Grouping multiple unrelated Git repos into a single "affected" entry is confusing #2334
Comments
@andrewpollock would be the best person to address this, but he's out-of-office until next week.
✨ Thank you for your interest in OSV.dev's data quality! ✨ Please review our FAQ entry on how to most efficiently have this addressed.
Hi @Bo98 I'm sorry you're finding this behaviour confusing. Do you have any suggestions on what would be helpful here? (please reopen with any concrete suggestions if you have them)
In short, this is not a correct interpretation; see below. The relevant code: Lines 529 to 602 in dd9566e
So looking at https://api.osv.dev/v1/vulns/CVE-2020-8927 specifically:
is derived from the relevant tags present in any of the three repos from the relevant ranges:
Proof:
Your example demonstrates the problem a bit. The v1.1.0 tag is ambiguous. You identified it to apply to dotnet/core and google/brotli. However, this is not correct, as the last affected version for google/brotli is v1.0.7. It's seemingly impossible to use the Not sure what happened to the powershell/powershell repo, as the affected range there is v7.0.0 to <v7.0.9 according to the git commit ranges. That's why I initially interpreted it to be the first repo only.
The problem really is that merging git repos into one entry defeats the purpose of
As there's no information to tell which repo, I've updated my code to ignore any vulnerability with multiple git repos. This does mean I lose some CVE coverage, but it is likely the best I can do here.
Thanks for the feedback @Bo98! I think there's a great point to be made here to separate the That said -- could you please explain a bit how you are making use of the
I have a set of packages/dependencies where I know what git tag is being used, but would need to clone the repo in order to do a commit comparison. In particular, I may not even have the git repo cloned. For example, I may have a brotli dependency that uses https://github.com/google/brotli/archive/refs/tags/v1.1.0.tar.gz. From that I know the git tag - it's I already use
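As an added example (not code from this issue, from @Bo98, or from OSV.dev), here is one way to apply the workaround described in the comments above: match a dependency known only by (repo URL, git tag) against an OSV record's affected entries, trust the flat versions list only when the entry names a single Git repository, and report multi-repo entries as ambiguous rather than silently attributing every version string to the first repo. The OSV-shaped records, the placeholder commit events and the Verdict/check_tag names are constructed for illustration, not the real CVE-2020-8927 data.

```python
from enum import Enum


class Verdict(Enum):
    AFFECTED = "affected"
    NOT_AFFECTED = "not_affected"
    AMBIGUOUS = "ambiguous"  # one versions list shared by several repos


def _norm(url: str) -> str:
    """Normalise a repo URL: ignore trailing slash, .git suffix and case."""
    return url.rstrip("/").removesuffix(".git").lower()


def git_repos(entry: dict) -> set[str]:
    """Repos named by the GIT-type ranges of a single `affected` entry."""
    return {_norm(r["repo"]) for r in entry.get("ranges", [])
            if r.get("type") == "GIT" and "repo" in r}


def check_tag(vuln: dict, repo: str, tag: str) -> Verdict:
    """AFFECTED if a single-repo entry for `repo` lists `tag` in `versions`;
    AMBIGUOUS if the only entries naming `repo` merge several repos."""
    repo = _norm(repo)
    ambiguous = False
    for entry in vuln.get("affected", []):
        repos = git_repos(entry)
        if repo not in repos:
            continue
        if len(repos) > 1:  # no way to tell which repo each version belongs to
            ambiguous = True
            continue
        if tag in entry.get("versions", []):
            return Verdict.AFFECTED
    return Verdict.AMBIGUOUS if ambiguous else Verdict.NOT_AFFECTED


# Constructed records in OSV JSON shape (not the real CVE-2020-8927 data);
# GIT range events carry placeholders where real commit hashes would be.
def _git_range(repo: str) -> dict:
    return {"type": "GIT", "repo": repo,
            "events": [{"introduced": "0"}, {"fixed": "FIX_COMMIT_PLACEHOLDER"}]}

MERGED = {"id": "EXAMPLE-MERGED", "affected": [{
    "ranges": [_git_range("https://github.com/google/brotli"),
               _git_range("https://github.com/dotnet/core")],
    "versions": ["v1.0.7", "v1.1.0"],  # v1.1.0 could be either repo's tag
}]}
SPLIT = {"id": "EXAMPLE-SPLIT", "affected": [{
    "ranges": [_git_range("https://github.com/google/brotli")],
    "versions": ["v1.0.7"],
}]}
```

With the merged record the brotli v1.1.0 question from the thread comes back as AMBIGUOUS instead of a false positive; once the repos are split into their own entries, the same check returns a definite answer.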
Example: CVE-2020-8927
Multiple unrelated git repos are grouped into a single "affected" entry, which leads to a confusing "affected versions" list which seemingly only applies to the first git repo (at least in this example - is this guaranteed?). Perhaps it would be more clear if the git repos were separated into individual entries with their own versions array?