osv.dev
Ubuntu data set to ignored showing up in OSV.dev
I think there is a related problem with entries that the Ubuntu team set to "Ignored". The entries in the original Ubuntu JSON list the versions but without a "fixed" entry. This currently results in many false-positive hits in our pipelines.
I think this is a flaw in the Ubuntu JSON sources, but I am posting it here for awareness.
Example:
- The CVE-2015-4852 entry on OSV.dev lists Ubuntu:24.04:LTS as affected
- The corresponding JSON from Ubuntu lists it as "not fixed" (see below)
- The Ubuntu Security website lists the CVE as ignored
```json
{
  "package": {
    "ecosystem": "Ubuntu:24.04:LTS",
    "name": "openjdk-8",
    "purl": "pkg:deb/ubuntu/openjdk-8@8u452-ga~us1-0ubuntu1~24.04?arch=source&distro=noble"
  },
  "ranges": [
    {
      "type": "ECOSYSTEM",
      "events": [
        { "introduced": "0" }
      ]
    }
  ],
  "versions": [
    "8u382-ga-1ubuntu1",
    "8u392-ga-1",
    "8u402-ga-1",
    "8u402-ga-2",
    "8u402-ga-2ubuntu1",
    "8u402-ga-2ubuntu6",
    "8u402-ga-2ubuntu7",
    "8u402-ga-8build1",
    "8u412-ga-1~24.04.2",
    "8u422-b05-1~24.04",
    "8u432-ga~us1-0ubuntu2~24.04",
    "8u442-b06~us1-0ubuntu1~24.04",
    "8u452-ga~us1-0ubuntu1~24.04"
  ],
  "ecosystem_specific": {
    "ubuntu_priority": "high"
  }
}
```
Originally posted by @landesfeind in #3426
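As an added example (not code from the issue, the reporter, or the OSV project), here is a small Python check a consuming pipeline could run over an OSV `affected` entry to tell hits that carry an upper bound apart from open-ended ones like the entry quoted above, so the latter can be routed to review rather than failing a build. The helper names `range_status`, `matches`, `triage` and `load_entry` are hypothetical, and the embedded sample is trimmed from the JSON in the issue.

```python
import json

# Affected entry as quoted in the issue (CVE-2015-4852, Ubuntu:24.04:LTS),
# trimmed to the fields the check needs.
AFFECTED_JSON = """
{ "package": {"ecosystem": "Ubuntu:24.04:LTS", "name": "openjdk-8"},
  "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}],
  "versions": ["8u382-ga-1ubuntu1", "8u452-ga~us1-0ubuntu1~24.04"],
  "ecosystem_specific": {"ubuntu_priority": "high"} }
"""


def load_entry() -> dict:
    """Parse the sample affected entry above."""
    return json.loads(AFFECTED_JSON)


def range_status(affected: dict) -> str:
    """Classify an OSV 'affected' entry by the events in its ranges.

    Returns 'fixed' when any range carries a 'fixed' or 'last_affected' event,
    'open' when every range has only 'introduced' events (no upper bound, so
    every later version keeps matching), and 'none' when there are no ranges.
    """
    ranges = affected.get("ranges") or []
    if not ranges:
        return "none"
    for r in ranges:
        for ev in r.get("events", []):
            if "fixed" in ev or "last_affected" in ev:
                return "fixed"
    return "open"


def matches(affected: dict, version: str) -> bool:
    """Exact-match lookup against the enumerated 'versions' list, which is what
    an ECOSYSTEM range with only 'introduced: 0' effectively reduces to."""
    return version in affected.get("versions", [])


def triage(affected: dict, installed: str) -> dict:
    """Hypothetical pipeline helper: report a hit together with whether the
    advisory actually has an upper bound. Open-ended hits are flagged for
    manual review instead of being treated as confirmed vulnerabilities."""
    status = range_status(affected)
    hit = matches(affected, installed)
    return {
        "package": affected["package"]["name"],
        "ecosystem": affected["package"]["ecosystem"],
        "hit": hit,
        "range_status": status,
        "needs_review": hit and status == "open",
    }
```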