
Detecting yanked versions

Open jayvdb opened this issue 1 year ago • 2 comments

osv-scanner doesn't detect yanked versions, such as yanked crate version https://crates.io/crates/url/2.5.3

deps.dev knows this version is deprecated - see https://deps.dev/cargo/url/2.5.3

There is no CVE listed for this https://osv.dev/list?q=url&ecosystem=crates.io

But given that https://github.com/servo/rust-url/pull/999 is the only PR in v2.5.4, and it landed in v2.5.3, there is a good chance that it is the problem.

And very likely that problem is a large one, probably even CVE territory.

And that is commonly why versions are yanked - a problem is found & fixed before a CVE has been created.

And because it is a yanked version, quite likely nobody will invest in creating a CVE.

Note https://github.com/EmbarkStudios/cargo-deny does detect yanked versions in the lock file, and most Rust projects will be using cargo-deny (however I am often asked why we use both cargo-deny and osv-scanner), so it isn't an urgent problem for me. cargo deny output (in red!):

error[yanked]: detected yanked crate (try `cargo update -p url`)
    ┌─ /home/jayvdb/work/rosalind/Cargo.lock:726:1
    │
726 │ url 2.5.3 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ yanked version

That said, the tooling for other ecosystems may not be tuned to treat yanked versions as probable CVEs. NPM's left-pad yanking problem probably still has many people wary of trusting yanks ("unpublish"), so it would be good IMO to have osv-scanner detecting & reporting these.

There is a bit of overlap with https://github.com/google/osv.dev/issues/2407

jayvdb avatar Nov 25 '24 19:11 jayvdb
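The check cargo-deny performs above is a lock-file scan: every `[[package]]` entry that comes from the crates.io registry is looked up in the index, and an entry whose exact version carries `"yanked": true` is reported. The following Go program is an added illustration of that logic and is not code from osv-scanner or cargo-deny. The Cargo.lock text and the newline-delimited JSON index records are constructed for the example (the real crates.io index keeps one file per crate with the same `name`/`vers`/`yanked` fields plus `deps`, `cksum`, `features`); only the fact that url 2.5.3 is yanked comes from the issue, and the other crate names and versions are placeholders.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed Cargo.lock: one yanked registry crate (url 2.5.3, from the issue),
// one placeholder registry crate, and one path dependency without a source.
const SampleLock = `# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "sample-crate"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "placeholder"
dependencies = [
 "url",
]

[[package]]
name = "url"
version = "2.5.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "placeholder"

[[package]]
name = "local-tool"
version = "0.1.0"
`

// Constructed index records in the crates.io index line format (fields trimmed).
const SampleIndex = `{"name":"url","vers":"2.5.3","yanked":true}
{"name":"url","vers":"2.5.4","yanked":false}
{"name":"sample-crate","vers":"0.1.0","yanked":false}
`

const cratesIOSource = "registry+https://github.com/rust-lang/crates.io-index"

// LockedPackage is one [[package]] table from Cargo.lock.
type LockedPackage struct {
	Name, Version, Source string
}

// ParseCargoLock reads the flat key = "value" lines of each [[package]] table.
// Multi-line arrays such as dependencies are skipped because their items hold no "=".
func ParseCargoLock(lock string) []LockedPackage {
	var pkgs []LockedPackage
	cur := -1 // index of the package currently being filled; -1 before the first table
	sc := bufio.NewScanner(strings.NewReader(lock))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "[[package]]" {
			pkgs = append(pkgs, LockedPackage{})
			cur = len(pkgs) - 1
			continue
		}
		if cur < 0 || !strings.Contains(line, "=") {
			continue
		}
		key, val, _ := strings.Cut(line, "=")
		val = strings.Trim(strings.TrimSpace(val), `"`)
		switch strings.TrimSpace(key) {
		case "name":
			pkgs[cur].Name = val
		case "version":
			pkgs[cur].Version = val
		case "source":
			pkgs[cur].Source = val
		}
	}
	return pkgs
}

// indexEntry carries the index fields needed for the yank check.
type indexEntry struct {
	Name   string `json:"name"`
	Vers   string `json:"vers"`
	Yanked bool   `json:"yanked"`
}

// LoadYanked turns newline-delimited index records into a set of yanked "name@version" keys.
func LoadYanked(index string) map[string]bool {
	yanked := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(index))
	for sc.Scan() {
		var e indexEntry
		if err := json.Unmarshal([]byte(strings.TrimSpace(sc.Text())), &e); err != nil {
			continue // blank or malformed record: skip it rather than abort the scan
		}
		if e.Yanked {
			yanked[e.Name+"@"+e.Vers] = true
		}
	}
	return yanked
}

// FindYanked reports registry packages whose exact locked version is yanked.
// Path and git dependencies have no yank state and are ignored.
func FindYanked(pkgs []LockedPackage, yanked map[string]bool) []LockedPackage {
	var hits []LockedPackage
	for _, p := range pkgs {
		if p.Source == cratesIOSource && yanked[p.Name+"@"+p.Version] {
			hits = append(hits, p)
		}
	}
	return hits
}

func main() {
	for _, p := range FindYanked(ParseCargoLock(SampleLock), LoadYanked(SampleIndex)) {
		fmt.Printf("error[yanked]: detected yanked crate %s %s (try `cargo update -p %s`)\n",
			p.Name, p.Version, p.Name)
	}
}
```

Matching on the exact version string is deliberate: a yank applies to one published version, so a lock file pinned to 2.5.3 is flagged even though 2.5.4 of the same crate is fine, which is what `cargo update -p` then resolves.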

Hello! I would like to contribute to this issue. Could you please assign it to me? Thank you!

sureshkrishnan-v avatar Dec 06 '24 13:12 sureshkrishnan-v

@sureshkrishnan-v feel free to work on this issue!

cuixq avatar Dec 09 '24 00:12 cuixq

Hi, thanks for your patience!

We've implemented the feature by adding a more generic Deprecated field to Package. It can represent various states such as yanked (Cargo, PyPI), unpublished (npm), and deprecated (npm).

It'll be available in the next release of osv-scanner, which is coming out later this week.

Ly-Joey avatar Nov 18 '25 03:11 Ly-Joey

Apologies! It's delayed to the next release, as we need to get it working for all our output formats!

another-rex avatar Nov 19 '25 03:11 another-rex