Create repo purls for GIT ecosystem ranges

Open bwt-sloanj opened this issue 4 months ago • 4 comments

The CVE ID: https://osv.dev/vulnerability/CVE-2019-25219

Describe the data quality issue observed: PURL entries are provided for the Debians. The Git repo could also have a PURL, in this case: pkg:generic/github.com/chriskohlhoff/asio@asio-x-y-z where the version comes from the tagging scheme used in that repo.

Suggested changes to record: Add a PURL for the Git repo. This supports the use case where the code is being packaged directly by the consumer, as opposed to installed via the Debian.

bwt-sloanj avatar Aug 14 '25 13:08 bwt-sloanj

:sparkles: Thank you for your interest in OSV.dev's data quality! :sparkles:

Please review our FAQ entry on how to most efficiently have this addressed.

github-actions[bot] avatar Aug 14 '25 13:08 github-actions[bot]

Hi @bwt-sloanj, thanks for reporting! While we definitely agree that pURLs would be very useful, we are beholden to the data we get from upstream sources. In this case, the upstream source is the NVD, which does not provide pURLs currently.

We would love to accept a contribution for a reliable and scalable pURL converter for git repositories if anyone were willing to attempt it :)

jess-lowe avatar Aug 21 '25 08:08 jess-lowe
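
One way the converter discussed above could look, as an added example that is not part of the issue thread or of OSV.dev's code: it walks an OSV record's `GIT` ranges and emits a repo purl in the `pkg:generic/<host>/<path>` form the reporter proposed. The function names and the sample record are assumptions made for illustration, and because the thread does not define how commits map to the repo's tags, a version is appended only when the caller supplies one.

```python
import re
from urllib.parse import quote, urlsplit

# scp-style remote such as git@host:owner/repo.git (no URL scheme)
_SCP_LIKE = re.compile(r"^(?:[\w.-]+@)?([\w.-]+):(?!/)(.+)$")


def repo_to_purl(repo, version=None):
    """Return pkg:generic/<host>/<path>[@version] for a git repo URL, or None."""
    repo = repo.strip()
    m = _SCP_LIKE.match(repo)
    if m and "://" not in repo:
        host, path = m.group(1), m.group(2)
    else:
        parts = urlsplit(repo)
        host, path = parts.hostname or "", parts.path
    segments = [s for s in path.split("/") if s]
    if segments and segments[-1].endswith(".git"):
        segments[-1] = segments[-1][:-4]
    # Refuse anything that does not identify a repository unambiguously.
    if not host or not segments or any(s in (".", "..") for s in segments):
        return None
    purl = "pkg:generic/" + "/".join(quote(s, safe="") for s in [host.lower(), *segments])
    return purl + ("@" + quote(version, safe="") if version else "")


def git_range_purls(record):
    """Collect one purl per distinct repo named in the record's GIT ranges."""
    purls = []
    for affected in record.get("affected", []):
        for rng in affected.get("ranges", []):
            if rng.get("type") != "GIT":
                continue
            purl = repo_to_purl(rng.get("repo", ""))
            if purl and purl not in purls:
                purls.append(purl)
    return purls


# Constructed record for illustration; id and commit values are placeholders.
SAMPLE = {
    "id": "EXAMPLE-0000",
    "affected": [{"ranges": [
        {"type": "ECOSYSTEM", "events": [{"introduced": "0"}]},
        {"type": "GIT", "repo": "https://github.com/chriskohlhoff/asio", "events": [{"introduced": "0"}]},
        {"type": "GIT", "repo": "git@GitHub.com:chriskohlhoff/asio.git", "events": [{"introduced": "0"}]},
    ]}],
}

print(git_range_purls(SAMPLE))
```

Both spellings of the remote normalize to the same purl, so a record that lists the repo twice yields a single entry.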

This issue has not had any activity for 60 days and will be automatically closed in two weeks.

See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.

github-actions[bot] avatar Nov 02 '25 02:11 github-actions[bot]

Automatically closing stale issue

github-actions[bot] avatar Nov 16 '25 02:11 github-actions[bot]