celek

Results 16 comments of celek

@hdonnay @crozzy - I am looking into providing a PR for it - Should I look here? https://github.com/quay/claircore/blob/main/rhel/rhcc/updater.go or https://github.com/quay/claircore/blob/main/rhel/rhcc/rhcc.go Should we update the repo_name or can I update...

@hdonnay looking at the code - I am not sure why it does not take the Introduced from the second range... looking at the code, this ``` "ranges":[{"type": "SEMVER", "events":...

I tested and the NewVersion works @hdonnay @crozzy do you think the issue then is ``` vulnerable_range column I believe only accepts integers. So in this case, we would need...

@hdonnay thanks - trying to figure out why ``` SELECT name, package_name, fixed_in_version, vulnerable_range FROM public.vuln WHERE name = 'GHSA-q4q5-c5cv-2p68' AND fixed_in_version LIKE '%fixed=%' ORDER BY id ASC LIMIT 1...

Got it - analysis

```
SELECT name,package_name,repo_name,fixed_in_version,vulnerable_range,version_kind FROM public.vuln WHERE name = 'GHSA-q4q5-c5cv-2p68'
```

|name|package_name|repo_name|fixed_in_version|vulnerable_range|version_kind|
|-----|------|-----|-----|-----|----|
|"GHSA-q4q5-c5cv-2p68"|"pkg:npm/vuetify"|"npm"|"2.6.10"|"[""{0,2,0,0,0,0,0,0,0,0}"",""{0,2,6,10,0,0,0,0,0,0}"")"|"semver"|
|"GHSA-q4q5-c5cv-2p68"|"org.webjars.npm:vuetify"|"npm"|"fixed=2.6.10&introduced=2.0.0-beta.4"|"empty"| |

https://api.osv.dev/v1/vulns/GHSA-q4q5-c5cv-2p68...

```
SELECT name,package_name,repo_name,fixed_in_version,vulnerable_range,version_kind FROM public.vuln WHERE name = 'GHSA-67hx-6x53-jw92'
```

|name|package_name|repo_name|fixed_in_version|vulnerable_range|version_kind|
|-----|------|-----|-----|-----|----|
|"GHSA-67hx-6x53-jw92"|"pkg:npm/%40babel/traverse"|"npm"|"7.23.2"|"empty"| |
|"GHSA-67hx-6x53-jw92"|"pkg:npm/%40babel/traverse"|"npm"|"8.0.0-alpha.4"|"empty"|"semver"|

https://api.osv.dev/v1/vulns/GHSA-67hx-6x53-jw92 ``` "affected": [ { "package": {...

interesting - maybe the issue is that the introduced == fixedin in case I remove -alpha - I need to check

Ok so what should this one become?

```
"type": "SEMVER",
"events": [
  { "introduced": "8.0.0-alpha.0" },
  { "fixed": "8.0.0-alpha.4" }
],
```

should it be

|name|package_name|repo_name|fixed_in_version|vulnerable_range|version_kind|
|-----|------|-----|-----|-----|----|
|"GHSA-67hx-6x53-jw92"|"pkg:npm/%40babel/traverse"|...

we might hit this if both upper and lower are the same in this unique case ``` func rangefmt(r *claircore.Range) (kind *string, lower, upper string) { lower, upper = "{}",...

I am going to implement as follows ```Yes, if the version contains non-numeric components it can't get normalized into claircore's range type. It should still be encoded in the "FixedInVersion".```...