
vulnfeeds/cmd/alpine: do not generate fixed versions with a zero value

Open hogo6002 opened this issue 1 year ago • 4 comments

The CVE ID https://osv.dev/vulnerability/CVE-2024-32760

Describe the data quality issue observed
The Alpine package shows both introduced and fixed versions as 0.
[Screenshot 2024-06-06 at 2 05 02 PM]

Suggested changes to record
This might be due to an upstream issue, as https://security.alpinelinux.org/vuln/CVE-2024-32760 shows no "vulnerable or fixed packages". Should we exclude these types of Alpine entries from conversion?

Additional context
It happens to all the Alpine entries we imported last week.
[Screenshot 2024-06-06 at 2 04 02 PM]

hogo6002, Jun 06 '24 04:06

:sparkles: Thank you for your interest in OSV.dev's data quality! :sparkles:

Please review our FAQ entry on how to most efficiently have this addressed.

github-actions[bot], Jun 06 '24 04:06

Looking at the generated input for this record, I think there are a few things to address here:

  • Alpine conversion should not emit a zero fixed version; that's invalid.
  • combine-to-osv should not produce a "null" range (that's also a violation of what's proposed in #2193).

I'll retitle this to reflect the root cause and file a separate issue for combine-to-osv.

andrewpollock, Jun 20 '24 01:06
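The two checks named in the comment above (no zero-valued fixed version, no "null" range), written out as an added Go example. This is not code from the osv.dev repository or from the Alpine converter; the `Event`/`Range`/`Affected` types are a hand-rolled subset of the OSV schema, the sample record is constructed to match the issue's description (introduced and fixed both "0") with a placeholder package name, and reading "null range" as "no `ranges` array, or a range with no events" is an assumption. The sanitizer drops a whole range when its fixed event is zero, because the issue reports that upstream lists no vulnerable or fixed package for these entries: keeping only the `introduced: "0"` event would turn "no data" into "every version is vulnerable", which overstates what is known.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
)

// Event, Range, Package and Affected are a minimal subset of the OSV schema's
// "affected" entry, enough to check version events. Field names follow the
// schema; the Go types themselves exist only for this example.
type Event struct {
	Introduced string `json:"introduced,omitempty"`
	Fixed      string `json:"fixed,omitempty"`
}

type Range struct {
	Type   string  `json:"type"`
	Events []Event `json:"events"`
}

type Package struct {
	Ecosystem string `json:"ecosystem"`
	Name      string `json:"name"`
}

type Affected struct {
	Package Package `json:"package"`
	Ranges  []Range `json:"ranges"`
}

// constructedRecord is a made-up affected entry shaped like the bad Alpine
// records described in the issue: introduced and fixed both "0". The package
// name is a placeholder, not taken from the real CVE-2024-32760 record.
const constructedRecord = `{
  "package": {"ecosystem": "Alpine:v3.20", "name": "example-pkg"},
  "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "0"}]}]
}`

// isZeroFixed reports whether a "fixed" event carries the zero value.
// "0" is legitimate for "introduced" (vulnerable from the first version),
// but a fix at version 0 would claim that no version is affected at all.
func isZeroFixed(e Event) bool { return e.Fixed == "0" }

func hasZeroFixed(r Range) bool {
	for _, e := range r.Events {
		if isZeroFixed(e) {
			return true
		}
	}
	return false
}

// ValidateRanges returns one message per problem found; an empty result means
// the entry passes. It flags a zero fixed version (the Alpine converter bug in
// this issue) and a "null" range, taken here to mean no ranges at all or a
// range with no events (assumption about what the combine-to-osv comment means).
func ValidateRanges(a Affected) []string {
	var problems []string
	id := a.Package.Ecosystem + "/" + a.Package.Name
	if len(a.Ranges) == 0 {
		return append(problems, id+": affected entry has no ranges (null range)")
	}
	for i, r := range a.Ranges {
		if len(r.Events) == 0 {
			problems = append(problems, fmt.Sprintf("%s: range %d has no events (null range)", id, i))
			continue
		}
		for j, e := range r.Events {
			if e.Introduced == "" && e.Fixed == "" {
				problems = append(problems, fmt.Sprintf("%s: range %d event %d has neither introduced nor fixed", id, i, j))
			}
			if isZeroFixed(e) {
				problems = append(problems, fmt.Sprintf("%s: range %d event %d has fixed version 0", id, i, j))
			}
		}
	}
	return problems
}

// SanitizeRanges shows what a converter could emit instead of an invalid
// record: empty ranges and ranges whose fixed event is zero are dropped
// wholesale. The bool is false when nothing usable remains, in which case the
// caller should skip the entry rather than publish it.
func SanitizeRanges(a Affected) (Affected, bool) {
	out := Affected{Package: a.Package}
	for _, r := range a.Ranges {
		if len(r.Events) == 0 || hasZeroFixed(r) {
			continue
		}
		out.Ranges = append(out.Ranges, r)
	}
	return out, len(out.Ranges) > 0
}

func main() {
	var a Affected
	if err := json.Unmarshal([]byte(constructedRecord), &a); err != nil {
		log.Fatal(err)
	}
	for _, p := range ValidateRanges(a) {
		fmt.Println("problem:", p)
	}
	if _, ok := SanitizeRanges(a); !ok {
		fmt.Println("nothing usable remains; skip this entry instead of emitting it")
	}
}
```

Run with `go run .`; the constructed record produces exactly one validation problem (the zero fixed version) and is then skipped by the sanitizer, which is the outcome the issue's "exclude these entries from conversion" suggestion asks for.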

PoC?

limeitnagorm, Jul 02 '24 13:07

This issue has not had any activity for 60 days and will be automatically closed in two weeks.

See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.

github-actions[bot], Sep 24 '24 05:09