google / osv.dev

Open source vulnerability DB and triage service.
https://osv.dev
Apache License 2.0

Support Clojars for version enumeration #1226

Open lkoskela opened 1 year ago

lkoskela commented 1 year ago

It looks like GHSA-cp4w-6x4w-v2h5 is not recognized by the OSV API for this request:

curl -X POST -d \
  '{"version": "1.13.95", "package": {"name": "lambdaisland:uri", "ecosystem": "Maven"}}' \
  "https://api.osv.dev/v1/query"

The OSV database contains introduced/fixed metadata that seems like the above curl should yield (at least) GHSA-cp4w-6x4w-v2h5 but instead I get back an empty object.

oliverchang commented 1 year ago

Thanks for the report!

It looks like "lambdaisland:uri" lives in the Clojars repository, which we do not index. We only index Maven Central packages for serving query responses.

I'll reword this issue to reflect this.
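
As an added example (not code from this issue or from osv.dev), here is the affected-range check the reporter expected the API to perform, run locally against an OSV record instead. The advisory JSON is constructed for illustration (the introduced/fixed values are placeholders, not the real contents of GHSA-cp4w-6x4w-v2h5), and Maven version ordering is simplified to numeric dot-separated components; the point is that a consumer of Clojars packages can evaluate OSV records directly when /v1/query does not index the package.

```python
import json

# Constructed OSV-format advisory; the introduced/fixed versions are
# placeholders, not the real ranges of GHSA-cp4w-6x4w-v2h5.
ADVISORY_JSON = """
{
  "id": "GHSA-cp4w-6x4w-v2h5",
  "affected": [
    {
      "package": {"ecosystem": "Maven", "name": "lambdaisland:uri"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "0"}, {"fixed": "1.14.0"}]}
      ]
    }
  ]
}
"""
ADVISORIES = [json.loads(ADVISORY_JSON)]


def maven_key(version):
    # Simplified Maven ordering: numeric components only, trailing zeros
    # dropped so that 1.14 and 1.14.0 compare equal. Qualifiers such as
    # -SNAPSHOT or -rc1 are not handled here.
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def version_in_range(events, version):
    # Walk the (sorted) OSV event list: an "introduced" opens an affected
    # interval, the next "fixed" closes it. A version is affected when it
    # falls inside an interval that is open at that point.
    v = maven_key(version)
    affected = False
    for event in events:
        if "introduced" in event:
            affected = v >= maven_key(event["introduced"])
        elif "fixed" in event and affected and v >= maven_key(event["fixed"]):
            affected = False
    return affected


def matching_ids(advisories, ecosystem, name, version):
    # Return the ids of advisories whose ECOSYSTEM ranges cover this
    # package and version, mirroring what a query response should list.
    ids = []
    for adv in advisories:
        for aff in adv["affected"]:
            pkg = aff["package"]
            if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
                continue
            if any(version_in_range(r["events"], version)
                   for r in aff["ranges"] if r["type"] == "ECOSYSTEM"):
                ids.append(adv["id"])
                break
    return ids
```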

marton-cf commented 11 months ago

I've run into the exact same issue. It's very confusing that a vulnerability that shows up in the metadata index is not returned by the API.

github-actions[bot] commented 3 months ago

This issue has not had any activity for 60 days and will be automatically closed in two weeks

github-actions[bot] commented 1 month ago

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.