creation of false vulnerable ranges in GIT ecosystem
Describe the bug
I have seen consistent issues with the conversion of CVEs to OSV in the GIT ecosystem. In the examples I have given, we see from NVD a clear definition of "from version X until version Y are affected by this vulnerability", but in OSV the range starts with "commit 0", meaning all versions before, leading to a false positive identification.
And in some cases, there is no range given at all in NVD, but the OSV entry still uses "introduced 0" in the ranges.
The bug is that OSV places a non-existent introduced commit on the vulnerability, resulting in false positives.
To Reproduce
- Open OSV CVE-2022-33967
- Go to the affected packages
- Press on the Git ecosystem
- You will see inside the "events", "introduced 0"
- Go to NIST CVE-2022-33967
- Scroll down to the "Known Affected software configuration"
- You will not find that the range of the vulnerability starts at the first iteration
Expected behaviour
An introduced range containing the first affected commit of the vulnerability, or maybe not displaying it at all and only using the versions (tag) list to reduce the false positives.
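The following is an added triage helper, not code from OSV or from the issue author, illustrating the pattern described above: it flags GIT ranges whose first event is introduced "0" and cross-checks a queried tag against the entry's explicit versions list, the field the expected behaviour suggests relying on. The record, repo URL, commit hash and tag list are constructed placeholders in OSV schema shape, not the real CVE-2022-33967 data.

```python
# Added triage helper, not code from OSV or the issue author. It flags GIT
# ranges that start at introduced "0" (every commit before the fix) and
# cross-checks a version against the entry's explicit versions list.

# Constructed sample in OSV schema shape. Repo URL, commit hash and tag list
# are placeholders, not values taken from the real CVE-2022-33967 record.
SAMPLE_ENTRY = {
    "id": "CVE-2022-33967",
    "affected": [{
        "package": {"name": "u-boot", "ecosystem": "GIT"},
        "ranges": [{
            "type": "GIT",
            "repo": "https://example.invalid/u-boot.git",
            "events": [{"introduced": "0"}, {"fixed": "FIXED_COMMIT_PLACEHOLDER"}],
        }],
        "versions": ["v2021.01", "v2021.04"],
    }],
}

def open_ended_git_ranges(entry):
    """Return (affected_idx, range_idx) for each GIT range whose first
    introduced event is "0": it matches all history before the fix, which
    an NVD "from X until Y" configuration does not say."""
    hits = []
    for a_idx, affected in enumerate(entry.get("affected", [])):
        for r_idx, rng in enumerate(affected.get("ranges", [])):
            if rng.get("type") != "GIT":
                continue
            intro = [e["introduced"] for e in rng.get("events", []) if "introduced" in e]
            if intro and intro[0] == "0":
                hits.append((a_idx, r_idx))
    return hits

def version_listed(entry, version):
    """True if the tag appears in any affected block's explicit versions list."""
    return any(version in a.get("versions", []) for a in entry.get("affected", []))

def triage(entry, version):
    """'listed' if the versions list confirms the match, 'range-only' if only
    an introduced-0 GIT range would match it, otherwise 'no-match'."""
    if version_listed(entry, version):
        return "listed"
    return "range-only" if open_ended_git_ranges(entry) else "no-match"

# The version the reporter was checking: matched only by the open-ended range.
print(triage(SAMPLE_ENTRY, "v2018.09"))
```

A "range-only" result is the situation the issue describes: the entry would match the version solely because the GIT range begins at commit 0, with nothing in the versions list to back it.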
Additional context
For context, I was searching for vulnerabilities affecting u-boot v2018.09.
This is the data quality issue I opened in case this is not a bug: https://github.com/google/osv.dev/issues/3519