GHSA-c5pj-mqfh-rvc3 Still in osv

[zhangzhenyu2]

GHSA-c5pj-mqfh-rvc3 "Runc allows an arbitrary systemd property to be injected" is a misunderstood vulnerability. Users do NOT need to update runc

opencontainers/runc#4263

but
https://storage.googleapis.com/osv-vulnerabilities/index.html?prefix=Go/
Still in osv

[michaelkedar]

The JSON record for GHSA-c5pj-mqfh-rvc3 has it marked as withdrawn:

"id": "GHSA-c5pj-mqfh-rvc3",
"modified": "2024-06-05T18:30:34Z",
"published": "2024-04-26T06:30:34Z",
"withdrawn": "2024-04-30T09:37:23Z",

I believe it is intended that we export withdrawn vulnerabilities.

Edit: Found the relevant FAQ entry: https://google.github.io/osv.dev/faq/#how-does-osvdev-handle-withdrawn-records

[github-actions]

✨ Thank you for your interest in OSV.dev's data quality! ✨

Please review our FAQ entry on how to most efficiently have this addressed.

[andrewpollock]

Based on:

https://osv.dev/GHSA-c5pj-mqfh-rvc3 clearly marks the record as withdrawn
and
https://osv.dev/GHSA-c5pj-mqfh-rvc3.json has the withdrawn field set

I don't think there is anything actionable here. As @michaelkedar has pointed out, the behaviour of the withdrawn field is documented in the FAQ so I don't believe there is anything actionable here. Please reopen with specifics if you feel differently.