
data: "fixed" before "introduced" is very odd

Open hdonnay opened this issue 2 years ago • 2 comments

The osv representation of GHSA-28f8-hqmc-7ph8 represents the version constraints as:

```json
"ranges": [
  {
    "type": "SEMVER",
    "events": [
      {"introduced": "1.0.8"},
      {"fixed": "1.0.7"}
    ]
  }
],
```

This seems wrong -- you can't fix something before it's introduced. This is more akin to blocklisting a release. Shouldn't this be represented as something like {"introduced": "1.0.8"},{"limit":"1.0.8"} ?

hdonnay avatar Feb 20 '23 12:02 hdonnay
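As an added example (not from the thread and not osv.dev's own code), here is a small Python evaluator that applies a sorted-event reading of OSV SEMVER ranges, together with a lint check that flags a closing event placed before its `introduced` event. It assumes the event semantics described in the OSV schema (`fixed` and `limit` end the range exclusively, `last_affected` inclusively) and a simplified semver parser that ignores prerelease ordering; the range data is constructed from the one in the issue, and the `last_affected` variant is an assumed alternative encoding for a single affected release.

```python
"""Evaluate OSV SEMVER range events and lint for inverted ranges.

Constructed example: shows how an "introduced" 1.0.8 / "fixed" 1.0.7 range
silently becomes open-ended under a sorted-event evaluation instead of
matching nothing, and how a single-release range can be encoded instead.
"""
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Events that close an open range. fixed/limit are exclusive, last_affected is inclusive.
CLOSING = ("fixed", "limit", "last_affected")


def parse_semver(v: str) -> Tuple[int, ...]:
    """Simplified semver: numeric core only, prerelease/build metadata dropped (assumption)."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(events: List[Event], version: str) -> bool:
    """Walk events in version order; the last event at or below `version` wins."""
    v = parse_semver(version)
    # Sort by event version; sorted() is stable so same-version events keep input order.
    ordered = sorted(events, key=lambda e: parse_semver(next(iter(e.values()))))
    affected = False
    for event in ordered:
        (kind, value), = event.items()
        ev = parse_semver(value)
        if kind == "introduced" and v >= ev:
            affected = True
        elif kind in ("fixed", "limit") and v >= ev:
            affected = False          # exclusive upper bound
        elif kind == "last_affected" and v > ev:
            affected = False          # inclusive upper bound
    return affected


def range_problems(events: List[Event]) -> List[str]:
    """Lint: report closing events whose version precedes the introduced version they close."""
    problems: List[str] = []
    open_at = None
    for event in events:
        (kind, value), = event.items()
        if kind == "introduced":
            open_at = (value, parse_semver(value))
        elif kind in CLOSING and open_at is not None:
            if parse_semver(value) < open_at[1]:
                problems.append(f"{kind} {value} precedes introduced {open_at[0]}")
            open_at = None
    return problems


# Constructed ranges: the one reported in the issue and two single-release encodings.
INVERTED = [{"introduced": "1.0.8"}, {"fixed": "1.0.7"}]
LIMIT_FORM = [{"introduced": "1.0.8"}, {"limit": "1.0.8"}]
LAST_AFFECTED_FORM = [{"introduced": "1.0.8"}, {"last_affected": "1.0.8"}]


def affected_set(events: List[Event], candidates: List[str]) -> List[str]:
    """Return the subset of `candidates` the range marks as affected."""
    return [c for c in candidates if is_affected(events, c)]


if __name__ == "__main__":
    sample = ["1.0.7", "1.0.8", "1.0.9", "2.0.0"]
    print("inverted      ->", affected_set(INVERTED, sample), range_problems(INVERTED))
    print("limit         ->", affected_set(LIMIT_FORM, sample))
    print("last_affected ->", affected_set(LAST_AFFECTED_FORM, sample))
```

The inverted range does not collapse to "nothing affected": once events are sorted, the `fixed` 1.0.7 is passed first and every version from 1.0.8 onward stays affected, which is the opposite of the intent to flag one release. Under the exclusive reading of `limit` used here, `introduced` 1.0.8 plus `limit` 1.0.8 matches no version at all, so a consumer that wants exactly one release marked should check which closing event its evaluator treats inclusively; the lint function is the kind of check an ingest pipeline can run before accepting a range.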

Hi! Thanks for raising this. Looks like this is an issue on GitHub's side. I've opened https://github.com/github/advisory-database/pull/1712 to address this.

oliverchang avatar Feb 20 '23 23:02 oliverchang

+1, thank you for raising this. I'm working on #771 and I hadn't considered this particular scenario, so it's a very timely callout.

andrewpollock avatar Feb 21 '23 02:02 andrewpollock

This issue has not had any activity for 60 days and will be automatically closed in two weeks

github-actions[bot] avatar Jul 26 '24 18:07 github-actions[bot]

Fine, here's some activity.

hdonnay avatar Jul 26 '24 18:07 hdonnay

I believe this is fixed. In the upstream source, a single specific release is specified to be affected. See https://api.osv.dev/v1/vulns/GHSA-28f8-hqmc-7ph8

another-rex avatar Jul 26 '24 20:07 another-rex