Data quality issue with CVE-2021-46703
The CVE ID
https://osv.dev/vulnerability/CVE-2021-46703
Describe the data quality issue observed
This shows as withdrawn as of May 15th of this year.
There is no obvious withdrawn statement on https://nvd.nist.gov/vuln/detail/CVE-2021-46703
Suggested changes to record
Clarification on whether this is really withdrawn.
Additional context
The converted data linked in the record (https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-46703.json) 404s.
:sparkles: Thank you for your interest in OSV.dev's data quality! :sparkles:
Please review our FAQ entry on how to most efficiently have this addressed.
Hi @wenottingham, thanks for bringing this to our attention! From the looks of things, what might have happened is that prior to May of last year, we may have been able to convert this. Sometime before then a regression was likely introduced that changed the version extracted from '4.5.1-alpha001' to '4.5.1', and because the 4.5.1 tag doesn't exist in the repository, we are unable to successfully convert it (as there is no associated commit). When a record is unable to successfully convert, it is deleted from our bucket, and then the record would be marked as withdrawn on our end.
In terms of actionability of this issue: we are working on some things to help improve our conversion fidelity, but unfortunately, I'm not sure this record will end up covered by those improvements. I'll look into if there is anything else we can do but for now it seems unlikely any other progress will be made on this in the short term. Luckily, the GHSA record is still there, and more accurate so I'd recommend using that as reference for now.
> When a record is unable to successfully convert, it is deleted from our bucket, and then the record would be marked as withdrawn on our end.
If I were to suggest: maybe that last part shouldn't happen? (the marking as withdrawn)
Yeah, I can see how it might be confusing to users. I'll discuss with the team about a better solution.
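The failure mode discussed in this thread, as an added sketch that is not OSV.dev's conversion code: extracting '4.5.1' instead of '4.5.1-alpha001' leaves no tag to resolve to a commit, and a separate state for that failure keeps it apart from a real withdrawal. The function names, the tag map, the commit placeholders, the sample description and the "unconverted" state are all assumptions made for illustration.

```python
import re

# Constructed tag -> commit map standing in for the upstream repository.
# The thread only says that no "4.5.1" tag exists; the other tags and the
# commit ids are placeholders, not real values.
REPO_TAGS = {"4.5.0": "commit-placeholder-a",
             "4.5.1-alpha001": "commit-placeholder-b"}

FULL_VERSION = re.compile(r"\d+(?:\.\d+)+(?:-[0-9A-Za-z.]+)?")  # keeps the suffix
CORE_VERSION = re.compile(r"\d+(?:\.\d+)+")                      # drops the suffix

# Constructed description text, not the CVE's actual wording.
SAMPLE = "Issue affects ExampleLib 4.5.1-alpha001 when parsing input."


def extract_version(text, keep_prerelease):
    """Return the first version string found in free text, or None."""
    pattern = FULL_VERSION if keep_prerelease else CORE_VERSION
    match = pattern.search(text)
    return match.group(0) if match else None


def convert(description, keep_prerelease, tags=REPO_TAGS):
    """Resolve the extracted version to a commit; record the failure if none."""
    version = extract_version(description, keep_prerelease)
    commit = tags.get(version)
    status = "converted" if commit else "conversion_failed"
    return {"status": status, "version": version, "commit": commit}


def published_state(result, upstream_withdrawn=False):
    """Hypothetical state model: only an upstream withdrawal yields 'withdrawn'."""
    if upstream_withdrawn:
        return "withdrawn"
    return "published" if result["status"] == "converted" else "unconverted"


if __name__ == "__main__":
    for keep in (True, False):
        result = convert(SAMPLE, keep)
        print(f"keep_prerelease={keep}: {result} -> {published_state(result)}")
```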