Scan submission silently filters unknown-provider calls
Severity: Medium
Affected repos: extension
Component boundary: extension scan-results → API
Symptom
Before submitting a scan, the extension drops every apiCalls entry whose provider cannot be resolved (after the URL-based detection fallback). The user is not told. The result: a project with calls to a niche provider (or a self-hosted endpoint, or a typo'd hostname) shows fewer endpoints than the user can see in their own code.
Evidence
- extension/src/webview-provider.ts — shouldSubmitRemote() and the call-site filter pass drop unknown-provider entries before POSTing.
- No log line, no toast, no entry in the output channel.
Impact
- "Why does my scan show 12 endpoints when I have 20 outbound calls in my code?" with no explanation visible to the user.
- Loss of trust in scan accuracy.
Fix recommendation
Don't silently drop. Either:
- Submit unknown-provider calls with provider: "unknown" and let the API accept them (already happens to a degree). Display them in the dashboard under an "Unknown / unrecognized" bucket.
- Surface a one-line summary at the end of the scan:
"Scanned 20 calls. 8 dropped: hostname not recognized (acme.io: 5, internal.example: 3)."
Option 1 is the better long-term answer — every detected call is information, even if uncosted.
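A sketch of Option 1 with a summary line adapted from Option 2, added here as an example and not taken from the extension's code. The ApiCall shape, the function names, and the sample provider name are assumptions.

```typescript
// Added example. ApiCall, hostOf and prepareSubmission are hypothetical names,
// not the extension's own code.
interface ApiCall {
  url: string;
  provider?: string; // unset when detection, including the URL fallback, failed
}

// Hostname used for grouping; a URL that does not parse gets its own bucket.
function hostOf(url: string): string {
  try {
    return new URL(url).hostname || "(no host)";
  } catch {
    return "(unparsable URL)";
  }
}

// Keeps every call: unresolved ones are labelled "unknown" instead of filtered out.
function prepareSubmission(apiCalls: ApiCall[]) {
  const unknownByHost = new Map<string, number>();
  const calls = apiCalls.map((call) => {
    if (call.provider) return { url: call.url, provider: call.provider };
    const host = hostOf(call.url);
    unknownByHost.set(host, (unknownByHost.get(host) ?? 0) + 1);
    return { url: call.url, provider: "unknown" };
  });
  // Largest group first; ties broken by hostname so the summary is stable.
  const groups = Array.from(unknownByHost.entries()).sort(
    (a, b) => b[1] - a[1] || (a[0] < b[0] ? -1 : 1),
  );
  const unknownTotal = groups.reduce((sum, [, n]) => sum + n, 0);
  let summary = `Scanned ${calls.length} calls.`;
  if (unknownTotal > 0) {
    const detail = groups.map(([host, n]) => `${host}: ${n}`).join(", ");
    summary += ` ${unknownTotal} submitted as provider "unknown": hostname not recognized (${detail}).`;
  }
  return { calls, summary };
}

// Constructed sample input: one resolved call, four unresolved.
const SAMPLE_CALLS: ApiCall[] = [
  { url: "https://api.example.com/v1/chat", provider: "example-provider" },
  { url: "https://acme.io/a" },
  { url: "https://acme.io/b" },
  { url: "https://internal.example/x" },
  { url: "/relative/path" }, // no host: new URL() throws without a base
];
console.log(prepareSubmission(SAMPLE_CALLS).summary);
```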
Verification
- Scan a workspace containing a fetch("https://acme.fictional/data") call.
- Confirm either: (a) the call appears in the dashboard with provider: "unknown", or (b) a clear message in the scan summary explains it was dropped and why.