
Package versions truncated on `_`

Open olivergondza opened this issue 1 year ago • 2 comments

Describe the bug

The version numbers reported for some of the Jenkins plugins are incorrect.

To Reproduce

Steps to reproduce the behaviour:

  1. Go to https://osv.dev/vulnerability/GHSA-62jv-j4w7-5hh8 (or other Jenkins plugin vuln, its plugin is using "incrementals" versioning)
  2. Scroll down to 'Affected packages'
  3. The versions reported do not exist. They are truncated on the first `_` in the version number. See https://plugins.jenkins.io/credentials/releases/

Expected behaviour

The versions are complete.

Screenshots Image

olivergondza avatar Nov 30 '24 13:11 olivergondza

Thanks for the report!

This looks like a frontend issue. The correct versions are reported via JSON at https://api.osv.dev/v1/vulns/GHSA-62jv-j4w7-5hh8:

        "1055.v1346ba467ba1",
        "1061.vb_1fceb_58fa_18",
        "1074.1076.v39c30cecb_0e2",
        "1074.v60e6c29b_b_44b_",
        "1087.1089.v2f1b_9a_b_040e4",
        "1087.v16065d268466",
        "1105.vb_4e24a_c78b_81",
        "1111.v35a_307992395",
        "1112.vc87b_7a_3597f6",
        "1118.v320cd028cb_a_0",
        "1126.ve05618c41e62",
        "1129.vef26f5df883c",
        "1139.veb_9579fca_33b_",
        "1143.vb_e8b_b_ceee347",
        "1189.vf61b_a_5e2f62e",
        "1214.v1de940103927",
        "1224.vc23ca_a_9a_2cb_0",
        "1236.v31e44e6060c0",
        "1254.vb_96f366e7b_a_d",
        "1268.v3f0d043d60e9",
        "1271.v54b_1c2c6388a_",
        "1290.v2e5b_13eb_b_127",
        "1293.vff276f713473",
        "1304.v5ec13eecef46",
        "1305.v04f5ec1f3743",
        "1307.v3757c78f17c3",
        "1309.v8835d63eb_d8a_",
        "1311.vcf0a_900b_37c2",
        "1317.v0ce519a_92b_3e",
        "1319.v7eb_51b_3a_c97b_",
        "1337.v60b_d7b_c7b_c9f",
        "1344.v5a_3f65a_1e173",
        "1350.v1b_df4d227d1b_",
        "1355.v46f52a_b_98d64",
        "1361.v56f5ca_35d21c",
        "1371.vfee6b_095f0a_3",

oliverchang avatar Dec 01 '24 22:12 oliverchang

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.

github-actions[bot] avatar Jan 30 '25 23:01 github-actions[bot]

@oliverchang I believe the original issue likely meant the "fixed" version field being truncated on underscores (showing 1381.v2c3a instead of 1381.v2c3a_12074da_b_), and that behavior actually matches the API response:

          "events": [
            {
              "introduced": "1372"
            },
            {
              "fixed": "1381.v2c3a"
            }
          ]

I can confirm the frontend version display itself isn't the problem because of examples like: https://osv.dev/vulnerability/RHSA-2025:13464 where underscores are displayed normally, so this is likely a GHSA upstream issue.

I did, however, discover a separate minor frontend bug where version numbers in vulnerability descriptions were incorrectly formatted (treating _ as italic Markdown markers). This doesn't break functionality but affects readability - fixed in #3785

ashmod avatar Aug 09 '25 22:08 ashmod
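An added example, not part of any comment in this thread and not osv.dev code: a data-quality check that flags range events which look cut off at an underscore, the symptom described in the comment above, by comparing them against a release list. The record structure and `RELEASES` are constructed from values quoted on this page, and `truncated_events` is a hypothetical helper name.

```python
import json

# Constructed OSV-style record: the "events" values are the ones quoted in the
# comment above; everything else is trimmed to what the check needs.
RECORD = json.loads("""
{
  "affected": [{
    "ranges": [{
      "type": "ECOSYSTEM",
      "events": [{"introduced": "1372"}, {"fixed": "1381.v2c3a"}]
    }]
  }]
}
""")

# Constructed release list standing in for the plugin's published versions
# (both strings appear on this page).
RELEASES = ["1371.vfee6b_095f0a_3", "1381.v2c3a_12074da_b_"]


def truncated_events(record, releases):
    """Return (kind, value, candidates) for every range event whose version is
    not a published release but equals the part of one before an underscore."""
    known = set(releases)
    findings = []
    for affected in record.get("affected", []):
        for rng in affected.get("ranges", []):
            for event in rng.get("events", []):
                for kind, value in event.items():
                    if value in known:
                        continue  # exact match: nothing was cut off
                    # A release that continues with "_" right where the
                    # event value stops suggests the value was truncated.
                    hits = sorted(r for r in releases
                                  if r.startswith(value + "_"))
                    if hits:
                        findings.append((kind, value, hits))
    return findings


if __name__ == "__main__":
    for kind, value, hits in truncated_events(RECORD, RELEASES):
        print(f"{kind}={value!r} looks truncated; candidates: {hits}")
```
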

Seems to be done now.

another-rex avatar Sep 16 '25 00:09 another-rex