advisory-database
question: how to handle `affected[].ranges[].events` + `affected[].versions` field
trafficstars
Description
Hello! Thanks for your work!
I found 1 confusing case:
https://github.com/advisories/GHSA-h4j7-5rxr-p4wc advisory contains `affected[].ranges[].events` + `affected[].versions` field:

```json
{
  "package": {
    "ecosystem": "NuGet",
    "name": "Microsoft.Build.Tasks.Core"
  },
  "ranges": [
    {
      "type": "ECOSYSTEM",
      "events": [
        {
          "introduced": "17.13.9"
        },
        {
          "fixed": "17.14.8"
        }
      ]
    }
  ],
  "versions": [
    "17.13.9"
  ]
}
```
OSV schema says:

> **affected[].versions field**
> The affected object's versions field is a JSON array of strings. Each string is a single affected version in whatever version syntax is used by the given package ecosystem.
> ...
> **affected[].ranges[].events fields**
> The ranges object's events field is a JSON array of objects. Each object describes a single version that either:
> - Introduces a vulnerability: `{"introduced": string}`
> - Fixes a vulnerability: `{"fixed": string}`

IIUC it means that affected versions are the `>=17.13.9 <17.14.8` range + the `17.13.9` version.
But this range already contains `17.13.9`, so it means that affected versions are the `>=17.13.9 <17.14.8` range.
GitHub UI shows the following versions:
This is correct for Microsoft's information - https://github.com/dotnet/msbuild/issues/118469 But this is not equal to the OSV file.
Can you help me to understand this case? Perhaps I am missing something.
Best Regards, Dmitriy
Related Issues:
- https://github.com/aquasecurity/trivy-db/issues/544
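The OSV semantics the question turns on (a version is affected if it falls inside any `ranges[]` walk of `introduced`/`fixed`/`last_affected` events, or if it is listed explicitly in `versions[]`; the two lists are a union) can be checked mechanically. The following is an added example, not code from the advisory-database project or from the issue author. It assumes a simplified dotted-integer version comparison (real NuGet/SemVer pre-release ordering is not modelled) and embeds a constructed copy of the `affected` entry quoted above; `is_affected` and `redundant_versions` are hypothetical helper names.

```python
"""Evaluate an OSV `affected[]` entry: union of `ranges[].events` and `versions[]`."""

# Constructed copy of the affected entry quoted in the issue (GHSA-h4j7-5rxr-p4wc).
AFFECTED = {
    "package": {"ecosystem": "NuGet", "name": "Microsoft.Build.Tasks.Core"},
    "ranges": [
        {
            "type": "ECOSYSTEM",
            "events": [{"introduced": "17.13.9"}, {"fixed": "17.14.8"}],
        }
    ],
    "versions": ["17.13.9"],
}


def parse_version(text):
    """Simplified comparison key: dotted integers only (assumption; NuGet/SemVer
    pre-release and build-metadata rules are ignored). OSV uses "0" to mean
    'from the first version ever', so it must sort before everything else."""
    if text == "0":
        return (0,)
    return tuple(int(part) for part in text.split("."))


def _event_version(event):
    # Each event object carries exactly one key (introduced / fixed / last_affected).
    return parse_version(next(iter(event.values())))


def version_in_range(version, rng):
    """Walk the events of one range in version order.
    `introduced` switches the affected state on at that version,
    `fixed` switches it off from that version onward (exclusive upper bound),
    `last_affected` switches it off after that version (inclusive upper bound)."""
    v = parse_version(version)
    affected = False
    for event in sorted(rng["events"], key=_event_version):
        ev = _event_version(event)
        if "introduced" in event and ev <= v:
            affected = True
        elif "fixed" in event and ev <= v:
            affected = False
        elif "last_affected" in event and ev < v:
            affected = False
    return affected


def is_affected(version, affected=AFFECTED):
    """OSV semantics: affected if inside ANY range OR listed explicitly in `versions`.
    Because it is a union, an explicit version that already falls inside a range
    adds nothing to the affected set."""
    in_range = any(version_in_range(version, r) for r in affected.get("ranges", []))
    listed = version in affected.get("versions", [])
    return in_range or listed


def redundant_versions(affected=AFFECTED):
    """Explicit `versions` entries already covered by some range (the situation
    described in the issue: 17.13.9 is both the range start and a listed version)."""
    return [
        v
        for v in affected.get("versions", [])
        if any(version_in_range(v, r) for r in affected.get("ranges", []))
    ]


if __name__ == "__main__":
    for candidate in ["17.13.8", "17.13.9", "17.14.0", "17.14.7", "17.14.8"]:
        print(candidate, "affected" if is_affected(candidate) else "not affected")
    print("explicit versions already covered by a range:", redundant_versions())
```

Run stand-alone it reports `17.13.9`, `17.14.0` and `17.14.7` as affected, `17.13.8` and `17.14.8` as not affected, and `["17.13.9"]` as the redundant explicit entry, which is exactly the reading given in the issue: the `versions` list does not widen the range here.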