Open another-rex opened 11 months ago
This issue has not had any activity for 60 days and will be automatically closed in two weeks
We had shades of this problem recently with the Bitnami ecosystem in https://github.com/bitnami/vulndb/issues/336, because it's also essentially an "aggregator" from multiple ecosystems with disparate versioning schemes. If I recall correctly, they managed to successfully converge on SEMVER for all of their versioning.
Once #2401 is complete, this ecosystem could presumably just express ranges as ECOSYSTEM where necessary/appropriate and they wouldn't need to be coerced to SEMVER at import time?
/cc @calebbrown
See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.
Describe the bug
https://osv.dev/vulnerability/MAL-2023-8369 is an example of a SEMVER affected version range in PyPI, which is not a SemVer version.

To Reproduce
Try to query the telethon2 package with any version and it will not return that advisory.

Expected behaviour
The advisory to be returned.

Additional context
For malicious packages specifically, they generally get removed from the repositories, so we can't enumerate versions. We need some sort of wildcard version that matches all versions, for non-SemVer ecosystems.