_as() receives a concrete format hint (e.g. CSAF) but the
wire format is XML, return UnsupportedFormat instead of silently creating
a CweCatalog document. This prevents format()/load() mismatch.

Addresses review feedback from sourcery-ai.

Assisted-by: Claude Code

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add doc comment to WireFormat enum explaining which content formats are
valid for each wire format (JSON/YAML/XML).

Addresses review feedback from sourcery-ai.

Assisted-by: Claude Code

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@pull pull Bot locked and limited conversation to collaborators Jul 14, 2026
@pull pull Bot added the ⤵️ pull label Jul 14, 2026
@pull
pull Bot merged commit 43a9314 into trustification:main Jul 14, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants