
Document the treatment of the GIT ecosystem #2329

Open
yashrsharma44 opened this issue Jun 19, 2024 · 3 comments
Labels
documentation Improvements or additions to documentation

Comments

@yashrsharma44

Describe the bug

While checking the zip file which contains all the vulns in the feed, some of them are missing from the zip file.
For instance -

GSD-2022-1001781

I can see them in the feed - https://osv-vulnerabilities.storage.googleapis.com/GIT/GSD-2022-1001781.json, but for some reason, they are missing from the zip file

To Reproduce
Steps to reproduce the behaviour:
Already shared in the error description

Expected behaviour
Vulnerability should be present
Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.

@andrewpollock
Contributor

This recently confused me as well and there's an opportunity here to make the handling of this clearer in the documentation, and perhaps even as a README embedded in the zip file itself, to ensure discoverability...

Basically, the GIT ecosystem is a "synthetic" ecosystem, conditionally added at import time:

osv.dev/osv/models.py

Lines 378 to 387 in f860e73

```python
        # Only attempt to add the Git ecosystem if
        # there are no existing ecosystems present
        if not ecosystems_set:
          for pkg in self.affected_packages:
            for r in pkg.ranges:
              if r.type == 'GIT':
                ecosystems_set.add('GIT')
                break
            if 'GIT' in ecosystems_set:
              break
```

If you look at https://osv-vulnerabilities.storage.googleapis.com/GIT/GSD-2022-1001781.json, you'll note the ecosystem named there is Linux, so because there's already an ecosystem present, one isn't synthesized for this record.

In other words, you'll find this particular record in the Linux ecosystem export, not the GIT one, which I agree is somewhat weird and violates the principle of least surprise. Apologies for this user experience.
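To make the export behaviour described above concrete, here is an added example (not osv.dev's own code) that mirrors the conditional GIT-ecosystem synthesis and predicts which per-ecosystem export a record lands in. The record shapes and the `EXAMPLE-0001` id are constructed, and `ecosystems_for_record` is an assumed simplification of the import logic, not the project's function.

```python
# Added example, not osv.dev code: models the "synthetic" GIT ecosystem rule
# to show why a record with a named ecosystem never reaches the GIT export.

def ecosystems_for_record(record: dict) -> set:
    """Collect ecosystems the way the quoted import step does: ecosystems
    named on affected packages first; 'GIT' only when none were found and
    some affected range is of type GIT. (Assumed simplification.)"""
    ecosystems_set = set()
    for pkg in record.get("affected", []):
        eco = pkg.get("package", {}).get("ecosystem")
        if eco:
            ecosystems_set.add(eco)
    # Only attempt to add the Git ecosystem if
    # there are no existing ecosystems present
    if not ecosystems_set:
        for pkg in record.get("affected", []):
            if any(r.get("type") == "GIT" for r in pkg.get("ranges", [])):
                ecosystems_set.add("GIT")
                break
    return ecosystems_set


def export_paths(record: dict) -> list:
    """Object paths under gs://osv-vulnerabilities/ that the record
    would be exported to, one per ecosystem in its ecosystem set."""
    return sorted(f"{eco}/{record['id']}.json"
                  for eco in ecosystems_for_record(record))


# Constructed record mirroring the shape of GSD-2022-1001781: ecosystem
# "Linux" is named, and there is also a GIT range. Because an ecosystem
# is already present, no GIT ecosystem is synthesized.
LINUX_WITH_GIT_RANGE = {
    "id": "GSD-2022-1001781",
    "affected": [{
        "package": {"ecosystem": "Linux", "name": "Kernel"},
        "ranges": [{"type": "GIT", "repo": "https://example.invalid/kernel.git"}],
    }],
}

# Constructed record with only a GIT range and no package ecosystem:
# this is the case where the synthetic GIT ecosystem is added.
GIT_ONLY = {
    "id": "EXAMPLE-0001",
    "affected": [{
        "ranges": [{"type": "GIT", "repo": "https://example.invalid/app.git"}],
    }],
}
```

Running `export_paths` on the two records shows the first lands only in `Linux/`, while the second lands in `GIT/`.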

@andrewpollock andrewpollock changed the title Missing entries in the gs://osv-vulnerabilities/GIT/all.zip Document the treatment of the GIT ecosystem Jun 20, 2024
@andrewpollock andrewpollock added the documentation Improvements or additions to documentation label Jun 20, 2024
@yashrsharma44
Author

Ahh, didn't know about the assumption that the GIT feed doesn't contain feeds from the "Linux" ecosystem. Thanks for letting me know!

@yashrsharma44
Author

Keeping this open, for tracking the documentation issue though.
