GHSA-c5pj-mqfh-rvc3 Still in osv
GHSA-c5pj-mqfh-rvc3 "Runc allows an arbitrary systemd property to be injected" is a misunderstood vulnerability. Users do NOT need to update runc:
https://github.com/opencontainers/runc/issues/4263
but it is still in OSV: https://storage.googleapis.com/osv-vulnerabilities/index.html?prefix=Go/
The JSON record for GHSA-c5pj-mqfh-rvc3 has it marked as withdrawn:
```json
"id": "GHSA-c5pj-mqfh-rvc3",
"modified": "2024-06-05T18:30:34Z",
"published": "2024-04-26T06:30:34Z",
"withdrawn": "2024-04-30T09:37:23Z",
```
I believe it is intended that we export withdrawn vulnerabilities.
Edit: Found the relevant FAQ entry: https://google.github.io/osv.dev/faq/#how-does-osvdev-handle-withdrawn-records
:sparkles: Thank you for your interest in OSV.dev's data quality! :sparkles:
Please review our FAQ entry on how to most efficiently have this addressed.
Based on:
https://osv.dev/GHSA-c5pj-mqfh-rvc3 clearly marks the record as withdrawn
and
https://osv.dev/GHSA-c5pj-mqfh-rvc3.json has the withdrawn field set
I don't think there is anything actionable here. As @michaelkedar has pointed out, the behaviour of the withdrawn field is documented in the FAQ so I don't believe there is anything actionable here. Please reopen with specifics if you feel differently.