osv.dev
Support for versions in all advisories
While querying the data in OSV I noticed that Packagist, Go, NPM and Crates.io have mostly affected ranges and no affected versions.
Is there a plan to support affected versions for these ecosystems?
Packagist support is tracked in https://github.com/google/osv.dev/issues/230.
Go, npm, and crates.io use SEMVER, where enumerating versions is not a requirement. To evaluate them, one can use the defined events instead, according to the evaluation algorithm.
In particular for Go, because every commit can be mapped to a pseudoversion, it's not really feasible to do so.
May we understand your use case for these a bit more?
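As an added illustration of the event-based evaluation the reply above refers to (example code written for this thread, not part of osv.dev or the OSV schema reference implementation), the following walks a SEMVER range's `introduced`/`fixed`/`last_affected` events in version order and reports whether a single version is affected, without enumerating versions. The advisory range is constructed, and the minimal semver parser handles only `MAJOR.MINOR.PATCH[-prerelease]` with an optional `v` prefix.

```python
"""Evaluate an OSV SEMVER range by its events instead of enumerating versions."""
import re

# Constructed sample range (not a real advisory): affected from the first
# release up to 1.2.3, and again from 2.0.0 up to 2.0.5.
SAMPLE_RANGE = {
    "type": "SEMVER",
    "events": [
        {"introduced": "0"},       # "0" means every version from the start
        {"fixed": "1.2.3"},
        {"introduced": "2.0.0"},
        {"fixed": "2.0.5"},
    ],
}

def _parse(version: str):
    """Turn 'MAJOR.MINOR.PATCH[-pre]' into a sortable tuple; '0' is the floor."""
    if version == "0":
        return (0, 0, 0, 0, ())
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?", version)
    if not m:
        raise ValueError(f"not a semver string: {version}")
    major, minor, patch, pre = m.groups()
    # A pre-release sorts before the release it precedes (semver rule 11),
    # so 2.0.5-rc.1 is still inside a range that is fixed in 2.0.5.
    pre_key = (1, ()) if pre is None else (0, tuple(
        (0, int(p)) if p.isdigit() else (1, p) for p in pre.split(".")))
    return (int(major), int(minor), int(patch)) + pre_key

def is_affected(version: str, osv_range: dict) -> bool:
    """Walk the events sorted by version and track the vulnerable state."""
    if osv_range["type"] != "SEMVER":
        raise ValueError("this helper only handles SEMVER ranges")
    v = _parse(version)
    vulnerable = False
    for evt in sorted(osv_range["events"],
                      key=lambda e: _parse(next(iter(e.values())))):
        if "introduced" in evt and v >= _parse(evt["introduced"]):
            vulnerable = True
        elif "fixed" in evt and v >= _parse(evt["fixed"]):
            vulnerable = False
        elif "last_affected" in evt and v > _parse(evt["last_affected"]):
            vulnerable = False
    return vulnerable

if __name__ == "__main__":
    for candidate in ("1.0.0", "1.2.3", "2.0.1", "2.0.5-rc.1", "2.0.5", "3.0.0"):
        print(candidate, "affected" if is_affected(candidate, SAMPLE_RANGE) else "ok")
```

The same loop can be applied to each `ranges` entry of each `affected` object in an OSV record, which is how a join against installed versions can be done without a materialised version list.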
My current use case was trying to insert all versions in a database and do a live join between active versions and the advisory versions. With the ranges it becomes impossible to do that.
I have a database I maintain which lists per package and its CVE all the affected versions, and having the versions in Go and npm will make the work much easier.
Maybe you can bring the affected versions data from NVD, the CPE section has a list of affected versions in the specified range.
For example, CVE-2023-0742 in NVD has a list of affected versions:
Of course it won't cover all the pseudoversions of Go, but it's better than nothing.