-
Notifications
You must be signed in to change notification settings - Fork 336
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support limit
and last_affected
range events
#470
Comments
@nscuro thank you for bringing this up. The |
For additional context, the work we have scheduled will allow us to transform upper bound inclusive ranges (i.e. |
We will also continue to use it for ranges where the upper bound inclusive |
@chrisbloom7 Thanks so much for the quick and thorough response! Good to know that However, I'm wondering whether the |
TL;DR: The non-standard field causes issues for anyone trying to produce or consume OSV data. Please prioritize the migration to the Right now GHSA data exported to OSV causes numerous false positives, if parsed according to the spec. This makes all OSV data about crates.io unusable, unless special measures are taken to filter out GHSA data or support the custom extension field. Which in turn makes any tools consuming crates.io data from OSV unusable at present - which includes big-name tools such as Trivy. |
Hi all, thanks for your feedback on this! We will be prioritizing this update in the coming weeks. I'll post again here when it is shipped! |
Hi all, this fix is now shipped! Existing OSV JSON files won't have the new field yet until they are regenerated, but new ones will start to use it. I'll go ahead and close this issue as a result. Thanks everyone for driving us forward in resolving this. |
Is re-generation of the existing files planned? It's great that the new files are not affected, but the existing ones still cause false positives when parsed according to the OSV standard. |
@Shnatsel yes indeed, we have a nightly job that will resync 25,000 at a time so they'll all be regenerated with the new format over the next week. |
Hello @KateCatlin We have a problem with missing Thanks in advance for your answer and thanks for what you do! Best Regards, Dmitriy |
Hi @DmitriyLewen. @KateCatlin asked me to follow up with you. There are still two scenarios in which we must use that custom field, and the two example OSV files you cited hit both of them. It's helpful to preface any explanation by saying that the reason we use a database specific field at all is because we try to keep our translations between OSV and our internal format as lossless as possible since we both write to and read from that format for the purposes of community contributions, and because the OSV schema doesn't support all of the potential ways we represent version ranges internally. In GHSA-32qq-m9fh-f74w, we use it because the affected range uses the upper bound exclusive operator In GHSA-543v-gj2c-r3ch, we use it because the vulnerability's upper bound inclusive affected version range of EDIT: Added then removed then re-added a 4th footnote; added some additional info about the ranges. Footnotes
|
Hello @chrisbloom7 I got all needed information! Best Regards, Dmitriy |
I came across the guava vulnerability GHSA-5mg8-w23w-74h3 for which GHSA declares the affected version range as
<= 29.0
.In OSV however, this is represented as:
Given the constraint
<= 29.0
, I would've expected the following:The current situation makes automated processing unnecessarily hard. If I rely on the
ECOSYSTEM
range, I'll trigger lots of false positives due to it indicating a>0
constraint.database_specific
is not intended to influence vulnerability evaluation according to the spec. This is also visible when inspecting the (auto-generated) Affected versions section on OSV's website: https://osv.dev/vulnerability/GHSA-5mg8-w23w-74h3At the moment, there are about 1990 advisories affected by this:
google/osv.dev#474 (comment) already hinted that GHSA currently does not support the
limit
orlast_affected
events. Is it planned to be addressed anytime soon?The text was updated successfully, but these errors were encountered: